Skip to main content

Network Configuration

import { App } from "@fjall/components-infrastructure";
Unlike Compute and Storage, network configuration is passed during App initialization rather than through a dedicated factory.

Basic Usage

const app = App.getApp("MyApp", {
  network: {
    maxAzs: 2,
    natGateways: false,
    flowLogs: false,
    vpcEndpoints: {
      interface: {
        secretsManager: true,
        kms: true,
      },
    },
  },
});

Network Configuration Interface

interface NetworkConfig {
  maxAzs: number;                    // Maximum availability zones
  natGateways: boolean | number;     // NAT gateway configuration
  flowLogs: boolean;                 // Enable VPC flow logs
  vpcEndpoints: {
    interface?: {
      secretsManager?: boolean;
      kms?: boolean;
      // ... other interface endpoints
    };
    gateway?: {
      s3?: boolean;
      dynamodb?: boolean;
    };
  };
}

Configuration Options

Maximum Availability Zones

Control how many AZs your VPC spans: 
const app = App.getApp("MyApp", {
  network: {
    maxAzs: 3,  // Span 3 availability zones
  },
});
Default: 3 Cost Impact: More AZs = more NAT gateways (if enabled) = higher cost

NAT Gateways

Configure NAT gateway deployment for private subnet internet access: 
// Disable NAT gateways (no internet access from private subnets)
const app = App.getApp("MyApp", {
  network: {
    natGateways: false,
  },
});

// Enable NAT gateways (one per AZ)
const app = App.getApp("MyApp", {
  network: {
    natGateways: true,
  },
});

// Specify exact number
const app = App.getApp("MyApp", {
  network: {
    natGateways: 1,  // Single NAT gateway (cost optimization)
  },
});
Cost Impact: NAT gateways cost ~$32/month each + data transfer fees. Disabling saves money but prevents private subnet resources from accessing the internet. When to Disable: If your application only uses VPC endpoints for AWS services and doesn’t need external internet access.

VPC Flow Logs

Enable VPC flow logs for network traffic monitoring: 
const app = App.getApp("MyApp", {
  network: {
    flowLogs: true,
  },
});
Default: Varies by configuration Use Case: Security auditing, troubleshooting network connectivity issues

VPC Endpoints

Reduce NAT gateway costs by using VPC endpoints for AWS services: 
const app = App.getApp("MyApp", {
  network: {
    vpcEndpoints: {
      interface: {
        secretsManager: true,  // Access Secrets Manager without NAT gateway
        kms: true,             // Access KMS without NAT gateway
      },
      gateway: {
        s3: true,              // Free S3 gateway endpoint
        dynamodb: true,        // Free DynamoDB gateway endpoint
      },
    },
  },
});
Interface Endpoints: Cost ~$7/month each, but can eliminate NAT gateway need Gateway Endpoints: Free, no data transfer charges

Advanced VPC Usage

For more control, create VPC directly: 
import { Vpc } from "@fjall/components-infrastructure/lib/resources/aws/networking/vpc";

const vpc = new Vpc(this, "MyVpc", {
  maxAzs: 3,
  natGateways: 1,
  vpcName: "production-vpc",
  accountId: this.account,
  ipv4IpamPoolId: "ipam-pool-123",
});

VpcFactory (Alternative)

Rarely used alternative for VPC creation: 
import { VpcFactory } from "@fjall/components-infrastructure";

const vpcFactory = VpcFactory.build("AppVpc", {
  maxAzs: 2,
  natGateways: 1,
});

const vpc = vpcFactory(app, this);

HostedZoneFactory

Import existing Route 53 hosted zones for domain configuration: 
import { HostedZoneFactory } from "@fjall/components-infrastructure";

const hostedZone = HostedZoneFactory.import(
  app.getDefaultComputeStack(),
  "Z08083911D2IFBH8ELIKJ",  // Hosted Zone ID
  "myapp.com",                // Domain name
);

// Use with compute cluster domain config
app.addCompute(
  ComputeFactory.build("WebApp", {
    type: "ecs",
    cluster: {
      domainConfig: {
        domainName: "myapp.com",
        hostedZone: hostedZone,
      },
    },
  })
);

Cost Optimization Strategies

Eliminate NAT Gateways

If your application only needs AWS service access: 
const app = App.getApp("MyApp", {
  network: {
    natGateways: false,  // Save ~$32/month per gateway
    vpcEndpoints: {
      interface: {
        secretsManager: true,  // ~$7/month
        kms: true,             // ~$7/month
      },
      gateway: {
        s3: true,              // FREE
      },
    },
  },
});
Savings: 32/monthNATgateway32/month NAT gateway - 14/month interface endpoints = $18/month saved

Single NAT Gateway

For non-critical workloads, use one NAT gateway instead of one per AZ: 
const app = App.getApp("MyApp", {
  network: {
    maxAzs: 3,
    natGateways: 1,  // Single gateway for all AZs
  },
});
Savings: 2 NAT gateways = $64/month saved Trade-off: No NAT gateway redundancy if failure occurs

Gateway Endpoints Only

For S3 and DynamoDB workloads: 
const app = App.getApp("MyApp", {
  network: {
    natGateways: false,
    vpcEndpoints: {
      gateway: {
        s3: true,
        dynamodb: true,
      },
    },
  },
});
Cost: FREE

Common Patterns

Development Environment

Minimal cost configuration: 
const app = App.getApp("DevApp", {
  network: {
    maxAzs: 2,
    natGateways: false,
    flowLogs: false,
    vpcEndpoints: {
      interface: {
        secretsManager: true,
      },
      gateway: {
        s3: true,
      },
    },
  },
});

Production Environment

High availability with cost optimization: 
const app = App.getApp("ProdApp", {
  network: {
    maxAzs: 3,
    natGateways: 2,  // Redundancy across 2 AZs
    flowLogs: true,
    vpcEndpoints: {
      interface: {
        secretsManager: true,
        kms: true,
      },
      gateway: {
        s3: true,
        dynamodb: true,
      },
    },
  },
});

Serverless Optimized

No NAT gateways, VPC endpoints only: 
const app = App.getApp("ServerlessApp", {
  network: {
    maxAzs: 2,
    natGateways: false,
    vpcEndpoints: {
      interface: {
        secretsManager: true,
        kms: true,
        ecr: true,
        logs: true,
      },
      gateway: {
        s3: true,
      },
    },
  },
});

Access VPC from App

Get the default VPC for use in other constructs: 
const app = App.getApp("MyApp", { /* ... */ });

const vpc = app.getDefaultVpc();

// Use in compute or storage
app.addCompute(
  ComputeFactory.build("Api", {
    vpc: vpc,
    // ... other config
  })
);

Best Practices

  • Start with no NAT gateways: Add them only if external internet access is needed
  • Use gateway endpoints: Always enable S3 and DynamoDB gateway endpoints (free)
  • Interface endpoints for AWS services: Use interface endpoints instead of NAT gateways for AWS service access
  • Multi-AZ for production: Use maxAzs: 3 with multiple NAT gateways for production high availability
  • Flow logs for security: Enable flow logs in production for security monitoring

See Also