AWS Network Architecture
This page describes the network infrastructure that Fractal Cloud deploys when you initialize an AWS environment. The architecture follows the AWS Cloud Adoption Framework and Well-Architected Framework recommendations for enterprise landing zones.
Overview
Fractal Cloud deploys a hub-and-spoke topology using AWS Transit Gateway (TGW) as the central routing fabric and a NAT Gateway for centralized internet egress. All network address ranges are allocated dynamically by the built-in IPAM system — no CIDRs are hardcoded.
This page describes the full prod network tier. The default nonprod tier is leaner but topology-equivalent — it replaces the Transit Gateway with free VPC peering and drops the interface VPC endpoints. See Network Tiers.
┌──────────────────────────────────────────────────────┐
│                       Hub VPC                        │
│   Public subnets (multi-AZ)  ─── Internet Gateway    │
│   Private subnets (multi-AZ) ─── NAT Gateway         │
└──────────────────┬───────────────────────────────────┘
                   │
            Transit Gateway
                   │
    ┌──────────────┼──────────────┐
    │              │              │
    ▼              ▼              ▼
Platform        Spoke A        Spoke B
   VPC             VPC            VPC
(Agents)      (Ops Env A)    (Ops Env B)
Hub VPC
The Hub VPC is the network's central routing point. It provides internet connectivity to all spoke VPCs and hosts public-facing infrastructure.
- Multi-AZ deployment — public and private subnets span multiple Availability Zones for high availability
- Internet Gateway — single point of internet ingress for the entire landing zone
- NAT Gateway — centralized internet egress for all private subnets across all VPCs
- Route tables — direct spoke-bound traffic to the Transit Gateway and internet-bound traffic to the NAT Gateway
Platform VPC
The Platform VPC hosts the Cloud Agents and all shared platform services. It has no direct internet access — all outbound traffic routes through the Transit Gateway to the Hub VPC's NAT Gateway.
What Runs Here
- Fractal Cloud Agent — ECS Fargate service that reconciles infrastructure
- Custom Workload Agent — ECS Fargate service for application-level deployments
- PostgreSQL database — agent state and configuration (Aurora Serverless)
- Application Load Balancer — routes traffic to agent services
- Container Registry — agent container images
- VPC Endpoints — private connectivity to AWS services (S3, ECR, CloudWatch, Secrets Manager, STS) to minimize NAT data processing costs
Transit Gateway
The Transit Gateway is the central routing fabric that connects all VPCs in the landing zone:
- Hub-to-spoke connectivity — hub VPC to platform VPC and all operational environment VPCs
- Spoke-to-hub connectivity — operational environments reach the internet and shared services through the hub
- Cross-account spoke support — the TGW is shared with the AWS Organization via AWS Resource Access Manager (RAM), with auto-accept enabled so new spoke attachments from member accounts are accepted without manual approval
- Dynamic route propagation — spoke VPC CIDRs are automatically propagated to the hub route table, so no manual route updates are needed when adding new operational environments
Operational Environment Spoke VPCs
When an Operational Environment is created under a Management Environment:
- A new AWS account is created and placed in the Management Environment's organizational unit
- IPAM allocates a CIDR block from the management environment's address space — non-overlapping with all other VPCs
- A spoke VPC is created with private subnets across multiple Availability Zones
- A TGW attachment connects the spoke VPC to the shared Transit Gateway (auto-accepted)
- Routing is configured — all spoke traffic routes through the hub for internet access
- VPC Endpoints are created to reduce data processing costs
Spoke VPCs have no internet gateway and no NAT gateway — all internet-bound traffic flows through the Transit Gateway to the Hub VPC.
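The allocation step above (a non-overlapping CIDR for each new spoke, then per-AZ private subnets carved from it) can be reproduced with the Python standard library. The block below is an added example, not Fractal Cloud's IPAM code: the pool, the existing allocations and the prefix lengths are constructed sample values, and the rule "lowest free block in the pool that overlaps nothing already allocated" is an assumption about how the allocator chooses among free blocks.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Added example (not Fractal Cloud code): the allocation rule described on the
# page, done with the standard library. The pool and the existing allocations
# used at the bottom are constructed sample values.


def allocate_spoke_cidr(pool: str, allocated: Iterable[str], prefixlen: int) -> ipaddress.IPv4Network:
    """Return the lowest /prefixlen block inside `pool` that overlaps none of `allocated`."""
    parent = ipaddress.ip_network(pool, strict=True)
    taken = [ipaddress.ip_network(c, strict=True) for c in allocated]
    for net in taken:
        # An allocation outside the pool indicates a broken address plan, so fail loudly.
        if not net.subnet_of(parent):
            raise ValueError(f"{net} lies outside the pool {parent}")
    for candidate in parent.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(net) for net in taken):
            return candidate
    raise RuntimeError(f"pool {parent} has no free /{prefixlen}")


def carve_az_subnets(spoke_cidr: str, az_count: int) -> List[ipaddress.IPv4Network]:
    """Split a spoke VPC CIDR into equal-sized private subnets, one per Availability Zone."""
    spoke = ipaddress.ip_network(spoke_cidr, strict=True)
    extra_bits = (az_count - 1).bit_length()  # ceil(log2(az_count)) without float math
    subnets = list(spoke.subnets(new_prefix=spoke.prefixlen + extra_bits))
    return subnets[:az_count]


def find_overlaps(cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Report every pair of CIDRs that overlap; an empty list means the address plan is clean."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


if __name__ == "__main__":
    POOL = "10.0.0.0/8"                        # constructed: management environment's address space
    EXISTING = ["10.0.0.0/16", "10.1.0.0/16"]  # constructed: hub and platform VPCs already allocated
    spoke = allocate_spoke_cidr(POOL, EXISTING, 16)
    print("new spoke VPC:", spoke)
    print("per-AZ subnets:", [str(s) for s in carve_az_subnets(str(spoke), 3)])
    print("overlaps:", find_overlaps(EXISTING + [str(spoke)]))
```

`find_overlaps` is the check worth running against the whole landing zone after every allocation: a spoke that overlaps the hub or another spoke cannot be routed correctly through the Transit Gateway, and route propagation will silently prefer one of the two.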
Live System Placement
When a Live System is deployed into an operational environment:
- Molecule-level Blueprints (no VPC declared) — workloads are automatically placed into the spoke VPC. Subnets are allocated via IPAM within the spoke's address space, sized by the Live System's requirements. All hub-and-spoke connectivity is inherited.
- Atom-level Blueprints (explicit VPC component) — the declared VPC is created as standalone infrastructure, outside the hub-and-spoke topology. The customer manages that VPC's routing and connectivity.
AWS Organizations Integration
Fractal Cloud uses AWS Organizations to structure the account hierarchy:
Organization Root
└── Platform Management
    └── Fractal Cloud Management
        └── Environment OU
            ├── Management Account
            ├── Operational Account A
            ├── Operational Account B
            └── Operational Account C
Each operational environment gets a dedicated AWS account for workload isolation. The Cloud Agents in the management account use cross-account IAM roles to manage resources in each operational account.
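The cross-account roles described above are only as tight as their trust policies: the role in each operational account must be assumable by the agents in the management account and by nothing else. The block below is an added example, not Fractal Cloud's code. It builds such a trust policy and audits an arbitrary one for over-broad principals. The account ID and the role name `FractalCloudAgentRole` are constructed placeholders, and the choice to scope trust to a single role ARN rather than the whole management account is an assumption.

```python
import re
from typing import Any, Dict, List, Optional

# Added example (not Fractal Cloud code). Account IDs and role names are constructed placeholders.
MANAGEMENT_ACCOUNT_ID = "111111111111"     # constructed: the account hosting the Cloud Agents
AGENT_ROLE_NAME = "FractalCloudAgentRole"  # hypothetical name of the agents' task role


def build_trust_policy(management_account_id: str, agent_role_name: str) -> Dict[str, Any]:
    """Trust policy for the role in an operational account: only the agents' role may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:role/{agent_role_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> Optional[str]:
    """Extract the 12-digit account ID from a bare account ID or an IAM ARN."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    parts = principal.split(":")
    if principal.startswith("arn:") and len(parts) >= 6 and re.fullmatch(r"\d{12}", parts[4]):
        return parts[4]
    return None


def audit_trust_policy(policy: Dict[str, Any], management_account_id: str) -> List[str]:
    """Return findings for every Allow statement that lets a principal outside
    the management account assume the role. An empty list means the policy is scoped."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a == "sts:*" or a.lower().startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {idx}: any principal may assume the role")
            continue
        if not isinstance(principal, dict) or "AWS" not in principal:
            findings.append(f"statement {idx}: expected an AWS account principal, got {principal!r}")
            continue
        for entry in _as_list(principal["AWS"]):
            if entry == "*":
                findings.append(f"statement {idx}: wildcard AWS principal")
            elif _account_of(entry) != management_account_id:
                findings.append(f"statement {idx}: principal {entry} is not in the management account")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(MANAGEMENT_ACCOUNT_ID, AGENT_ROLE_NAME)
    print("findings for generated policy:", audit_trust_policy(policy, MANAGEMENT_ACCOUNT_ID))
    loose = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}}
    print("findings for wildcard policy:", audit_trust_policy(loose, MANAGEMENT_ACCOUNT_ID))
```

The permissions policy attached to the same role (what the agents may do once they have assumed it) is the other half of "scoped permissions" and is not covered by this check.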
Security
- No inbound access required — agents initiate all communication outbound over HTTPS
- Network isolation — spoke VPCs are isolated by default and can only reach the hub
- Private subnets only — spoke VPCs have no public subnets and no internet gateway
- Cross-account access — agents authenticate to operational accounts via IAM roles with scoped permissions
- VPC Endpoints — traffic to AWS services stays on the AWS backbone, never traversing the public internet
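The spoke invariants stated in the Operational Environment section and repeated here (no internet gateway, no NAT gateway, every default route pointing at the Transit Gateway) are easy to assert from the EC2 API, which is what a drift or compliance check in the platform account would do. The block below is an added example, not Fractal Cloud's code. The records are constructed and mirror the shape of the EC2 DescribeRouteTables, DescribeInternetGateways and DescribeNatGateways responses, so the same function can be fed the output of boto3's `describe_route_tables`, `describe_internet_gateways` and `describe_nat_gateways`; VPC, route table, gateway and TGW IDs are placeholders.

```python
from typing import Any, Dict, List

# Added example (not Fractal Cloud code). All records and IDs below are constructed
# placeholders shaped like the EC2 Describe* API responses.


def find_spoke_violations(vpc_id: str,
                          route_tables: List[Dict[str, Any]],
                          internet_gateways: List[Dict[str, Any]],
                          nat_gateways: List[Dict[str, Any]]) -> List[str]:
    """Check one spoke VPC against the hub-and-spoke invariants; an empty list means compliant."""
    findings: List[str] = []

    # Invariant 1: no internet gateway may be attached to a spoke.
    for igw in internet_gateways:
        for att in igw.get("Attachments", []):
            if att.get("VpcId") == vpc_id:
                findings.append(f"{igw['InternetGatewayId']} is attached to spoke {vpc_id}")

    # Invariant 2: no NAT gateway may live in a spoke (egress is centralised in the hub).
    for nat in nat_gateways:
        if nat.get("VpcId") == vpc_id and nat.get("State") != "deleted":
            findings.append(f"{nat['NatGatewayId']} exists in spoke {vpc_id}")

    # Invariant 3: every route table in the spoke sends 0.0.0.0/0 to the Transit Gateway.
    for rtb in route_tables:
        if rtb.get("VpcId") != vpc_id:
            continue
        defaults = [r for r in rtb.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if not defaults:
            findings.append(f"{rtb['RouteTableId']}: no default route to the Transit Gateway")
            continue
        for route in defaults:
            if not route.get("TransitGatewayId"):
                target = (route.get("GatewayId") or route.get("NatGatewayId")
                          or route.get("NetworkInterfaceId") or "unknown")
                findings.append(f"{rtb['RouteTableId']}: default route targets {target}, not a Transit Gateway")
            elif route.get("State") != "active":
                findings.append(f"{rtb['RouteTableId']}: default route via {route['TransitGatewayId']} "
                                f"is {route.get('State')}")
    return findings


# Constructed sample: spoke A follows the design, spoke B has an IGW and routes to it.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-spokeA1", "VpcId": "vpc-spokeA", "Routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0abc1234", "State": "active"},
    ]},
    {"RouteTableId": "rtb-spokeB1", "VpcId": "vpc-spokeB", "Routes": [
        {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bad5678", "State": "active"},
    ]},
]
INTERNET_GATEWAYS = [
    {"InternetGatewayId": "igw-0bad5678", "Attachments": [{"VpcId": "vpc-spokeB", "State": "available"}]},
]
NAT_GATEWAYS: List[Dict[str, Any]] = []


if __name__ == "__main__":
    for vpc in ("vpc-spokeA", "vpc-spokeB"):
        print(vpc, find_spoke_violations(vpc, ROUTE_TABLES, INTERNET_GATEWAYS, NAT_GATEWAYS))
```

Run per spoke account with the agents' cross-account role, this check catches the two ways the isolation described above is usually undone in practice: someone attaching an internet gateway to a spoke, or a route table being edited so that 0.0.0.0/0 no longer points at the TGW.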