Networking

Fugoku networking provides isolated private networks, static floating IPs, load balancing, and firewall controls.

Private Networks

Isolate services on VLANs with private IP ranges.

Creating a Private Network

Via Console:

Navigate to Networking → Networks
Click Create Network
Configure:
- Name: backend-net
- Subnet: 10.10.0.0/24 (RFC1918 range)
- Region: lagos-1
- DHCP: Enabled (auto-assign IPs)
Click Create

Via CLI:

fugoku networks create \
  --name backend-net \
  --subnet 10.10.0.0/24 \
  --region lagos-1

Via API:

curl -X POST https://api.fugoku.com/v1/networks \
  -H "Authorization: Bearer $FUGOKU_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "backend-net",
    "subnet": "10.10.0.0/24",
    "region": "lagos-1",
    "dhcp_enabled": true
  }'

Attaching Instances

Via Console: Instance detail → Networking tab → Attach to Network

Via CLI:

fugoku networks attach backend-net --instance web-1

Instance gains second network interface (eth1) with private IP (e.g., 10.10.0.5).

Use Cases

Database isolation:

┌─────────┐     Public Internet     ┌──────────┐
│  Web    │ ←──────────────────────→ │  Users   │
│ Server  │                          └──────────┘
└────┬────┘
     │ eth1: 10.10.0.5
     │
  Private Network (10.10.0.0/24)
     │
     │ eth1: 10.10.0.10
┌────┴─────┐
│ Database │ (no public IP)
└──────────┘

Database only accessible from web server, not internet.

Multi-tier architecture:

Load Balancer (public)
    ↓
Frontend Network (10.10.0.0/24)
    ↓
App Servers
    ↓
Backend Network (10.20.0.0/24)
    ↓
Database Servers

Floating IPs

Static public IP addresses that can be reassigned between instances.

Creating a Floating IP

Via Console:

Networking → Floating IPs
Click Reserve IP
Select region
IP allocated from pool (e.g., 102.89.45.200)

Via CLI:

fugoku networking create-ip --region lagos-1
# IP: 102.89.45.200

Assigning to Instance

Via Console: Floating IP detail → Assign → Select instance

Via CLI:

fugoku networking assign-ip web-1 --ip 102.89.45.200

Use Cases

DNS stability: Point DNS records at floating IP instead of instance IP. Rebuild instance without DNS changes.

# DNS records
A    example.com      102.89.45.200
A    www.example.com  102.89.45.200

Zero-downtime failover:

# Primary instance fails
fugoku networking unassign-ip web-1 --ip 102.89.45.200

# Assign to standby instance
fugoku networking assign-ip web-2 --ip 102.89.45.200

# Downtime: ~5 seconds for ARP cache

Blue-green deployments:

# Deploy new version on web-2
# Test web-2 directly

# When ready, switch traffic
fugoku networking unassign-ip web-1 --ip 102.89.45.200
fugoku networking assign-ip web-2 --ip 102.89.45.200

# Rollback if issues
fugoku networking assign-ip web-1 --ip 102.89.45.200

Pricing

Floating IPs: $3/month per IP (free when assigned, charged when unassigned but reserved)

Load Balancers

Distribute traffic across multiple backend instances.

Creating a Load Balancer

Via Console:

Networking → Load Balancers
Click Create Load Balancer
Configure:
- Name: api-lb
- Region: lagos-1
- Algorithm: Round Robin, Least Connections, IP Hash
- Protocol: HTTP, HTTPS, TCP
- Frontend Port: 80 (public)
- Backend Port: 8080 (instance)
- Health Check: /health, interval 10s, timeout 5s
Add backends (instances)
Click Create

Via CLI:

# Create load balancer
fugoku lb create \
  --name api-lb \
  --region lagos-1 \
  --algorithm round-robin \
  --protocol http \
  --port 80 \
  --backend-port 8080

# Add backend instances
fugoku lb add-backend api-lb --instance api-1
fugoku lb add-backend api-lb --instance api-2
fugoku lb add-backend api-lb --instance api-3

# Configure health check
fugoku lb set-health-check api-lb \
  --path /health \
  --interval 10 \
  --timeout 5 \
  --unhealthy-threshold 3

Load Balancing Algorithms

Round Robin (default): Distribute requests evenly across all backends.

Request 1 → api-1
Request 2 → api-2
Request 3 → api-3
Request 4 → api-1
...

Least Connections: Send to backend with fewest active connections.

api-1: 5 connections
api-2: 3 connections  ← Next request goes here
api-3: 8 connections

IP Hash: Same client IP always goes to same backend (session affinity).

Client 192.168.1.10 → always → api-2
Client 192.168.1.20 → always → api-1

Health Checks

Load balancer regularly pings backends to detect failures.

HTTP health check:

GET /health HTTP/1.1
Host: api-1

Response: 200 OK = healthy
Response: 5xx or timeout = unhealthy

TCP health check: Just verify TCP connection succeeds.

Configuration:

Interval: How often to check (default 10s)
Timeout: Max time to wait for response (default 5s)
Unhealthy threshold: Failed checks before marking down (default 3)
Healthy threshold: Successful checks before marking up (default 2)

SSL/TLS Termination

Load balancer handles HTTPS, forwards HTTP to backends.

Upload certificate:

fugoku lb add-cert api-lb \
  --cert /path/to/fullchain.pem \
  --key /path/to/privkey.pem

Via Console: LB detail → Certificates → Upload

Enable HTTPS listener:

fugoku lb add-listener api-lb \
  --protocol https \
  --port 443 \
  --backend-port 8080 \
  --cert default

Automatic redirect HTTP → HTTPS:

fugoku lb set-redirect api-lb --from 80 --to 443

Sticky Sessions

Keep client on same backend for session persistence.

Cookie-based:

fugoku lb set-sticky api-lb --method cookie --cookie-name SERVERID

Load balancer sets cookie, routes subsequent requests to same backend.

Source IP-based: Use IP Hash algorithm (same result).

Example: High-Availability API

# Create 3 API servers
for i in 1 2 3; do
  fugoku create instance \
    --name api-$i \
    --plan standard-2 \
    --image ubuntu-22.04 \
    --region lagos-1
done

# Deploy API to each instance (your deployment script)
./deploy.sh api-1
./deploy.sh api-2
./deploy.sh api-3

# Create load balancer
fugoku lb create \
  --name api-lb \
  --region lagos-1 \
  --algorithm least-connections \
  --protocol http \
  --port 80 \
  --backend-port 3000

# Add backends
fugoku lb add-backend api-lb --instance api-1
fugoku lb add-backend api-lb --instance api-2
fugoku lb add-backend api-lb --instance api-3

# Configure health check
fugoku lb set-health-check api-lb \
  --path /health \
  --interval 5 \
  --timeout 3 \
  --unhealthy-threshold 2

# Get load balancer IP
fugoku lb get api-lb
# IP: 102.89.45.250

# Point DNS to load balancer
# A  api.example.com  102.89.45.250

# Test
curl http://api.example.com/health
# {"status": "ok", "server": "api-2"}

Pricing

Load Balancers: $10/month + $0.01/GB transferred

Firewalls

Control inbound and outbound traffic with security groups.

Default Rules

Every instance has a default security group:

Inbound:
  TCP 22 from 0.0.0.0/0  (SSH from anywhere)

Outbound:
  ALL to 0.0.0.0/0       (allow all outbound)

Adding Rules

Via Console: Instance detail → Networking → Edit Firewall → Add Rule

Via CLI:

# Allow HTTP
fugoku firewalls add-rule web-1 \
  --direction inbound \
  --protocol tcp \
  --port 80 \
  --source 0.0.0.0/0

# Allow HTTPS
fugoku firewalls add-rule web-1 \
  --direction inbound \
  --protocol tcp \
  --port 443 \
  --source 0.0.0.0/0

# Restrict SSH to office IP
fugoku firewalls add-rule web-1 \
  --direction inbound \
  --protocol tcp \
  --port 22 \
  --source 203.0.113.50/32

Rule Anatomy

Direction: inbound | outbound
Protocol:  tcp | udp | icmp | all
Port:      Single (80) or range (8000-8080)
Source:    IP/CIDR (192.0.2.0/24) or security group ID

Example: Web Server

# Inbound rules
TCP 22 from office IP      # SSH access
TCP 80 from 0.0.0.0/0      # HTTP
TCP 443 from 0.0.0.0/0     # HTTPS

# Outbound rules
ALL to 0.0.0.0/0           # Allow all outbound

Example: Database Server

# Inbound rules
TCP 5432 from sg-app-servers  # PostgreSQL from app tier only

# Outbound rules
ALL to 0.0.0.0/0              # Allow updates, etc.

Security Groups

Group instances with same rules.

Via Console: Networking → Security Groups → Create

Via CLI:

# Create security group
fugoku firewalls create-group \
  --name web-servers \
  --description "Rules for web tier"

# Add rules to group
fugoku firewalls add-rule web-servers \
  --protocol tcp --port 80 --source 0.0.0.0/0

fugoku firewalls add-rule web-servers \
  --protocol tcp --port 443 --source 0.0.0.0/0

# Apply to instances
fugoku firewalls apply web-servers --instance web-1
fugoku firewalls apply web-servers --instance web-2

Inter-Group Rules

Allow instances in one group to talk to another.

# Create groups
fugoku firewalls create-group --name app-tier
fugoku firewalls create-group --name db-tier

# Allow app tier to access database
fugoku firewalls add-rule db-tier \
  --protocol tcp \
  --port 5432 \
  --source-group app-tier

# Now any instance in app-tier can reach port 5432 on db-tier instances

DNS (Coming Q3 2026)

Managed DNS service for your domains.

Planned features:

Create DNS zones
Manage A, AAAA, CNAME, MX, TXT records
GeoDNS (route based on user location)
Health-checked failover
API-driven updates

Bandwidth & Transfer

Included bandwidth:

1-4 TB/month per instance (depends on plan)
Unlimited traffic between Fugoku instances in same region
Free traffic to/from load balancers

Additional bandwidth: $0.01/GB

Monitoring: View bandwidth usage in Console → Instance detail → Metrics

IPv6

IPv6 support coming Q4 2026.

All instances will receive:

IPv4 (as today)
IPv6 /128 address
No extra charge

DDoS Protection

All Fugoku IPs protected by automatic DDoS mitigation:

Layer 3/4 attacks (SYN floods, UDP floods)
Automatic detection and filtering
Always-on, no configuration needed
Included at no extra cost

For Layer 7 protection (HTTP floods), use a CDN (Cloudflare, Fastly).

Best Practices

Network Architecture

Public-facing tier:

Load balancer with floating IP
Multiple frontend instances
Firewall: Allow 80, 443 only

Application tier:

Private network (10.10.0.0/24)
Multiple app instances
Firewall: Accept from frontend tier only

Database tier:

Private network (10.20.0.0/24)
Primary + replica instances
Firewall: Accept from app tier only, port 5432 only

Security

Minimize attack surface: Only open ports you need
Restrict SSH: Limit to your IP or VPN
Use private networks: Backend services shouldn't have public IPs
Implement defense in depth: Firewalls + application-level auth
Enable logging: Monitor firewall denials
Regular audits: Review rules quarterly

High Availability

Use load balancers: Multiple backends for redundancy
Deploy across multiple instances: Avoid single points of failure
Health checks: Detect failures automatically
Floating IPs: Quick failover for databases
Monitor: Set up alerts for instance/LB failures

Troubleshooting

Can't connect to instance

# Check firewall rules
fugoku firewalls list-rules web-1

# Verify rule exists
# Should see: TCP 22 from your IP

# Add rule if missing
fugoku firewalls add-rule web-1 \
  --protocol tcp --port 22 --source $(curl -s ifconfig.me)/32

Load balancer not distributing

Verify instances are healthy: LB detail → Backends
Check health check configuration
Review backend application logs
Test backend directly: curl http://backend-ip:port/

Private network not working

# On instance, check interfaces
ip addr show

# Should see eth1 with private IP
# eth1: <BROADCAST,MULTICAST,UP,LOWER_UP>
#     inet 10.10.0.5/24

# Ping other instance on private network
ping 10.10.0.10

If not working:

Verify instances attached to same network
Check DHCP is enabled on network
Restart networking: sudo systemctl restart networking

Limits

Per account:

Private networks: 10 per region
Floating IPs: 20 per region
Load balancers: 10 per region
Security groups: 50 per region
Rules per security group: 50

Need higher limits? Contact support@fugoku.com

Next Steps:

Learn about Security best practices
Explore the API for network automation
Read about Compute for backend instances
Learn about Storage for persistent data

Networking

On this page