Networking

VPC configuration and network isolation for deployments.

Networking is configured at deploy time via the --network flag — not in alien.ts. Both alien deploy (developer) and alien-deploy up (customer admin) support the same network flags. This controls whether functions and containers run in an isolated VPC or on the cloud provider's default network.

Modes

Auto (default)

alien deploy --name acme --platform aws

The system decides. If your stack has resources that need networking (e.g. containers), a VPC is created automatically. Otherwise, functions run without a VPC.

Use Default

alien deploy --name acme --platform aws --network use-default

Functions run on the cloud provider's default VPC. No isolated networking is created. VMs get public IPs for internet access.

Good for development and testing. Not recommended for production.

Create

alien deploy --name acme --platform aws --network create

Alien creates an isolated VPC with private subnets and a managed NAT gateway. VMs use private IPs only — all outbound traffic routes through NAT.

Recommended for production. The CIDR block is auto-generated from the stack ID to reduce conflicts, or you can specify one:

alien deploy --name acme --platform aws \
  --network create \
  --network-cidr 10.42.0.0/16 \
  --availability-zones 3

Bring Your Own VPC

Use an existing VPC/VNet. Alien validates the references but creates no networking infrastructure — the customer handles routing and egress.

alien deploy --name acme --platform aws \
  --network byo \
  --vpc-id vpc-0abc123 \
  --public-subnet-ids subnet-pub1,subnet-pub2 \
  --private-subnet-ids subnet-priv1,subnet-priv2 \
  --security-group-ids sg-0abc123

alien deploy --name acme --platform gcp \
  --network byo \
  --network-name my-vpc \
  --subnet-name my-subnet \
  --network-region us-central1

alien deploy --name acme --platform azure \
  --network byo \
  --vnet-resource-id /subscriptions/.../vnet \
  --public-subnet-name pub-subnet \
  --private-subnet-name priv-subnet

BYO VPC is supported on AWS, GCP, and Azure only.

Flags Reference

| Flag | Mode | Description |
| --- | --- | --- |
| --network <mode> | all | auto, use-default, create, or byo |
| --network-cidr <cidr> | create | VPC CIDR block (auto-generated if omitted) |
| --availability-zones <n> | create | Number of AZs (default: 2) |
| --vpc-id <id> | byo (AWS) | Existing VPC ID |
| --public-subnet-ids <ids> | byo (AWS) | Comma-separated public subnet IDs |
| --private-subnet-ids <ids> | byo (AWS) | Comma-separated private subnet IDs |
| --security-group-ids <ids> | byo (AWS) | Comma-separated security group IDs (optional) |
| --network-name <name> | byo (GCP) | Existing VPC network name |
| --subnet-name <name> | byo (GCP) | Subnet name |
| --network-region <region> | byo (GCP) | Subnet region |
| --vnet-resource-id <id> | byo (Azure) | Existing VNet resource ID |
| --public-subnet-name <name> | byo (Azure) | Public subnet name |
| --private-subnet-name <name> | byo (Azure) | Private subnet name |
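
A pre-deploy gate for a production pipeline, as an added example that is not part of Alien or its documentation: it reviews an alien deploy command line against the modes and flags documented above and checks a chosen --network-cidr against address ranges already in use. The function names, the in_use_cidrs list, and the policy that production must pin create or byo are assumptions of this example.

```python
import ipaddress
import shlex

# Mode-specific flags, copied from the Flags Reference table on this page.
CREATE_FLAGS = {"--network-cidr", "--availability-zones"}
BYO_FLAGS = {
    "aws": {"--vpc-id", "--public-subnet-ids", "--private-subnet-ids", "--security-group-ids"},
    "gcp": {"--network-name", "--subnet-name", "--network-region"},
    "azure": {"--vnet-resource-id", "--public-subnet-name", "--private-subnet-name"},
}
NETWORK_FLAGS = CREATE_FLAGS.union(*BYO_FLAGS.values())


def parse_flags(command):
    """Return {flag: value} for the '--flag value' pairs of a deploy command line."""
    tokens = shlex.split(command.replace("\\\n", " "))  # join shell line continuations
    return {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("--")}


def review(command, in_use_cidrs=()):
    """Return a list of findings; an empty list means the command passes the gate."""
    flags = parse_flags(command)
    mode = flags.get("--network", "auto")  # the page documents auto as the default
    platform = flags.get("--platform", "")
    findings = []
    if mode in ("auto", "use-default"):
        # Assumed policy for this example: production must pin create or byo.
        findings.append(f"mode '{mode}' does not guarantee an isolated VPC")
    elif mode not in ("create", "byo"):
        findings.append(f"unknown --network mode '{mode}'")
    allowed = set()
    if mode == "create":
        allowed = CREATE_FLAGS
    elif mode == "byo":
        allowed = BYO_FLAGS.get(platform, set())
    for flag in sorted(NETWORK_FLAGS.intersection(flags) - allowed):
        findings.append(f"{flag} is not valid for mode '{mode}' on platform '{platform}'")
    if mode == "create" and "--network-cidr" in flags:
        try:
            net = ipaddress.ip_network(flags["--network-cidr"])
        except ValueError as exc:
            return findings + [f"--network-cidr is not a valid network: {exc}"]
        if not net.is_private:
            findings.append(f"{net} is not a private address range")
        for other in map(ipaddress.ip_network, in_use_cidrs):
            if net.overlaps(other):
                findings.append(f"{net} overlaps in-use range {other}")
    return findings
```

Feed in_use_cidrs from whatever inventory tracks peered VPCs, VPN ranges and on-premises networks, and fail the pipeline when review returns any finding.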