Private Networking

Convox Racks are installed using best practices for privacy and security. In cases with exceptional needs for isolation, Convox offers a “private” Rack mode that is easy to configure.

Public vs. Private Racks

Convox Rack creates a cluster of server instances into which your apps are deployed. In the default “public” mode, these instances are connected to a public subnet. Security Groups are used to keep out unwanted inbound traffic, and outbound traffic to the Internet is unrestricted.

By contrast, server instances in a private Rack have no direct connection to the Internet. Inbound traffic is routed from the load balancer to a private subnet, and outbound traffic passes through a NAT gateway.

Installing a Private Rack

A Rack can be installed as private by selecting the Private checkbox in the Rack installation page in the Convox console.

We recommend installing via the Console, but it’s also possible using the Convox CLI:

convox rack install Private=Yes

Note that Racks installed via the CLI will need to be added manually to the Console.

Converting an Existing Rack to Private

An existing Rack can be flipped to private mode:

convox rack params set Private=Yes

Why Use a Private Rack?

The benefits of running a Rack in private mode include:

Cost

Private networking mode requires the provisioning of up to three NAT gateways (one for each availability zone) which are charged based on time and traffic. This will increase the monthly cost of your rack. More pricing details can be found in the AWS docs.

See also