What It Does

Monk creates an encrypted overlay network spanning all your infrastructure - across clouds, regions, and even on-premises. Every service can securely communicate with every other service, no matter where they run. Zero configuration required. Monk derives all networking from your application’s connection graph and configures routing, firewalls, and load balancing automatically at every level of your system.

How It Works

Encrypted Overlay Network

Monk spans an encrypted overlay network between every VM in your system, regardless of location.
Network coverage:
  • ✅ Single cloud, single region
  • ✅ Single cloud, multi-region
  • ✅ Multi-cloud (AWS + GCP + Azure + DigitalOcean)
  • ✅ Cloud + on-premises (manual setup required)
Encryption by default:
  • All inter-service communication encrypted automatically
  • No VPN setup required
  • No Tailscale or WireGuard configuration needed
  • Works transparently across cloud provider boundaries
Example: Your API server on AWS us-east-1 can securely communicate with:
  • PostgreSQL on GCP europe-west1
  • Redis on DigitalOcean nyc1
  • On-premises legacy system in your datacenter
All connections are encrypted and routed through Monk’s overlay network automatically.

Dynamic Routing & Firewall Configuration

Monk dynamically configures routing and firewalls at every level of your infrastructure.
Configuration levels:
  • Container level - Network policies between containers
  • Pod level - Service-to-service routing
  • Machine level - Host firewall rules
  • Security group level - Cloud provider security groups
  • VPC level - Network ACLs and routing tables
All derived from connection graph:
Based on your application’s Configuration & Wiring, Monk understands which services need to communicate:
Your application:
  Frontend → API Server → Database
  API Server → Redis
  Worker → Redis
  Worker → External API (Stripe)
Monk configures:
  • Frontend can reach API Server (public endpoint)
  • API Server can reach Database (internal, encrypted)
  • API Server can reach Redis (internal, encrypted)
  • Worker can reach Redis (internal, encrypted)
  • Worker can reach Stripe API (public, via internet gateway)
  • Nothing else can communicate - all other paths blocked by default
Firewall rules managed automatically:
  • Only desired ports open to the internet
  • Internal services use private network
  • Unused ports blocked by default
  • Rules updated dynamically as services scale
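
One way to check the result against the graph, as an added example (not Monk's code or API): it compares a set of effective allow rules, exported however your environment permits, with the flows the connection graph justifies. The port numbers, the `internet` source label, the choice of API Server as the only public service, and the sample rules are assumptions constructed for illustration.

```python
# Added example: not Monk's code or API. Sample data is constructed.
from typing import NamedTuple

class Rule(NamedTuple):
    src: str   # service name, or "internet" for any external source
    dst: str
    lo: int    # first port of the allowed range
    hi: int    # last port of the allowed range

# Connection graph from the page. Port numbers are assumed for illustration.
GRAPH = {
    ("Frontend", "API Server"): 443,
    ("API Server", "Database"): 5432,
    ("API Server", "Redis"): 6379,
    ("Worker", "Redis"): 6379,
    ("Worker", "External API (Stripe)"): 443,
}
PUBLIC = {"API Server"}  # assumed: the only service with a public endpoint
# Constructed export of effective allow rules to audit.
OBSERVED = [
    Rule("internet", "API Server", 443, 443),
    Rule("Frontend", "API Server", 443, 443),
    Rule("API Server", "Database", 5432, 5432),
    Rule("API Server", "Redis", 6379, 6379),
    Rule("internet", "Redis", 6379, 6379),     # internal service exposed
    Rule("Frontend", "Database", 5432, 5432),  # edge not in the graph
    Rule("Worker", "Redis", 6000, 7000),       # range wider than needed
]

def allowed_ports(graph, public):
    """Map (src, dst) to the set of ports the graph justifies."""
    allowed = {}
    for (src, dst), port in graph.items():
        allowed.setdefault((src, dst), set()).add(port)
        if dst in public:
            allowed.setdefault(("internet", dst), set()).add(port)
    return allowed

def audit(rules, graph, public):
    """Return (excess rules, graph flows that no rule covers)."""
    allowed = allowed_ports(graph, public)
    excess, covered = [], set()
    for r in rules:
        ok = {p for p in allowed.get((r.src, r.dst), ()) if r.lo <= p <= r.hi}
        if len(ok) != r.hi - r.lo + 1:  # range permits a port outside the graph
            excess.append(r)
        covered |= {(r.src, r.dst, p) for p in ok}
    wanted = {(s, d, p) for (s, d), ports in allowed.items() for p in ports}
    return excess, sorted(wanted - covered)
```

With the sample data, `audit(OBSERVED, GRAPH, PUBLIC)` returns the three commented rules as excess and reports the Worker → Stripe flow as missing, since no rule covers it.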

Load Balancing

Monk handles load balancing at multiple levels.
Cloud-managed load balancers:
  • Uses AWS Application Load Balancer, GCP Load Balancing, Azure Load Balancer when applicable
  • Automatically provisioned for public-facing services
  • Health checks configured automatically
  • SSL/TLS termination when using custom domains
Internal load balancing:
  • Built-in load balancing between service replicas
  • Automatic service discovery - no manual endpoint configuration
  • Requests distributed across healthy instances
  • Failed instances removed from rotation automatically
Zero-downtime deployments:
  • When containers are updated, Monk orchestrates rolling updates
  • New version starts while old version still serves traffic
  • Traffic switches to new version only after health checks pass
  • Old version gracefully shut down after traffic drains

Temporary Domains with TLS

Every machine managed by Monk gets a free temporary domain.
Format: <machine-id>.runs.onmonk.io
Features:
  • Automatically assigned to each VM
  • Free TLS certificates included
  • Only active if workload explicitly opens a port to the internet
  • Useful for development, testing, and temporary deployments
Use cases:
  • Test API endpoints before configuring custom domain
  • Share staging environment URLs with team
  • Quick demos without DNS configuration
  • Development environments with HTTPS
These temporary domains are assigned to all machines but only serve traffic if your application opens a port publicly. Internal services (databases, workers, etc.) don’t expose anything via these domains.

Custom Domains with Cloudflare Integration

Want to use your own domain? Monk integrates with Cloudflare to manage DNS and domain setup automatically.
Bring Your Own Domain:
  • Use your own domain name (e.g., api.yourapp.com, www.yourapp.com)
  • Monk manages your Cloudflare DNS zone
  • Automatic DNS record creation and updates
  • Free SSL/TLS certificates via Cloudflare
What Monk handles:
  • DNS zone configuration
  • A/AAAA records pointing to your services
  • CNAME records for aliases
  • SSL/TLS certificate provisioning
  • DNS updates when infrastructure changes
Setup:
  1. Have your domain registered with Cloudflare (or transfer it to Cloudflare)
  2. Provide Cloudflare API credentials to Monk
  3. Tell Monk which domain to use for your application
  4. Monk configures DNS and connects your domain to your deployment
When your infrastructure changes (scaling, migration, etc.), Monk updates DNS records automatically.

Cloud Network Provisioning

Monk provisions cloud networking resources automatically.
What Monk creates:
  • VPCs - Isolated networks for your application
  • Subnets - Public and private subnets as needed
  • Internet gateways - For public-facing services
  • NAT gateways - For private services to reach internet (updates, APIs)
  • Route tables - Routing between subnets and internet
  • Security groups - Firewall rules at instance level
  • Network ACLs - Additional firewall layer at subnet level
All configured based on your application’s architecture - no manual network engineering required.

API Gateway Integration

When applicable, Monk utilizes cloud-managed API gateways.
Supported:
  • AWS API Gateway
  • GCP API Gateway
  • Azure API Management
Benefits:
  • Centralized API management
  • Rate limiting and throttling
  • Request/response transformation
  • API versioning support
Monk provisions and configures API gateways when your architecture benefits from them (e.g., serverless functions, microservices with many endpoints).

Coming Soon

Built-in Ingress Controller with ModSecurity (coming soon)
Monk’s orchestrator includes a built-in ingress controller with ModSecurity WAF (Web Application Firewall) pre-installed. This will be managed by the agent soon, providing:
  • Automatic WAF protection against common web attacks
  • DDoS mitigation at application layer
  • Request filtering and rate limiting
  • Zero configuration required

What Makes This Different

Traditional networking setup requires:
  • Manually creating VPCs, subnets, route tables
  • Configuring security groups for each service
  • Setting up VPNs or VPC peering for multi-cloud
  • Managing firewall rules across environments
  • Configuring load balancers manually
  • Setting up service discovery mechanisms
  • Managing SSL certificates and DNS
  • Debugging connectivity issues between services
With Monk: all networking is derived from your application’s connection graph. Everything is configured automatically and encrypted by default.

Key Capabilities

  • Encrypted overlay network - Spans all infrastructure automatically
  • Zero configuration - All derived from service relationships
  • Multi-cloud networking - Works across AWS, GCP, Azure, DigitalOcean, on-prem
  • Dynamic routing - Configured at container, machine, security group, VPC levels
  • Automatic firewalls - Only necessary ports open, everything else blocked
  • Load balancing - Cloud-managed and internal load balancing
  • Zero-downtime updates - Rolling updates with automatic traffic switching
  • Free TLS domains - .runs.onmonk.io with automatic certificates
  • Custom domain support - Bring your own domain with Cloudflare integration
  • Automatic DNS management - DNS records updated as infrastructure changes
  • Service discovery - Built-in, no manual endpoint management
  • VPC provisioning - Complete cloud network infrastructure created automatically