Overview
NetworkFactory creates VPC and networking infrastructure on AWS. Fjall configures networking automatically when you create an application. Use NetworkFactory directly when you need custom networking.
Automatic Networking
When you create an application, Fjall automatically provisions:
VPC Configuration
- CIDR blocks: Managed by IPAM
- Availability zones: Multi-AZ by default
- Subnets: Public and private subnets per AZ
- NAT gateways: For private subnet internet access
- VPC endpoints: For AWS service access
Security Groups
- Automatic rules: Based on resource connections
- Least privilege: Only required ports opened
- Dynamic updates: As resources are added
Load Balancers
- Application Load Balancer: For ECS services
- Target groups: Automatic health checks
- SSL termination: With ACM certificates
Current Implementation
Through App Class
Through Compute Factory
Through Database Factory
Connection Management
Declare connections on a service and Fjall wires the security group rules:
NetworkFactory Usage
Basic Usage
Full Configuration
Parameters
| Parameter | Type | Description | Default |
|---|---|---|---|
| vpcName | string | Custom VPC name | App name |
| maxAzs | number | Number of availability zones | 2 |
| cidrMask | number | Subnet CIDR mask | 24 |
| natGateways | { count: number } or false | NAT gateway config, or false to disable | { count: 1 } |
| flowLogs | { destination, retentionDays?, trafficType? } or false | Flow logs config | Disabled |
| flowLogs.destination | "cloudwatch" \| "s3" | Log destination | - |
| flowLogs.retentionDays | number | CloudWatch log retention (days) | 14 |
| flowLogs.trafficType | "ALL" \| "ACCEPT" \| "REJECT" | Traffic to log | "ALL" |
| vpcEndpoints | object or false | VPC endpoint configuration | None |
| vpcEndpoints.gateway | { s3?: boolean, dynamodb?: boolean } | Gateway endpoints | {} |
| vpcEndpoints.interface | { ecr?, secretsManager?, kms?, ssm?, sts?, cloudwatchLogs? } | Interface endpoints | {} |
| subnets | object | Custom subnet configuration | Auto |
| transitGateway | { id: string } | Transit Gateway attachment | None |
Disabling NAT Gateways
For cost savings in development:
VPC Endpoints for Private Access
Reduce data transfer costs and improve security. Gateway endpoints support s3 and dynamodb. Interface endpoints support ecr, secretsManager, kms, ssm, sts, and cloudwatchLogs:
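The security-relevant options from the Parameters table (natGateways, flowLogs, vpcEndpoints) can be reviewed before deployment. The following is an added example, not Fjall's own code: `NetworkOptions` and `auditNetworkOptions()` are hypothetical names, the 90-day retention minimum is an assumed policy value, and the check assumes private subnets have no internet route once NAT is disabled.

```typescript
// Added example: option names and defaults are taken from the Parameters table.
// NetworkOptions and auditNetworkOptions() are hypothetical, not part of Fjall.
type FlowLogs = {
  destination: "cloudwatch" | "s3";
  retentionDays?: number;
  trafficType?: "ALL" | "ACCEPT" | "REJECT";
};
type Endpoints = { gateway?: Record<string, boolean>; interface?: Record<string, boolean> };
type NetworkOptions = {
  natGateways?: { count: number } | false;
  flowLogs?: FlowLogs | false;
  vpcEndpoints?: Endpoints | false;
};

// Endpoint services listed on the page.
const GATEWAY = ["s3", "dynamodb"];
const INTERFACE = ["ecr", "secretsManager", "kms", "ssm", "sts", "cloudwatchLogs"];

// minRetentionDays is an assumed policy value, not a Fjall default.
function auditNetworkOptions(opts: NetworkOptions, minRetentionDays = 90): string[] {
  const findings: string[] = [];
  const nat = opts.natGateways ?? { count: 1 };      // documented default
  const flow = opts.flowLogs ?? false;               // documented default: disabled
  const ep: Endpoints = opts.vpcEndpoints || {};     // documented default: none

  if (flow === false) {
    findings.push("flowLogs: disabled, no traffic record for detection or forensics");
  } else {
    if ((flow.trafficType ?? "ALL") === "ACCEPT") {
      findings.push("flowLogs.trafficType: ACCEPT only, rejected connections are not logged");
    }
    const days = flow.retentionDays ?? 14;           // documented default
    if (flow.destination === "cloudwatch" && days < minRetentionDays) {
      findings.push(`flowLogs.retentionDays: ${days} is below the assumed minimum of ${minRetentionDays}`);
    }
  }

  const missing = [
    ...GATEWAY.filter((s) => !ep.gateway?.[s]),
    ...INTERFACE.filter((s) => !ep.interface?.[s]),
  ];
  if (missing.length > 0) {
    findings.push(nat === false
      ? `vpcEndpoints: no NAT and no endpoint for ${missing.join(", ")}, private subnets cannot reach them`
      : `vpcEndpoints: traffic to ${missing.join(", ")} leaves through the NAT gateway`);
  }
  return findings;
}
```

Calling `auditNetworkOptions({})` reports what the documented defaults leave open: flow logs are off and no VPC endpoints are configured.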
Transit Gateway Integration
Connect VPCs across accounts:
Best Practices
- Let Fjall manage networking - Automatic configuration handles most use cases
- Use IPAM - Prevents CIDR conflicts across accounts
- Multi-AZ deployment - Enabled by default for resilience
- Private subnets - Databases always in private subnets
- VPC endpoints - Reduces data transfer costs
Next Steps
Compute Factory
Deploy ECS and Lambda applications behind the VPC.
Database Factory
Provision Aurora, RDS, and DynamoDB in private subnets.
Storage Factory
Create S3 buckets with VPC gateway endpoint access.
Standard Pattern
Compose a full application with networking included.