
Network Tiers

Not every environment needs the full enterprise network stack. A production landing zone should be highly available and privately connected; a nightly smoke-test environment does not need to pay for that redundancy.

Fractal Cloud exposes a networkTier provisioning parameter that lets you right-size the hub-and-spoke network to the criticality of the environment — without changing its topology or the way workloads are wired.

| Tier | Default | Intended for |
|------|---------|--------------|
| nonprod | Yes | Development, staging, ephemeral, and smoke-test environments. Lean, topology-equivalent. |
| prod | No | Production and production-like environments. Full Well-Architected hub-and-spoke. |
info

networkTier is set during Environment Initialization. It defaults to nonprod — opt into prod explicitly for production and production-parity environments.


Why Tiers?

Matching spend to environment criticality is not a compromise on the architecture — it is the architecture. The AWS Well-Architected Framework Cost Optimization pillar explicitly calls for adjusting resource allocation to the value an environment delivers.

A default production network provisions three independent egress and connectivity mechanisms — interface VPC endpoints, a NAT Gateway, and a Transit Gateway. For a high-value, high-traffic production workload that redundancy is correct. For a low-traffic non-prod account it is over-built: you pay a standing baseline for capacity you never exercise.

The nonprod tier removes the redundancy while preserving the parts of the topology that non-prod testing actually exercises — the hub and spoke roles, the centralized-egress pattern, and the security-group and routing model.


What Each Tier Provisions (AWS)

Both tiers deploy a hub VPC and spoke VPCs with centralized egress through the hub. They differ only in the transport between hub and spoke, the egress mechanism, and the AZ count.

| Layer | prod | nonprod | Parity impact |
|-------|------|---------|---------------|
| Topology | Hub + spoke VPCs | Hub + spoke VPCs | Identical |
| Egress model | Centralized via hub | Centralized via hub | Identical pattern |
| Hub ↔ spoke transport | Transit Gateway | VPC peering (no hourly charge) | Transport differs; routing intent same |
| Egress mechanism | Multi-AZ PrivateLink | Single-AZ NAT in hub | Egress path differs |
| Interface VPC endpoints | 5 × multi-AZ | Dropped | AWS APIs reached via hub NAT |
| S3 gateway endpoint | Kept (free) | Kept (free) | Identical |

The nonprod tier differs from prod only in transport (VPC peering instead of Transit Gateway), AZ footprint (a single-AZ NAT instead of the multi-AZ endpoint set), and egress mechanism (NAT instead of interface endpoints). Hub/spoke roles, the centralized-egress pattern, and the SG/routing model are unchanged, so parity testing against a nonprod environment remains representative of production behavior for everything that exercises those layers.

Two parity gaps are worth naming. First, with interface endpoints dropped, nonprod calls to AWS service APIs leave through the hub NAT to AWS's public endpoints (still TLS, but no longer private-only), and there are no VPC endpoint policies to test; anything that depends on endpoint policies or on private-only egress can only be validated in prod. Second, AWS VPC peering has no edge-to-edge routing: traffic arriving over a peering connection cannot use a NAT Gateway or internet gateway in the peered VPC, so a spoke's 0.0.0.0/0 route cannot hand off to a managed NAT Gateway in the hub the way it hands off to the Transit Gateway in prod. Confirm how spoke-originated internet egress is actually carried in your nonprod deployment (for instance a hub-side NAT instance or proxy, which peering does reach) before treating its egress path as representative.
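The provisioning table doubles as a checklist a deployed environment can be tested against. What follows is an added example of that conformance check, not Fractal Cloud's own code: it consumes the dict shapes returned by boto3's EC2 `describe_route_tables`, `describe_vpc_endpoints`, `describe_nat_gateways` and `describe_subnets`, classifies every spoke's default route, counts interface endpoints in the hub, and reports the AZ spread of the hub NAT (the single-AZ exposure the caution under Choosing a Tier describes). The VPC, subnet and gateway IDs, the AZ names and the drift scenario are constructed for the example; `check_tier` and `spoke_default_routes` are this example's own names.

```python
"""Tier-conformance check for an AWS hub-and-spoke network (added example, not
Fractal Cloud code). Inputs use the dict shapes returned by boto3's EC2
describe_route_tables / describe_vpc_endpoints / describe_nat_gateways /
describe_subnets, so it runs offline on the constructed samples below and
unchanged on live API responses."""
import copy
from collections import Counter

# Mirrors the provisioning table: TGW transport and interface endpoints only in prod.
TIER_EXPECTATIONS = {
    "prod":    {"transport": "tgw",     "interface_endpoints": True},
    "nonprod": {"transport": "peering", "interface_endpoints": False},
}

def spoke_default_routes(route_tables, hub_vpc_id):
    """Count, by target type, the active 0.0.0.0/0 routes in every non-hub route table."""
    kinds = Counter()
    for rt in route_tables:
        if rt["VpcId"] == hub_vpc_id:
            continue
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
                continue
            if "TransitGatewayId" in route:
                kinds["tgw"] += 1
            elif "VpcPeeringConnectionId" in route:
                kinds["peering"] += 1
            elif "NatGatewayId" in route:
                kinds["local-nat"] += 1   # spoke runs its own NAT: egress is not centralized
            elif str(route.get("GatewayId", "")).startswith("igw-"):
                kinds["igw"] += 1         # spoke is directly internet-exposed
            else:
                kinds["other"] += 1
    return kinds

def check_tier(tier, hub_vpc_id, route_tables, vpc_endpoints, nat_gateways, subnets):
    """Compare a deployed network with its declared tier; returns a report with findings."""
    expected = TIER_EXPECTATIONS[tier]
    findings = []
    routes = spoke_default_routes(route_tables, hub_vpc_id)
    if routes[expected["transport"]] == 0:
        findings.append(f"no spoke default route via {expected['transport']}")
    for kind, count in routes.items():
        if kind != expected["transport"]:
            findings.append(f"{count} spoke default route(s) via {kind}; {tier} expects {expected['transport']}")
    hub_interface = [ep for ep in vpc_endpoints
                     if ep["VpcId"] == hub_vpc_id and ep["VpcEndpointType"] == "Interface"]
    if expected["interface_endpoints"] and not hub_interface:
        findings.append("prod expects interface VPC endpoints in the hub; none found")
    if not expected["interface_endpoints"] and hub_interface:
        findings.append(f"{len(hub_interface)} interface endpoint(s) in a nonprod hub: paid capacity the tier drops")
    # Distinct AZs holding an available hub NAT. One AZ is the outage trade-off the
    # caution under "Choosing a Tier" describes, so it is reported rather than failed.
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets if s["VpcId"] == hub_vpc_id}
    nat_azs = sorted({az_of[ng["SubnetId"]] for ng in nat_gateways
                      if ng["State"] == "available" and ng["SubnetId"] in az_of})
    if not nat_azs:
        findings.append("no available NAT Gateway in the hub: centralized egress is absent")
    return {"tier": tier, "spoke_default_routes": dict(routes),
            "hub_interface_endpoints": len(hub_interface), "nat_azs": nat_azs, "findings": findings}

# Constructed sample with placeholder IDs: a nonprod hub, two peered spokes, one NAT
# Gateway in one AZ, no interface endpoints, and the free S3 gateway endpoint.
HUB = "vpc-0hub"
NONPROD_SAMPLE = {
    "route_tables": [
        {"RouteTableId": "rtb-0spokea", "VpcId": "vpc-0spokea", "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "VpcPeeringConnectionId": "pcx-0a", "State": "active"}]},
        {"RouteTableId": "rtb-0spokeb", "VpcId": "vpc-0spokeb", "Routes": [
            {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "VpcPeeringConnectionId": "pcx-0b", "State": "active"}]},
        {"RouteTableId": "rtb-0hubpriv", "VpcId": HUB, "Routes": [
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0hub", "State": "active"}]},
    ],
    "vpc_endpoints": [{"VpcEndpointId": "vpce-0s3", "VpcId": HUB, "VpcEndpointType": "Gateway",
                       "ServiceName": "com.amazonaws.eu-west-1.s3"}],
    "nat_gateways": [{"NatGatewayId": "nat-0hub", "VpcId": HUB, "SubnetId": "subnet-0huba", "State": "available"}],
    "subnets": [{"SubnetId": "subnet-0huba", "VpcId": HUB, "AvailabilityZone": "eu-west-1a"},
                {"SubnetId": "subnet-0hubb", "VpcId": HUB, "AvailabilityZone": "eu-west-1b"}],
}

def drifted_sample():
    """Same network after someone pointed spoke B's default route at an internet gateway."""
    drifted = copy.deepcopy(NONPROD_SAMPLE)
    drifted["route_tables"][1]["Routes"][1] = {
        "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0rogue", "State": "active"}
    return drifted

if __name__ == "__main__":
    for tier, sample in (("nonprod", NONPROD_SAMPLE), ("prod", NONPROD_SAMPLE), ("nonprod", drifted_sample())):
        report = check_tier(tier, HUB, **sample)
        print(f"{tier:8} nat_azs={report['nat_azs']} findings={report['findings'] or 'none'}")
```

Against a live account, feed the same functions the `RouteTables`, `VpcEndpoints`, `NatGateways` and `Subnets` lists from the corresponding `ec2.describe_*()` responses. The sample passes as nonprod, fails as prod (peering where a Transit Gateway is expected, no interface endpoints), and the drifted copy surfaces the one spoke that now bypasses centralized egress through its own internet gateway, which is exactly the drift the parity claim depends on not happening.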


Cost Comparison (AWS)

The following is an illustrative monthly baseline for a single AWS account/region, idle, before any workload — it reflects the standing cost of the network stack itself.

| Component | prod ($/mo) | nonprod ($/mo) | Notes |
|-----------|-------------|----------------|-------|
| Interface VPC endpoints | ~129 | 0 | prod: 5 endpoints × 3 AZ = 15 ENIs, billed per ENI-hour. Dropped in nonprod. |
| Transit Gateway | ~86 | 0 | prod: TGW + per-VPC attachments. Replaced by VPC peering in nonprod (no hourly charge). |
| NAT Gateway | ~37 | ~37 | Single centralized NAT in the hub for both tiers. |
| Data processing + Public IPv4 | ~8 | trivial | Scales with traffic; negligible for idle non-prod. |
| Total baseline | ~$260/mo | ~$37/mo | ~85% reduction |
tip

The saving comes entirely from removing the two redundant connectivity layers (interface endpoints and Transit Gateway). The single NAT Gateway — the one mechanism that still provides egress — is retained, so nonprod environments keep working, private, centralized internet access.


Choosing a Tier

  • Use nonprod (default) for evergreen smoke tests, CI environments, short-lived feature environments, and any account whose value does not justify multi-AZ redundant connectivity.
  • Opt into prod for any environment where availability, private-only egress, or multi-account Transit Gateway scale matter — production, and production-parity staging.
caution

nonprod egress runs through a single-AZ NAT Gateway. If that AZ has an outage, internet egress for the environment is interrupted. This is an acceptable trade-off for non-critical environments — opt into prod for anything that needs multi-AZ resilience.

Azure and GCP hub-and-spoke networks already use native peering (VNet peering and VPC peering respectively) that carries no hourly attachment charge (data transfer across the peering is still billed), and private access to provider APIs with no per-endpoint hourly cost (service endpoints on Azure, Private Google Access on GCP), so they do not carry the AWS three-way-redundancy baseline. Their nonprod tier centers on NAT sizing (a single zone for Azure NAT Gateway, a single region for Cloud NAT) rather than on removing a paid transport layer.