The dstack networking architecture is built on multiple layers, each designed to deliver security, isolation, and flexibility for your deployments. By understanding how these layers interact, you’ll be better equipped to optimize performance, maintain strong security boundaries, and quickly resolve any networking issues that arise.

Network Model Overview

Network Layers (at a glance)

1. Public Access
   Users connect to your app over HTTPS; DNS points to your app domain; optionally a CDN serves static files.
   Protocols: HTTP/HTTPS, DNS

2. Gateway Security
   The gateway terminates TLS (certificates are provisioned automatically), blocks attacks (WAF, rate limiting, DDoS protection), and supports HTTP/2 and HTTP/3.

3. Private VPN to CVMs
   The gateway connects to each Confidential VM (CVM) over a WireGuard tunnel, which keeps application traffic private and isolated.

4. Internal CVM Network

Container-to-container communication within a CVM is defined by the Compose network configuration:
```yaml
# Docker network configuration
networks:
  internal:
    driver: bridge
    internal: true          # No external access: this network has no route out of the CVM
    ipam:
      config:
        - subnet: 172.20.0.0/16
  external:
    driver: bridge          # The externally reachable side; only services that must be exposed join it

services:
  web:
    image: nginx:alpine     # placeholder image
    networks:
      - internal
      - external
  database:
    image: postgres:16      # placeholder image
    networks:
      - internal            # Only internal access: reachable from web, never from outside the CVM
```

Traffic Routing

Domain-Based Routing

dstack supports multiple routing patterns:

Routing Patterns:

| Pattern | Example | Use Case |
|---|---|---|
| app.srv.domain | myapp.app.example.com | Default app routing |
| custom.domain | api.mycompany.com | Custom domain via DNS TXT |
| port-N.srv.domain | 8080.app.example.com | Direct port access |
| cvm-id.internal | cvm-abc123.internal | Internal debugging |
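The following classifier shows how a gateway would apply the four patterns in the table to an incoming Host header. It is an added illustration, not dstack's gateway code. Assumptions the page does not state: the base domain is `app.example.com`; a label of the form `<app>-<port>` or a bare numeric label (the table's `8080.app.example.com`) selects a port, a bare one going to a configured default app; a custom domain is accepted only when a DNS TXT record maps it to an app, stubbed here with an in-memory table whose `<app>:<port>` value format is hypothetical.

```python
"""Classify a request's Host header against the dstack routing patterns (added example).

Not dstack code. BASE_DOMAIN, DEFAULT_APP, the "<app>-<port>" label form and the TXT value
format "<app-id>:<port>" are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

BASE_DOMAIN = "app.example.com"   # the "srv.domain" of the table (assumed value)
DEFAULT_APP = "myapp"             # assumption: app that a bare port label such as 8080.app.example.com routes to
INTERNAL_SUFFIX = ".internal"

# Constructed stand-in for a DNS TXT lookup: custom domain -> "<app-id>:<port>" (hypothetical format).
CUSTOM_DOMAIN_TXT = {
    "api.mycompany.com": "myapp:443",
}

LABEL_RE = re.compile(r"(?:(?P<app>[a-z0-9][a-z0-9-]*?)-)?(?P<port>\d{1,5})")


@dataclass(frozen=True)
class Route:
    pattern: str                # "app", "port", "custom" or "internal"
    target: str                 # app id or CVM id that receives the request
    port: Optional[int] = None  # None: the app's default port


def route_host(host: str, from_public: bool = True) -> Optional[Route]:
    """Return the Route for a Host header, or None when the request must be refused (404)."""
    host = host.strip().lower().rstrip(".")
    host = host.split(":", 1)[0]   # drop an explicit port ("myapp.app.example.com:8443")

    # cvm-id.internal is a debugging name; never honour it on the public listener.
    if host.endswith(INTERNAL_SUFFIX):
        cvm_id = host[: -len(INTERNAL_SUFFIX)]
        if from_public or not cvm_id or "." in cvm_id:
            return None
        return Route("internal", cvm_id)

    # app.srv.domain and port-N.srv.domain: exactly one label in front of the base domain.
    if host.endswith("." + BASE_DOMAIN):
        label = host[: -len(BASE_DOMAIN) - 1]
        if not label or "." in label:
            return None
        m = LABEL_RE.fullmatch(label)
        if m is None:
            return Route("app", label)
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            return None
        return Route("port", m.group("app") or DEFAULT_APP, port)

    # custom.domain: only domains whose owner published the TXT record are routed;
    # an unknown Host header is refused rather than forwarded to a guessed app.
    txt = CUSTOM_DOMAIN_TXT.get(host)
    if txt is None:
        return None
    app, _, port = txt.partition(":")
    if not app:
        return None
    return Route("custom", app, int(port) if port.isdigit() else None)


if __name__ == "__main__":
    for h in ("myapp.app.example.com", "8080.app.example.com", "api.mycompany.com",
              "evil.mycompany.com", "cvm-abc123.internal"):
        print(f"{h:28} -> {route_host(h)}")
```

The two refusals are the security-relevant part: an unmatched Host header returns `None` instead of falling through to some default backend, and the `.internal` debugging names are rejected whenever the request arrived on the public listener, so they cannot be reached by simply sending the right `Host:` value from the internet.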

Custom Domain Setup

To use a custom domain, configure DNS records as follows:

DNS Configuration:

Request Routing Flow


Network Security Framework

Port Security Configuration

Default Port Configuration:

| Port | Service | Access | Security |
|---|---|---|---|
| 80 | HTTP | Public | Redirect to HTTPS |
| 443 | HTTPS | Public | TLS 1.2+ only |
| 51820 | WireGuard | Public | Key-based auth |
| 9080 | VMM API | Internal | Localhost only |
| 8000 | KMS RPC | Internal | RA-TLS required |
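A quick way to verify a host against the Access column of this table is to read the listening sockets and compare each bind address with the policy. The script below is an added example, not a dstack tool: it treats 80, 443 and 51820 as allowed to bind a non-loopback address, requires 9080 (VMM API) and 8000 (KMS RPC) to be loopback only, and reports any other port listening beyond loopback. The `ss -tulnp` output it parses is constructed (process names included) so that it runs offline; on a real host you would feed it `subprocess.run(["ss", "-tulnp"], ...)` output instead.

```python
"""Audit listening sockets against the Default Port Configuration table (added example).

Not dstack tooling. SS_OUTPUT is constructed; the policy dict mirrors the page's table.
"""
from dataclasses import dataclass
from typing import List

# port -> (service, may_bind_public), taken from the table
PORT_POLICY = {
    80:    ("HTTP", True),
    443:   ("HTTPS", True),
    51820: ("WireGuard", True),
    9080:  ("VMM API", False),
    8000:  ("KMS RPC", False),
}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed `ss -tulnp` output: one clean host except for two problems (8000 and 5432).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*     users:(("gateway",pid=1200,fd=7))
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*     users:(("gateway",pid=1200,fd=8))
udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:9080       0.0.0.0:*     users:(("vmm",pid=900,fd=5))
tcp   LISTEN 0      128          0.0.0.0:8000       0.0.0.0:*     users:(("kms",pid=950,fd=5))
tcp   LISTEN 0      128             [::]:5432          [::]:*     users:(("postgres",pid=1000,fd=6))
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_ss(output: str) -> List[Listener]:
    """Parse the Netid and 'Local Address:Port' columns of `ss -tulnp` output."""
    listeners = []
    for line in output.splitlines()[1:]:           # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")  # rpartition keeps IPv6 such as [::]:443 intact
        if not port.isdigit():
            continue
        listeners.append(Listener(fields[0], addr.strip("[]"), int(port)))
    return listeners


def audit(listeners: List[Listener]) -> List[str]:
    """Return one finding per socket that violates the table's Access column."""
    findings = []
    for l in listeners:
        public_bind = l.addr not in LOOPBACK        # 0.0.0.0, ::, * and real interface IPs
        policy = PORT_POLICY.get(l.port)
        if policy is None:
            if public_bind:
                findings.append(f"{l.proto}/{l.port} on {l.addr}: not in the port policy but reachable beyond loopback")
            continue
        service, may_bind_public = policy
        if public_bind and not may_bind_public:
            findings.append(f"{l.proto}/{l.port} ({service}) on {l.addr}: must be localhost only")
    return findings


def missing_public_services(listeners: List[Listener]) -> List[str]:
    """Services the table marks Public that nothing is listening on (gateway or VPN not up)."""
    open_ports = {l.port for l in listeners}
    return [svc for port, (svc, public) in PORT_POLICY.items() if public and port not in open_ports]


if __name__ == "__main__":
    found = parse_ss(SS_OUTPUT)
    for f in audit(found):
        print("VIOLATION:", f)
    for s in missing_public_services(found):
        print("NOT LISTENING:", s)
```

Binding the KMS RPC port to `0.0.0.0` is the classic mistake this catches: RA-TLS still authenticates peers, but the service is now reachable for fingerprinting and denial of service from anywhere the host is routable, and the firewall becomes the only thing standing between it and the internet.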

Firewall Configuration

Recommended Firewall Rules:

Network Isolation Mechanisms

Multi-Layer Isolation:

VLAN Separation: Different VLANs for management and application traffic
Network Namespaces: Each CVM has isolated network stack
Bridge Isolation: Separate bridges prevent cross-CVM communication
Firewall Rules: Default deny with explicit allow rules
WireGuard Encryption: All CVM traffic encrypted

HTTPS & Certificate Management

Automatic Certificate Provisioning

dstack automatically provisions and renews TLS certificates using Let’s Encrypt:

Certificate Configuration

Gateway Certificate Settings:

Certificate Transparency Monitoring

CT Log Monitoring:
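One concrete form of CT log monitoring is to pull the log entries for your domains and flag any certificate that the gateway did not obtain itself. The scanner below is an added example and not part of dstack. The entry shape follows the JSON that crt.sh returns for a query such as `?q=%.example.com&output=json` (fields `issuer_name`, `name_value`, `serial_number`, `not_after`, ...), which is an assumption about that service; the entries themselves are constructed. Every unexpired entry is checked for an issuer other than Let's Encrypt, a wildcard name, a name you do not deploy, and a serial the gateway never recorded when it requested a certificate.

```python
"""Scan Certificate Transparency entries for certificates you did not expect (added example).

Not dstack code. CT_ENTRIES_JSON, KNOWN_SERIALS and NOW are constructed; the crt.sh-like
field names are an assumption about that service's JSON output.
"""
import json
from datetime import datetime, timezone

EXPECTED_ISSUER_PREFIX = "C=US, O=Let's Encrypt"          # the CA the gateway uses, per the page
ALLOWED_NAMES = {"myapp.app.example.com", "api.mycompany.com"}
# Serials the gateway itself obtained (constructed); anything else for our names is suspect.
KNOWN_SERIALS = {"04aa11bb22cc33dd44ee55ff66778899aabb"}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)         # fixed clock so the run is reproducible

CT_ENTRIES_JSON = """[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "myapp.app.example.com",
  "name_value": "myapp.app.example.com", "serial_number": "04aa11bb22cc33dd44ee55ff66778899aabb",
  "not_before": "2025-05-01T00:00:00", "not_after": "2025-07-30T00:00:00"},
 {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "api.mycompany.com",
  "name_value": "api.mycompany.com", "serial_number": "0fedcba9876543210fedcba987654321aaaa",
  "not_before": "2025-05-10T00:00:00", "not_after": "2025-08-08T00:00:00"},
 {"id": 1003, "issuer_name": "C=US, O=Example Trust Services, CN=Example CA G2", "common_name": "myapp.app.example.com",
  "name_value": "myapp.app.example.com\\nstaging.app.example.com", "serial_number": "0123456789abcdef0123456789abcdef",
  "not_before": "2025-05-12T00:00:00", "not_after": "2026-05-12T00:00:00"},
 {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=R10", "common_name": "*.app.example.com",
  "name_value": "*.app.example.com", "serial_number": "00aa00bb00cc00dd00ee00ff00aa00bb00cc",
  "not_before": "2025-05-15T00:00:00", "not_after": "2025-08-13T00:00:00"},
 {"id": 900, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "myapp.app.example.com",
  "name_value": "myapp.app.example.com", "serial_number": "deadbeef0000000000000000000000000001",
  "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T00:00:00"}
]"""


def check_ct_entries(entries, now):
    """Return a finding (id, names, reasons) for every unexpired entry that breaks a rule."""
    findings = []
    for e in entries:
        not_after = datetime.fromisoformat(e["not_after"]).replace(tzinfo=timezone.utc)
        if not_after < now:
            continue                                    # expired: cannot be used against you
        names = {n.strip().lower() for n in e["name_value"].splitlines() if n.strip()}
        wildcards = {n for n in names if n.startswith("*.")}
        reasons = []
        if not e["issuer_name"].startswith(EXPECTED_ISSUER_PREFIX):
            reasons.append(f"unexpected issuer: {e['issuer_name']}")
        if wildcards:
            reasons.append("wildcard certificate: " + ", ".join(sorted(wildcards)))
        extra = sorted(names - wildcards - ALLOWED_NAMES)
        if extra:
            reasons.append("covers names not deployed: " + ", ".join(extra))
        if e["serial_number"].lower() not in KNOWN_SERIALS:
            reasons.append("serial not in the gateway's issuance records")
        if reasons:
            findings.append({"id": e["id"], "names": sorted(names), "reasons": reasons})
    return findings


def run_check():
    return check_ct_entries(json.loads(CT_ENTRIES_JSON), NOW)


if __name__ == "__main__":
    for f in run_check():
        print(f"entry {f['id']} {f['names']}: " + "; ".join(f["reasons"]))
```

The serial check is the one that matters most: a certificate from the right CA for exactly the right name is indistinguishable from a legitimate renewal unless you compare it against what the gateway actually requested, so the gateway's issuance log (serial, not_before, names) is the input this monitor depends on.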


Advanced Networking Features

Multi-Region Deployment Architecture

Deploy across multiple regions with optimized routing:

Load Balancing Strategies

Load Balancing Methods:

| Method | Algorithm | Use Case |
|---|---|---|
| Round Robin | Sequential distribution | Equal server capacity |
| Least Connections | Route to least busy | Long-lived connections |
| IP Hash | Consistent routing | Session affinity needed |
| Geographic | Nearest region | Global deployments |
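The four methods side by side, as an added example rather than the dstack gateway's own scheduler. The backends, their in-flight connection counts and the (approximate) data-centre coordinates are constructed. IP Hash is built on a hash ring (consistent hashing) so that removing one backend only moves the clients that were pinned to it; a plain `hash(ip) % n` would reshuffle almost every client and defeat the session affinity the table says this method is for.

```python
"""Round robin, least connections, IP hash and geographic selection (added example).

Not dstack code. make_backends() returns a constructed fleet with rough coordinates.
"""
import bisect
import hashlib
import math
from itertools import cycle


class Backend:
    def __init__(self, name, lat, lon):
        self.name, self.lat, self.lon = name, lat, lon
        self.active = 0            # in-flight connections, updated by the proxy on open/close


def make_backends():
    # Constructed fleet; coordinates are rough locations, not real dstack regions.
    return [Backend("cvm-us", 38.9, -77.0),    # Virginia
            Backend("cvm-eu", 53.3, -6.3),     # Dublin
            Backend("cvm-ap", 1.3, 103.8)]     # Singapore


def _haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def _h64(s):
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")


class Balancer:
    def __init__(self, backends, replicas=128):
        self.backends = list(backends)
        self._rr = cycle(self.backends)
        # Hash ring: each backend owns `replicas` points; a client lands on the first point
        # clockwise from hash(client_ip). Ties between points are broken by backend index.
        points = sorted((_h64(f"{b.name}#{i}"), idx)
                        for idx, b in enumerate(self.backends) for i in range(replicas))
        self._keys = [k for k, _ in points]
        self._owners = [idx for _, idx in points]

    def round_robin(self):                            # equal capacity: just take turns
        return next(self._rr)

    def least_connections(self):                      # long-lived connections: fewest in flight
        return min(self.backends, key=lambda b: b.active)

    def ip_hash(self, client_ip):                     # session affinity: same client, same backend
        i = bisect.bisect(self._keys, _h64(client_ip)) % len(self._keys)
        return self.backends[self._owners[i]]

    def geographic(self, client_lat, client_lon):     # global deployments: nearest region
        return min(self.backends,
                   key=lambda b: _haversine_km(client_lat, client_lon, b.lat, b.lon))


def affinity_moved(n_clients=500):
    """Remove cvm-ap and count clients whose backend changed.

    Returns (clients that moved although they were NOT on cvm-ap, overall moved fraction).
    With a hash ring the first number is exactly 0 and the fraction is about one third."""
    full = Balancer(make_backends())
    reduced = Balancer(make_backends()[:2])
    ips = [f"10.{i // 256}.{i % 256}.1" for i in range(n_clients)]
    unexpected = sum(1 for ip in ips
                     if full.ip_hash(ip).name != "cvm-ap"
                     and full.ip_hash(ip).name != reduced.ip_hash(ip).name)
    moved = sum(1 for ip in ips if full.ip_hash(ip).name != reduced.ip_hash(ip).name)
    return unexpected, moved / n_clients


if __name__ == "__main__":
    b = Balancer(make_backends())
    print("round robin:", [b.round_robin().name for _ in range(4)])
    print("ip hash 203.0.113.7 ->", b.ip_hash("203.0.113.7").name)
    print("nearest to Frankfurt ->", b.geographic(50.1, 8.7).name)
    print("affinity after removing cvm-ap:", affinity_moved())
```

Note that IP Hash keys on the client address, so clients behind one NAT or proxy all land on the same backend; if the gateway sits behind a CDN (layer 1 above) the key must be the forwarded client address, not the CDN edge, or the method degenerates to pinning everyone to one CVM.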

Service Mesh Integration

For complex microservices deployments:

Istio Integration Example: