All Docs

Set Up VPC Networking

Plan network topology, create VPCs and subnets, configure security groups, and test connectivity for NFYio resources.

This guide walks you through planning your network topology, creating a VPC and subnets, configuring security groups, attaching resources, and testing connectivity for NFYio deployments.

Plan Network Topology

Before creating resources, plan your network layout.

CIDR Allocation

Choose non-overlapping CIDR blocks:

NetworkCIDRPurpose
VPC10.0.0.0/16Main VPC (65,536 addresses)
Public Subnet A10.0.1.0/24Load balancer, API gateway (256 addresses)
Public Subnet B10.0.2.0/24Redundant public (256 addresses)
Private Subnet A10.0.10.0/24Storage, agents, app servers (256 addresses)
Private Subnet B10.0.11.0/24Database, Redis, internal services (256 addresses)

Placement Strategy

  • Public subnets: Ingress/load balancers, bastion hosts
  • Private subnets: NFYio gateway, storage proxy, agent service, PostgreSQL, Redis, SeaweedFS

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                     VPC (10.0.0.0/16)                            │
│                                                                  │
│  ┌──────────────────────┐    ┌──────────────────────┐          │
│  │  Public Subnet A      │    │  Public Subnet B      │          │
│  │  10.0.1.0/24          │    │  10.0.2.0/24          │          │
│  │  - Load Balancer      │    │  - (Spare / HA)       │          │
│  │  - NAT Gateway        │    │                        │          │
│  └──────────┬───────────┘    └──────────────────────┘          │
│             │                                                    │
│  ┌──────────▼───────────┐    ┌──────────────────────┐          │
│  │  Private Subnet A     │    │  Private Subnet B     │          │
│  │  10.0.10.0/24         │    │  10.0.11.0/24         │          │
│  │  - NFYio Gateway       │    │  - PostgreSQL         │          │
│  │  - Storage Proxy       │    │  - Redis              │          │
│  │  - Agent Service       │    │  - SeaweedFS          │          │
│  └──────────────────────┘    └──────────────────────┘          │
└─────────────────────────────────────────────────────────────────┘

Create VPC

Via NFYio API

export NFYIO_API="https://api.yourdomain.com"
export NFYIO_TOKEN="your-access-token"

curl -X POST "$NFYIO_API/api/networking/vpcs" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "nfyio-production",
    "cidrBlock": "10.0.0.0/16",
    "description": "Production VPC for NFYio"
  }'

Response:

{
  "id": "vpc_abc123",
  "name": "nfyio-production",
  "cidrBlock": "10.0.0.0/16",
  "status": "available",
  "createdAt": "2026-03-01T12:00:00Z"
}

Via Dashboard

  1. Go to NetworkingVPCs
  2. Click Create VPC
  3. Enter name, CIDR block, and optional description
  4. Click Create

Add Subnets

Public Subnet

export VPC_ID="vpc_abc123"

curl -X POST "$NFYIO_API/api/networking/subnets" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"vpcId\": \"$VPC_ID\",
    \"name\": \"public-a\",
    \"cidrBlock\": \"10.0.1.0/24\",
    \"type\": \"public\",
    \"availabilityZone\": \"us-east-1a\"
  }"

Private Subnet

curl -X POST "$NFYIO_API/api/networking/subnets" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"vpcId\": \"$VPC_ID\",
    \"name\": \"private-a\",
    \"cidrBlock\": \"10.0.10.0/24\",
    \"type\": \"private\",
    \"availabilityZone\": \"us-east-1a\"
  }"

List Subnets

curl -s "$NFYIO_API/api/networking/subnets?vpcId=$VPC_ID" \
  -H "Authorization: Bearer $NFYIO_TOKEN" | jq .

Configure Security Groups

Security groups act as virtual firewalls for resources. Create groups for each tier.

Load Balancer / Ingress

curl -X POST "$NFYIO_API/api/networking/security-groups" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"vpcId\": \"$VPC_ID\",
    \"name\": \"lb-ingress\",
    \"description\": \"Load balancer - allow HTTP/HTTPS from internet\"
  }"

# Add inbound rules (use returned sg-id)
export SG_LB="sg_xyz789"

curl -X POST "$NFYIO_API/api/networking/security-groups/$SG_LB/rules" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "direction": "inbound",
    "protocol": "tcp",
    "fromPort": 443,
    "toPort": 443,
    "cidrBlocks": ["0.0.0.0/0"],
    "description": "HTTPS from internet"
  }'

curl -X POST "$NFYIO_API/api/networking/security-groups/$SG_LB/rules" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "direction": "inbound",
    "protocol": "tcp",
    "fromPort": 80,
    "toPort": 80,
    "cidrBlocks": ["0.0.0.0/0"],
    "description": "HTTP from internet"
  }'

Application Tier (Gateway, Storage, Agent)

curl -X POST "$NFYIO_API/api/networking/security-groups" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"vpcId\": \"$VPC_ID\",
    \"name\": \"nfyio-app\",
    \"description\": \"NFYio gateway, storage, agent\"
  }"

export SG_APP="sg_app123"

# Allow from load balancer subnet
curl -X POST "$NFYIO_API/api/networking/security-groups/$SG_APP/rules" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "direction": "inbound",
    "protocol": "tcp",
    "fromPort": 3000,
    "toPort": 3000,
    "cidrBlocks": ["10.0.1.0/24"],
    "description": "Gateway from LB"
  }'

curl -X POST "$NFYIO_API/api/networking/security-groups/$SG_APP/rules" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "direction": "inbound",
    "protocol": "tcp",
    "fromPort": 7007,
    "toPort": 7007,
    "cidrBlocks": ["10.0.1.0/24", "10.0.10.0/24"],
    "description": "Storage from LB and app"
  }'

curl -X POST "$NFYIO_API/api/networking/security-groups/$SG_APP/rules" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "direction": "inbound",
    "protocol": "tcp",
    "fromPort": 7010,
    "toPort": 7010,
    "cidrBlocks": ["10.0.10.0/24"],
    "description": "Agent from gateway"
  }'

Database Tier

curl -X POST "$NFYIO_API/api/networking/security-groups" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"vpcId\": \"$VPC_ID\",
    \"name\": \"nfyio-db\",
    \"description\": \"PostgreSQL, Redis, SeaweedFS\"
  }"

export SG_DB="sg_db456"

# PostgreSQL from app tier
curl -X POST "$NFYIO_API/api/networking/security-groups/$SG_DB/rules" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "direction": "inbound",
    "protocol": "tcp",
    "fromPort": 5432,
    "toPort": 5432,
    "cidrBlocks": ["10.0.10.0/24"],
    "description": "PostgreSQL from app"
  }'

# Redis from app tier
curl -X POST "$NFYIO_API/api/networking/security-groups/$SG_DB/rules" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "direction": "inbound",
    "protocol": "tcp",
    "fromPort": 6379,
    "toPort": 6379,
    "cidrBlocks": ["10.0.10.0/24"],
    "description": "Redis from app"
  }'

# SeaweedFS from storage proxy
curl -X POST "$NFYIO_API/api/networking/security-groups/$SG_DB/rules" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "direction": "inbound",
    "protocol": "tcp",
    "fromPort": 9333,
    "toPort": 9333,
    "cidrBlocks": ["10.0.10.0/24"],
    "description": "SeaweedFS master from storage"
  }'

Attach Resources

When deploying NFYio (e.g., via Kubernetes or Docker), attach the appropriate subnets and security groups to each component:

ComponentSubnetSecurity Group
Load BalancerPubliclb-ingress
GatewayPrivatenfyio-app
Storage ProxyPrivatenfyio-app
Agent ServicePrivatenfyio-app
PostgreSQLPrivatenfyio-db
RedisPrivatenfyio-db
SeaweedFSPrivatenfyio-db

Kubernetes Example

In your Helm values.yaml:

gateway:
  nodeSelector:
    kubernetes.io/subnet: private-a
  # Or use pod network policies / security group annotations per cloud provider

For cloud providers (AWS, GCP, Azure), use the provider’s mechanism to attach security groups to nodes or pods (e.g., AWS Security Group for Node Group, or GCP network tags).

Test Connectivity

From Load Balancer to Gateway

# From a pod/node in the LB subnet
curl -s http://nfyio-gateway.nfyio.svc.cluster.local:3000/health

From Gateway to Database

# From gateway pod
docker compose exec nfyio-gateway sh -c "nc -zv postgres 5432"
docker compose exec nfyio-gateway sh -c "nc -zv redis 6379"

From Storage to SeaweedFS

docker compose exec nfyio-storage sh -c "nc -zv seaweedfs-master 9333"

End-to-End

# From outside (through LB)
curl -s https://nfyio.yourdomain.com/health
curl -s https://storage.yourdomain.com/health

Monitoring

VPC Flow Logs

Enable flow logs for the VPC to capture accepted/rejected traffic:

curl -X POST "$NFYIO_API/api/networking/vpcs/$VPC_ID/flow-logs" \
  -H "Authorization: Bearer $NFYIO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "vpc-flow-logs",
    "destinationType": "cloudwatch",
    "retentionDays": 7
  }'

Security Group Metrics

Monitor inbound/outbound rule hits via your observability stack (Prometheus, Grafana) if integrated with NFYio networking.

Troubleshooting

IssueSolution
Cannot reach service from LBCheck security group allows LB subnet CIDR to service port
Gateway cannot reach PostgreSQLEnsure DB security group allows app subnet on port 5432
Storage cannot reach SeaweedFSVerify SeaweedFS master port 9333 is open from storage subnet
Inter-subnet routingEnsure route tables allow traffic between subnets in the same VPC

What’s Next

Edit this page on GitHub