
Networking

VPC configuration and network isolation for deployments.

Networking is configured at deploy time, not in alien.ts. The CLI exposes this as --network flags, and setup files carry the same choice as StackSettings.network. Alien turns those settings into the generated Network resource in stack state.

Use this page for deployment commands. Use Network API Reference, Behavior & Limits, and Pricing for the full Network reference.

Modes

Auto (default)

alien deploy --name acme --platform aws

The system decides. If your stack has resources that need cloud networking, such as containers, Alien creates the default network shape required by the target platform. Otherwise, no deployment network resource is created.

Use Default

alien deploy --name acme --platform aws --network use-default

Alien uses the cloud provider's default network where the provider has one. Azure has no default VNet, so use-default creates VNet infrastructure for the deployment.

Good for development and testing. Not recommended for production.

Create

alien deploy --name acme --platform aws --network create

Alien creates an isolated VPC with private subnets and a managed NAT gateway. VMs use private IPs only — all outbound traffic routes through NAT.

Recommended for production. The CIDR block is auto-generated from the stack ID to reduce conflicts, or you can specify one:

alien deploy --name acme --platform aws \
  --network create \
  --network-cidr 10.42.0.0/16 \
  --availability-zones 3

Bring Your Own VPC

Use an existing VPC/VNet. Alien stores and validates the references but creates no network infrastructure. The customer handles routing, egress, subnet layout, and security posture.

alien deploy --name acme --platform aws \
  --network byo \
  --vpc-id vpc-0abc123 \
  --public-subnet-ids subnet-pub1,subnet-pub2 \
  --private-subnet-ids subnet-priv1,subnet-priv2 \
  --security-group-ids sg-0abc123

alien deploy --name acme --platform gcp \
  --network byo \
  --network-name my-vpc \
  --subnet-name my-subnet \
  --network-region us-central1

alien deploy --name acme --platform azure \
  --network byo \
  --vnet-resource-id /subscriptions/.../vnet \
  --public-subnet-name pub-subnet \
  --private-subnet-name priv-subnet

BYO VPC is supported on AWS, GCP, and Azure only.
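
Because BYO mode leaves routing and egress to the customer, it is worth checking the subnets you plan to pass as --private-subnet-ids before deploying. The following is an added example, not part of Alien or its documentation: it reads data in the shape of `aws ec2 describe-route-tables` output for one VPC (a constructed sample with placeholder IDs) and flags subnets whose effective route table sends default traffic to an internet gateway. The function names are hypothetical.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output
# for the single VPC passed as --vpc-id (IDs are placeholders, not real resources).
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main", "VpcId": "vpc-0abc123",
   "Associations": [{"Main": true}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
  {"RouteTableId": "rtb-priv", "VpcId": "vpc-0abc123",
   "Associations": [{"Main": false, "SubnetId": "subnet-priv1"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456"}]}
]}
""")

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}

def effective_table(subnet_id, tables):
    """Explicit association wins; otherwise the VPC's main table applies."""
    main = None
    for t in tables:
        for a in t.get("Associations", []):
            if a.get("SubnetId") == subnet_id:
                return t
            if a.get("Main"):
                main = t
    return main

def internet_exposed(private_subnet_ids, doc):
    """Return {subnet_id: route_table_id} for 'private' subnets whose
    effective route table sends default traffic to an internet gateway."""
    findings = {}
    for sid in private_subnet_ids:
        table = effective_table(sid, doc["RouteTables"])
        if table is None:
            continue
        for r in table.get("Routes", []):
            dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
            if dest in DEFAULT_ROUTES and r.get("GatewayId", "").startswith("igw-"):
                findings[sid] = table["RouteTableId"]
    return findings

if __name__ == "__main__":
    # subnet-priv2 has no explicit association, so it inherits rtb-main.
    print(internet_exposed(["subnet-priv1", "subnet-priv2"], SAMPLE))
```

The case to watch is a subnet with no explicit route table association: it silently inherits the VPC's main table, which here routes to an internet gateway.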

Flags Reference

Flag                          Mode         Description
--network <mode>              all          auto, use-default, create, or byo
--network-cidr <cidr>         create       VPC CIDR block (auto-generated if omitted)
--availability-zones <n>      create       Number of AZs (default: 2)
--vpc-id <id>                 byo (AWS)    Existing VPC ID
--public-subnet-ids <ids>     byo (AWS)    Comma-separated public subnet IDs
--private-subnet-ids <ids>    byo (AWS)    Comma-separated private subnet IDs
--security-group-ids <ids>    byo (AWS)    Comma-separated security group IDs (optional)
--network-name <name>         byo (GCP)    Existing VPC network name
--subnet-name <name>          byo (GCP)    Subnet name
--network-region <region>     byo (GCP)    Subnet region
--vnet-resource-id <id>       byo (Azure)  Existing VNet resource ID
--public-subnet-name <name>   byo (Azure)  Public subnet name
--private-subnet-name <name>  byo (Azure)  Private subnet name
