Networking
By default, Defang configures your application's networking and security groups to follow secure best practices. We also configure load-balancers and public IP addresses when appropriate. The following sections describe how to configure different network and security group topologies.
This page is about complex networking. If you want to configure your services to be accessible from the public internet, check the Domains page.
Networks
The Compose spec has a notion of networks. By default, each service gets added to the default network.
Services in the default network can have public IPs. Services in any other network will be in a private subnet.
These services cannot be reached from outside the network, but they can still make network requests to the public internet.
services:
  frontend:
    build: ./fe
    ports:
      - 80 # load-balanced, ie. mode: ingress
    networks:
      default:
      private:
  backend:
    build: ./be
    ports:
      - mode: host # no load balancer
        target: 8080
    networks:
      private:
networks:
  default:
  private:
    internal: true # no egress
Public Services
By default, services will be in the default network. These services are not directly accessible by default, but may be accessed through a public load balancer, i.e. exposed ports default to mode: ingress:
services:
  web:
    networks:
      default: # this is the default, so no need to specify
    ports:
      - 80:80 # Defang will use a public load balancer
If you want a service to have a public IP address, ensure it's in the default network (the default) and set the port to mode: host:
services:
  web:
    ports:
      - target: 80
        mode: host # Defang will assign a public IP
Private Services
If you want a service with exposed ports to not be accessible from the public internet, create a private network:
services:
  web: # this service can receive public traffic and communicate to private services
    ports:
      - 80
    networks:
      default:
      private:
  db: # this service can only receive traffic from other services in the same network
    ports:
      - 1234
    networks:
      private:
networks:
  private: # any network that's not "default" is considered private
The service's hostname will be the same as the service's name, in this case db.
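The exposure rules from the Networks, Public Services and Private Services sections can be checked before deployment. The Python below is an added example, not part of the Defang documentation or tooling; the names classify, unexpected_public and SAMPLE are hypothetical, and it assumes the Compose file has already been parsed into a dict and that a service with no ports is not exposed.

```python
# Added example: classify service exposure using this page's network rules.
# Input is an already-parsed Compose document (a dict, as a YAML parser returns).

def service_networks(svc):
    """Networks a service joins; omitting 'networks' means the default network."""
    nets = svc.get("networks")
    return set(nets) if nets else {"default"}  # list and mapping forms both work

def port_mode(port):
    """Long-syntax ports carry 'mode'; short syntax (80, "80:80") is ingress."""
    return port.get("mode", "ingress") if isinstance(port, dict) else "ingress"

def classify(compose):
    """Map each service name to its exposure under the rules described above."""
    report = {}
    for name, svc in (compose.get("services") or {}).items():
        ports = svc.get("ports") or []
        if not ports:
            report[name] = "no exposed ports"  # assumption: nothing to reach
        elif "default" not in service_networks(svc):
            report[name] = "private"  # only in non-default networks
        elif any(port_mode(p) == "host" for p in ports):
            report[name] = "public IP"
        else:
            report[name] = "public load balancer"
    return report

def unexpected_public(compose, allowed):
    """Services that are publicly reachable but missing from the allow-list."""
    return sorted(n for n, e in classify(compose).items()
                  if e.startswith("public") and n not in allowed)

# Constructed sample combining the page's examples (not a real project).
SAMPLE = {
    "services": {
        "frontend": {"ports": [80], "networks": {"default": None, "private": None}},
        "backend": {"ports": [{"mode": "host", "target": 8080}],
                    "networks": {"private": None}},
        "web": {"ports": [{"target": 80, "mode": "host"}]},
        "db": {"ports": [1234], "networks": ["private"]},
        "worker": {"networks": ["private"]},
    },
    "networks": {"default": None, "private": {"internal": True}},
}

if __name__ == "__main__":
    for service, exposure in classify(SAMPLE).items():
        print(f"{service}: {exposure}")
    print("not on allow-list:", unexpected_public(SAMPLE, allowed={"frontend"}))
```

Running unexpected_public in CI with an allow-list of intended public services flags a service that became public because its networks key was dropped or its port was switched to mode: host.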
Hostname Aliases
By using network aliases, a service can be made available at multiple hostnames.
services:
  web:
    domainname: example.com
    networks:
      default:
        aliases:
          - www.example.com # a public alias
Internal DNS
Internal communication is handled slightly differently between the Defang Playground and Defang BYOC.
Internal communication between services in the Defang Playground uses the following pattern:
http://<username>-<service-name>:<port>
The Defang CLI applies the <username> prefix when it detects service names in the values of environment variables.
Internal communication between services in Defang BYOC uses the following pattern:
http://<service-name>:<port>