Private Spaces

When you create the private network, you associate a range of IP addresses for the apps in your private space to use, the region in which they run, and optionally, any internal DNS servers to resolve requests to custom domain.

Private spaces support Amazon regions. You can configure multiple private spaces in a single Amazon region, enabling you to set up separate isolated networks for your production and non-production environments, such as QA or staging.

You can connect a private space to your private network using the following methods:

Using Transport Layer Security (TLS) contexts, CloudHub 2.0 enables clients to use custom domains to reach apps deployed to private spaces.

When setting up a private space, you configure Transport Layer Security (TLS) contexts that define the domains that are available when deploying apps to the private spaces.

When deploying an app to the private space, you use the domains from the TLS contexts to configure multiple endpoints, which clients use to reach the app from the internet. If the domains in the TLS context include a wildcard, you can configure an optional subdomain, such as the app name or an organization. You can create as many endpoints as you need.

In addition to custom domains, you can configure the app to be accessible from a different path from the base path where the app is listening.

You control the traffic to and from your private spaces. By default, CloudHub 2.0 blocks all traffic to the private space and provides firewall rules to allow connections through specified ports. You can configure additional firewall rules to control traffic to your private space, expose or block your custom ports, and block requests to your apps.

The private space provides load balancing to balance inbound traffic to apps across multiple replicas.

By combining firewall rules and TLS context configuration, you can fine-tune how external services reach your applications.