# VPC Connections
CloudWright Deployment Zones allow customers to control the environment into which an application is published. Among the benefits of a custom Deployment Zone is the ability to deploy an Application into a customer-controlled VPC network. This section provides details on why and how to attach a Deployment Zone to a VPC network.
VPC network access from CloudWright applications is an advanced topic. This section provides an overview of how to set up connectivity in different network architectures; for more complicated network infrastructure questions or help setting up a VPC-attached Deployment Zone, please reach out to us at email@example.com.
By default, CloudWright applications are deployed into the CloudWright Managed Deployment Zone, which is not attached to a VPC network. Applications must access network resources over the public internet. If your application only needs to connect to public APIs and cloud services (for example, the Salesforce API and S3), you do not need a Deployment Zone which has VPC access.
However, some customers may have resources which can only be accessed via internal IP addresses — for example, a database hosted internally on 10.x.x.x. In this case, CloudWright Applications must be deployed into the same VPC network as the database in order to connect and make queries.
The default CloudWright Managed Deployment Zone cannot be modified, but by creating a new customer-managed Deployment Zone, customers can attach the new zone to a VPC network. This process is different for AWS and GCP Deployment Zones, as detailed below.
# GCP network access
CloudWright Applications in GCP Deployment Zones are deployed as Google Cloud Functions. Google Cloud Functions connect to resources in a VPC network by attaching to a Serverless VPC Access connector. When a Cloud Function requests resources on internal IP addresses, the requests are routed through the VPC Access connector. Other requests are routed through the public internet.
# Using a VPC Access connector
When creating a customer-managed GCP CloudWright Deployment Zone, you will be prompted to optionally attach a Serverless VPC Access connector to the zone.
If configured, all Applications deployed into this zone will use the supplied connector when trying to access internal resources. A CloudWright Deployment Zone configured to publish into a customer-managed VPC network would look like the following:
# Attaching to a Shared VPC Network
Sophisticated GCP deployments may use a Shared VPC Network to create a single logical network which spans multiple GCP projects. Shared VPC Networks allow GCP users to take advantage of a single logical network while maintaining fine-grained, project-based IAM access controls.
Serverless VPC Access connectors are not supported on Shared VPC networks. However, by using a 'bridge' VPC network, customers can attach Cloud Functions to a non-shared VPC network which uses VPC peering to attach to the Shared VPC network. A GCP Deployment Zone where CloudWright Applications have network access to resources on a Shared VPC network would look like the following:
In this configuration, network traffic from the published application to internal resources will be routed through the bridge VPC network to resources on the Shared VPC network in other projects.
# AWS network access
CloudWright Applications in AWS Deployment Zones are deployed as Lambdas. AWS Lambdas connect to resources in VPC networks by attaching one or more subnet IDs to the Lambda. The Lambda can then connect to resources reachable from those subnets.
When creating an AWS Deployment Zone, you will be prompted for a list of subnet IDs and security group IDs to apply to the deployed Lambda:
When an Application is deployed into the created AWS Deployment Zone, the Application uses the provided subnets to connect to internal resources:
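The routing rule described above for GCP (internal addresses go through the VPC Access connector, everything else through the public internet) and the subnet/security-group requirement for AWS can be checked before publishing. The following is an added example, not CloudWright code; the `DeploymentZone` class, the field names and the sample addresses are assumptions, and it models only RFC 1918 literals as "internal":

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 1918 ranges: the "internal IP addresses" (e.g. 10.x.x.x) from the text
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class DeploymentZone:                                  # hypothetical model of a zone
    provider: str                                      # "gcp" or "aws"
    vpc_connector: Optional[str] = None                # GCP Serverless VPC Access connector
    subnet_ids: List[str] = field(default_factory=list)          # AWS Lambda subnets
    security_group_ids: List[str] = field(default_factory=list)  # AWS Lambda security groups

    def has_vpc_access(self) -> bool:
        """True when the zone is attached to a customer VPC network."""
        if self.provider == "gcp":
            return self.vpc_connector is not None
        if self.provider == "aws":
            # a Lambda placed in a VPC needs both subnets and security groups
            return bool(self.subnet_ids) and bool(self.security_group_ids)
        raise ValueError(f"unknown provider: {self.provider}")

def is_internal(host: str) -> Optional[bool]:
    """True for RFC 1918 literals, False for other IP literals, None for hostnames."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return any(addr in net for net in PRIVATE_RANGES)

def egress_path(zone: DeploymentZone, host: str) -> str:
    """Where traffic to host goes: "internet", "vpc", "unreachable" or "unknown"."""
    internal = is_internal(host)
    if internal is None:
        return "unknown"        # hostname: depends on what DNS resolves it to
    if not internal:
        return "internet"       # non-internal addresses never use the connector/subnets
    return "vpc" if zone.has_vpc_access() else "unreachable"

def check_dependencies(zone: DeploymentZone, hosts: List[str]) -> Dict[str, str]:
    """Map every dependency to its egress path; review any "unreachable" entry before publishing."""
    return {h: egress_path(zone, h) for h in hosts}

if __name__ == "__main__":
    # constructed sample: the managed zone vs. a customer-managed GCP zone
    deps = ["10.20.0.5", "203.0.113.10", "db.internal"]
    print(check_dependencies(DeploymentZone("gcp"), deps))
    print(check_dependencies(DeploymentZone("gcp", vpc_connector="my-connector"), deps))
```

An "unreachable" result means the application depends on an internal address but the zone has no VPC attachment, which is exactly the case where a customer-managed zone is needed.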
For more details on AWS Lambdas and VPC access, please see the AWS documentation or reach out to us at firstname.lastname@example.org.