Networking on Northflank | Network | Northflank Application docs
v1
ApplicationAPI & CLI

On this page

Network /

Networking on Northflank

Northflank allows flexible and secure private and public networking for services, jobs, databases and other addons. HTTP, HTTP/2, Websockets, gRPC, TCP and UDP are all supported networking protocols.

Networking settings are accessed on the ports & DNS page on deployment and combined services, and on the settings page in the network section for databases and other addons.

Public networking

HTTP, HTTP/2, Websockets and gRPC can be exposed publicly via a load-balancer served with an auto-generated TLS certificate with either code.run endpoints or your own custom domains. HTTPS requests are terminated at the edge load-balancer and the request is routed via Northflank’s network using mTLS to ensure end-to-end encryption.

You can choose to publicly expose databases and other addons via a load-balanced TCP endpoint. Northflank will enforce and generate TLS certificates which will be automatically configured in the database and connection details.

Northflank will expose your HTTP ports publicly on ports 80 and 443 and route traffic to your configured ports. HTTP (port 80) traffic is automatically redirected to HTTPS (port 443).

Private networking

Ports serving all protocols can be configured for private networking. Services, jobs and databases with private ports will only be accessible by other resources inside the same project.

Deployments and databases can be forwarded for secure, local access, without the need to publicly expose them to the internet.

Load-balancer

Northflank uses scalable and highly performant load balancers to securely distribute external traffic to containers in your projects. Traffic is routed to your application containers at the specified port configured. Every public port is assigned a Northflank code.run domain, optionally you can add custom domains, disable code.run traffic, and add IP policies and basic authentication security.

If you have multiple instances of a service running, ingress traffic will be directed with a round-robin load-balancing strategy. The load balancer will not route traffic to non-ready containers, for example containers that are starting, terminating, or that are failing health checks.

Certificates

All public endpoints on Northflank are given a TLS certificate generated by Let's Encrypt. Certificates are created automatically and renewed before they expire, generated with 2048-bit RSA encryption.

Your custom domains can be linked to a service port and immediately start serving secure traffic with a managed Let's Encrypt certificate.

Headers

You can access the source IP of a request from the X-Forwarded-For header , which is attached to all HTTP/S requests by the Northflank load balancer.

Next steps

Add private ports

Configure ports to allow your services to communicate securely within your project.

Set IP policies

Allow or deny access to services based on IP addresses.

Configure basic authentication

Require users to enter a username or password to access your site.

Expose a database with TLS

Secure internal database connections or expose it publicly with TLS.

Forward deployments and databases

Forward deployments and databases to your local machine for development.

© 2023 Northflank Ltd. All rights reserved.

northflank.comTermsPrivacyfeedback@northflank.com