# Networking

> Encrypted overlay network, dynamic routing, and zero-config connectivity

## What It Does

Monk creates an encrypted overlay network that spans all your infrastructure — across clouds, regions, and on-premises. Every service talks to every other service securely, no matter where it runs.

**Zero configuration required.** Monk derives all networking from your app's [connection graph](/features/configuration-and-wiring) and configures routing, firewalls, and load balancing automatically.

## How It Works

### Encrypted Overlay Network

Monk spans an encrypted overlay network between every VM in your system, regardless of location.

**Network coverage:**

* Single cloud, single region
* Single cloud, multi-region
* Multi-cloud (AWS + GCP + Azure + DigitalOcean + Hetzner)
* Cloud + on-premises (manual setup required)

**Encryption by default:**

* All inter-service communication encrypted automatically
* No VPN setup required
* No Tailscale or WireGuard configuration needed
* Works transparently across cloud provider boundaries

**Example:**
Your API server on AWS us-east-1 can securely reach:

* PostgreSQL on GCP europe-west1
* Redis on DigitalOcean nyc1
* An on-premises legacy system in your datacenter

All connections are encrypted and routed through the overlay network automatically.

### Dynamic Routing & Firewall Configuration

Monk configures routing and firewalls dynamically at every level of your infrastructure.

**Configuration levels:**

* **Container level** - Network policies between containers
* **Machine level** - Host firewall rules
* **Security group level** - Cloud provider security groups
* **VPC level** - Network ACLs and routing tables

**All derived from the connection graph:**

Monk reads your app's [Configuration & Wiring](/features/configuration-and-wiring) and figures out which services need to talk to each other:

```
Your application:
  Frontend → API Server → Database
  API Server → Redis
  Worker → Redis
  Worker → External API (Stripe)
```

**Monk configures:**

* Frontend can reach API Server (public endpoint)
* API Server can reach Database (internal, encrypted)
* API Server can reach Redis (internal, encrypted)
* Worker can reach Redis (internal, encrypted)
* Worker can reach Stripe API (public, via internet gateway)
* **Nothing else can communicate** — all other paths blocked by default

**Firewall rules are managed automatically:**

* Only required ports open to the internet
* Internal services stay on the private network
* Unused ports blocked by default
* Rules update dynamically as services scale
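The derivation above (graph in, allow rules out, everything else denied) can be made concrete with a small model. The following is an added example, not Monk's own code or policy format: the node names, the `kind` labels (`client` for the browser-delivered frontend, `service` for workloads on the overlay, `external` for third-party APIs), the scope names and the replica expansion are all constructed here to show how a default-deny policy and the public/egress/internal split fall out of the connection graph, and how instance-level rules follow a replica count when a service scales.

```python
"""Derive a default-deny network policy from an application connection graph.

Added illustration, not Monk's own code: node names, Node.kind labels and the
rule classification are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Node:
    name: str
    # "service": runs on the overlay network; "client": runs outside it
    # (e.g. a browser-delivered frontend); "external": third-party endpoint.
    kind: str


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    scope: str  # "public-ingress", "internal-encrypted" or "public-egress"


# Constructed connection graph mirroring the example application on this page.
NODES = {n.name: n for n in [
    Node("frontend", "client"),
    Node("api", "service"),
    Node("db", "service"),
    Node("redis", "service"),
    Node("worker", "service"),
    Node("stripe", "external"),
]}

EDGES = [
    ("frontend", "api"),   # Frontend -> API Server
    ("api", "db"),         # API Server -> Database
    ("api", "redis"),      # API Server -> Redis
    ("worker", "redis"),   # Worker -> Redis
    ("worker", "stripe"),  # Worker -> External API (Stripe)
]


def classify(src: Node, dst: Node) -> str:
    """Map one directed edge of the graph to the kind of path it needs."""
    if src.kind == "service" and dst.kind == "service":
        return "internal-encrypted"   # stays on the overlay, never leaves the private network
    if src.kind == "client" and dst.kind == "service":
        return "public-ingress"       # dst needs an internet-facing port / load balancer
    if src.kind == "service" and dst.kind == "external":
        return "public-egress"        # src needs outbound internet access (NAT gateway)
    raise ValueError(f"unsupported edge {src.name} -> {dst.name}")


def derive_policy(nodes: dict[str, Node], edges: list[tuple[str, str]]) -> list[Rule]:
    """Every edge becomes exactly one allow rule; anything not listed is denied."""
    return [Rule(s, d, classify(nodes[s], nodes[d])) for s, d in edges]


def is_allowed(policy: list[Rule], src: str, dst: str) -> bool:
    """Default deny: a flow is permitted only if the graph has that directed edge."""
    return any(r.src == src and r.dst == dst for r in policy)


def exposure(policy: list[Rule], nodes: dict[str, Node]) -> dict[str, set[str]]:
    """Which services need a public port, which need egress, which stay fully internal."""
    services = {n for n, node in nodes.items() if node.kind == "service"}
    public = {r.dst for r in policy if r.scope == "public-ingress"}
    egress = {r.src for r in policy if r.scope == "public-egress"}
    return {
        "public_ingress": public,
        "needs_egress": egress,
        "internal_only": services - public - egress,
    }


def expand_to_instances(policy: list[Rule], replicas: dict[str, int]) -> set[tuple[str, str]]:
    """Expand internal service-level rules to concrete instance pairs.

    Scaling a service only changes its replica count; the instance-level
    rules are recomputed from the same service-level policy.
    """
    def instances(name: str) -> list[str]:
        return [f"{name}-{i}" for i in range(replicas.get(name, 1))]

    pairs: set[tuple[str, str]] = set()
    for r in policy:
        if r.scope == "internal-encrypted":
            pairs.update(product(instances(r.src), instances(r.dst)))
    return pairs


if __name__ == "__main__":
    policy = derive_policy(NODES, EDGES)
    for r in policy:
        print(f"allow {r.src:>8} -> {r.dst:<8} ({r.scope})")
    print("db -> api allowed?", is_allowed(policy, "db", "api"))   # False: default deny
    print(exposure(policy, NODES))
    print(sorted(expand_to_instances(policy, {"api": 2})))
```

Two properties worth noting: rules are directional (the database never gets an allow toward the API server even though the reverse edge exists), and the public/egress classification is what decides which services get an internet-facing port or a NAT route, so a service with no public edge never receives one.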

### Load Balancing

Monk handles load balancing at multiple levels.

**Cloud-managed load balancers:**

* Uses AWS ALB, GCP Load Balancing, or Azure Load Balancer as appropriate
* Automatically provisioned for public-facing services
* Health checks configured automatically
* SSL/TLS termination when using custom domains

**Internal load balancing:**

* Built-in load balancing between service replicas
* Automatic service discovery — no manual endpoint configuration
* Requests distributed across healthy instances
* Failed instances removed from rotation automatically

**Zero-downtime deployments:**

* Monk orchestrates rolling updates when containers change
* New version starts while the old version still serves traffic
* Traffic switches only after health checks pass
* Old version shuts down gracefully after traffic drains

### Temporary Domains with TLS

Every machine managed by Monk gets a free temporary domain.

**Format:** `<machine-id>.runs.onmonk.io`

**Features:**

* Automatically assigned to each VM
* Free TLS certificates included
* Only active if a workload explicitly opens a port to the internet
* Useful for development, testing, and temporary deployments

**Use cases:**

* Test API endpoints before configuring a custom domain
* Share staging environment URLs with your team
* Quick demos without DNS configuration
* Development environments with HTTPS

<Info>
  These temporary domains are assigned to all machines but only serve traffic if
  your application opens a port publicly. Internal services (databases, workers,
  etc.) don't expose anything via these domains.
</Info>

### Custom Domains with Cloudflare Integration

You can bring your own domain. Monk integrates with Cloudflare to manage DNS and domain setup automatically.

<Warning>Custom domains currently require your domain to be managed by Cloudflare. Support for additional DNS providers is on the roadmap.</Warning>

**Bring your own domain:**

* Use your domain name (e.g., `api.yourapp.com`, `www.yourapp.com`)
* Monk manages your Cloudflare DNS zone
* Automatic DNS record creation and updates
* Free SSL/TLS certificates via Cloudflare

**What Monk handles:**

* DNS zone configuration
* A/AAAA records pointing to your services
* CNAME records for aliases
* SSL/TLS certificate provisioning
* DNS updates when infrastructure changes

**Setup:**

1. Have your domain registered with Cloudflare (or transfer it)
2. Provide Cloudflare API credentials to Monk
3. Tell Monk which domain to use for your app
4. Monk configures DNS and connects your domain to your deployment

When your infrastructure changes (scaling, migration, etc.), Monk updates DNS records automatically.

### Cloud Network Provisioning

Monk provisions cloud networking resources automatically.

**What Monk creates:**

* **VPCs** - Isolated networks for your app
* **Subnets** - Public and private subnets as needed
* **Internet gateways** - For public-facing services
* **NAT gateways** - For private services that need internet access (updates, APIs)
* **Route tables** - Routing between subnets and the internet
* **Security groups** - Firewall rules at instance level
* **Network ACLs** - Additional firewall layer at subnet level

All configured based on your app's architecture. No manual network engineering required.

### API Gateway Integration

Monk uses cloud-managed API gateways when they make sense.

**Supported:**

* AWS API Gateway
* GCP API Gateway
* Azure API Management

**Benefits:**

* Centralized API management
* Rate limiting and throttling
* Request/response transformation
* API versioning support

Monk provisions and configures API gateways when your architecture benefits from them — for example, serverless functions or microservices with many endpoints.

## Built-in Ingress Controller with ModSecurity

Monk's orchestrator includes a built-in ingress controller with ModSecurity WAF (Web Application Firewall) enabled by default on all clusters:

* Automatic WAF protection against common web attacks
* DDoS mitigation at the application layer
* Request filtering and rate limiting
* Zero configuration required

## Related Features

<CardGroup cols={2}>
  <Card title="Configuration & Wiring" icon="diagram-project" href="/features/configuration-and-wiring">
    The connection graph that drives all networking decisions.
  </Card>

  <Card title="Security" icon="shield-halved" href="/features/security">
    Encryption, firewalls, and access control across your infrastructure.
  </Card>
</CardGroup>
