
Defang configures Security Groups, deploys applications to a private subnet and uses an Application Load Balancer to route traffic to your services from the public internet only when required.


This page is about internal networking only. If you want to configure your services to be accessible from the public internet, check the domains page.

Internal Communication

To let other services communicate with a service, expose ports in its service definition. As with public communication, you use the ports section of the service definition, but set the mode to host instead of ingress so that other services can reach it through the internal network.

Sample Configuration

# [...]
- mode: host
  target: 3000
  protocol: http
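
The host/ingress distinction above can be checked mechanically before a deploy. The following is an added example, not code from Defang or from the original page: it assumes the Compose file has already been converted to JSON, and the service names, port numbers and the allowed_public allow-list are constructed for illustration. Entries without an explicit mode are reported for review rather than assumed to be internal or public.

```python
import json

# Constructed sample: a Compose model already converted to JSON.
# Service names and port numbers are made up for illustration.
SAMPLE_COMPOSE_JSON = """
{
  "services": {
    "web": {"ports": [{"mode": "ingress", "target": 8080, "protocol": "http"}]},
    "api": {"ports": [{"mode": "host", "target": 3000, "protocol": "http"}]},
    "worker": {"ports": [{"target": 9000}, "5000:5000"]},
    "db": {}
  }
}
"""


def classify_port(port):
    """Classify one ports entry by its mode: host is internal, ingress is public."""
    if not isinstance(port, dict):
        # Short syntax ("5000:5000") cannot carry a mode; flag it for review.
        return "review"
    mode = port.get("mode")
    if mode == "host":
        return "internal"
    if mode == "ingress":
        return "public"
    # Missing or unknown mode: do not guess the platform default.
    return "review"


def audit_ports(compose, allowed_public=frozenset()):
    """Return (service, port, verdict) for public ports not allow-listed, or unclear ones."""
    findings = []
    for name, svc in sorted(compose.get("services", {}).items()):
        for port in (svc or {}).get("ports", []) or []:
            verdict = classify_port(port)
            if verdict == "public" and name in allowed_public:
                continue
            if verdict != "internal":
                target = port.get("target") if isinstance(port, dict) else port
                findings.append((name, target, verdict))
    return findings


if __name__ == "__main__":
    model = json.loads(SAMPLE_COMPOSE_JSON)
    for name, target, verdict in audit_ports(model, allowed_public={"web"}):
        print(f"{name}: port {target} -> {verdict}")
```

Run in CI, a non-empty result can fail the build so that a port switched from host to ingress is reviewed before it is deployed.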

Internal DNS

Internal communication is handled slightly differently between the Defang Playground and Defang BYOC.

Internal communication between services in the Defang Playground follows this pattern: