Networking Overview
1. Introduction
This section provides a comprehensive overview of Komerce’s network infrastructure. A robust and secure network foundation is critical for the reliable operation of our services, ensuring efficient communication between microservices, secure access for users, and resilient connectivity to external resources.
Our network architecture is designed for high availability, scalability, and security, leveraging cloud-native networking capabilities.
2. Key Network Components
Our network infrastructure primarily consists of:
- Virtual Private Clouds (VPCs): Isolated network environments for our resources.
- Subnets: Logical divisions within VPCs, typically categorized by public/private access and availability zones.
- Route Tables: Define rules for network traffic to flow between subnets and to the internet or other networks.
- Network Access Control Lists (NACLs) & Security Groups: Layered security mechanisms to control inbound and outbound traffic.
- Load Balancers: Distribute incoming application traffic across multiple targets, such as EC2 instances or containers.
- DNS (Domain Name System): Manages domain names and translates them into IP addresses.
- VPN/Direct Connect: Secure connections to on-premise networks or other cloud environments (if applicable).
3. High-Level Network Architecture
Our core network architecture is built around a multi-VPC strategy, ensuring logical separation for different environments (e.g., Development, Staging, Production) and critical services.
```mermaid
graph TD
    A[Internet] --> B(Load Balancer)
    B --> C{Public Subnet}
    C --> D[Web Servers / API Gateways]
    D --> E{Private Subnet}
    E --> F[Application Servers]
    F --> G[Database Servers]
    G --> H[Data Storage / Object Storage]

    %% Subgraphs are given short ids so they can be linked and styled; the quoted text is the displayed title.
    subgraph prodvpc ["Production VPC"]
        C
        D
        E
        F
        G
        H
    end

    subgraph devvpc ["Development VPC"]
        I[Dev Instances] --> J[Dev Databases]
    end

    prodvpc --- K(VPC Peering / Transit Gateway) --- devvpc
    K --> L["On-Premise Network (Optional)"]

    style prodvpc fill:#f9f,stroke:#333,stroke-width:2px
    style devvpc fill:#ccf,stroke:#333,stroke-width:2px
```
4. Virtual Private Clouds (VPCs)
Each environment (Production, Staging, Development) operates within its own dedicated VPC. This provides:
- Isolation: Prevents unintended cross-environment communication.
- Security: Granular control over network access within each environment.
- Resource Management: Easier management of IP address ranges and network configurations.
Naming Convention: komerce-<environment>-vpc (e.g., komerce-prod-vpc, komerce-dev-vpc)
5. Subnets
Within each VPC, subnets are strategically deployed across multiple Availability Zones (AZs) to ensure high availability and fault tolerance. We categorize subnets as:
- Public Subnets: Contain resources that require direct internet access (e.g., Load Balancers, NAT Gateways, public-facing web servers).
- Private Subnets: Contain application and database servers that do not require direct internet access, enhancing security.
Naming Convention: komerce-<environment>-<az>-<type>-subnet (e.g., komerce-prod-us-east-1a-public-subnet)
6. Routing
Route tables define how network traffic is directed within and out of our VPCs. Key routing configurations include:
- Internet Gateway: Attached to public subnets to allow communication with the internet.
- NAT Gateway: Deployed in public subnets to enable instances in private subnets to initiate outbound connections to the internet while remaining private.
- VPC Peering / Transit Gateway: Used for secure and efficient communication between different VPCs (e.g., Production to Development for specific data access) or to an on-premise network.
7. Security Groups & NACLs
- Security Groups: Act as virtual firewalls for instances, controlling traffic at the instance level. They are stateful.
- Network Access Control Lists (NACLs): Operate at the subnet level, controlling traffic in and out of subnets. They are stateless.
Both are configured with the principle of least privilege, allowing only necessary traffic.
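The stateful/stateless distinction above is easiest to see in a small model. The following Python is an added example, not Komerce's code or any cloud provider's API; it assumes a single TCP exchange between a constructed client address (203.0.113.10) and a constructed load-balancer address (10.0.1.5), and AWS-style NACL semantics where rules match on destination port, the first matching rule wins, and the default is deny.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "src dst sport dport")  # one TCP segment, addresses as strings

@dataclass(frozen=True)
class Rule:
    cidr: str           # remote address range the rule applies to
    port_from: int      # TCP destination-port range the rule covers
    port_to: int
    allow: bool = True  # NACLs can carry explicit denies; security groups are allow-only
    def matches(self, remote, dport):
        return (self.port_from <= dport <= self.port_to
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr))

class SecurityGroup:
    """Stateful and allow-only: the reply to an admitted inbound flow is let out automatically."""
    def __init__(self, ingress):
        self.ingress, self.flows = ingress, set()
    def inbound(self, pkt):
        ok = any(r.matches(pkt.src, pkt.dport) for r in self.ingress)
        if ok:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # remember the connection
        return ok
    def outbound(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows  # is it a tracked reply?

class NetworkAcl:
    """Stateless: each direction is judged on its own rule list, first match wins, default deny."""
    def __init__(self, ingress, egress):
        self.ingress, self.egress = ingress, egress
    @staticmethod
    def _first_match(rules, remote, dport):
        return next((r.allow for r in rules if r.matches(remote, dport)), False)
    def inbound(self, pkt):
        return self._first_match(self.ingress, pkt.src, pkt.dport)
    def outbound(self, pkt):
        return self._first_match(self.egress, pkt.dst, pkt.dport)

def https_round_trip(fw):
    """(request admitted, reply admitted) for a constructed client-to-load-balancer HTTPS exchange."""
    req = Packet(src="203.0.113.10", dst="10.0.1.5", sport=51234, dport=443)
    reply = Packet(src="10.0.1.5", dst="203.0.113.10", sport=443, dport=51234)
    return fw.inbound(req), fw.outbound(reply)

ANY = "0.0.0.0/0"
lb_sg = SecurityGroup(ingress=[Rule(ANY, 443, 443)])  # stateful: no egress rule needed for replies
acl_missing_return = NetworkAcl(ingress=[Rule(ANY, 443, 443)], egress=[])  # stateless: reply dropped
acl_public = NetworkAcl(ingress=[Rule(ANY, 443, 443)], egress=[Rule(ANY, 1024, 65535)])  # ephemeral
```

The practical consequence for least-privilege NACLs on public subnets is that an outbound allow for the ephemeral port range must be present even when only port 443 is opened inbound, whereas the security group needs no such rule.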
8. DNS Management
We utilize [Cloud DNS Service] for managing our internal and external DNS records, ensuring reliable service discovery and routing.
9. Monitoring & Logging
Network flow logs are enabled for all VPCs and ingested into our centralized logging system for security analysis, troubleshooting, and compliance. Key network metrics (e.g., traffic volume, latency) are monitored via [Cloud Monitoring Service].