Network Tiers
Not every environment needs the full enterprise network stack. A production landing zone should be highly available and privately connected; a nightly smoke-test environment does not need to pay for that redundancy.
Fractal Cloud exposes a networkTier provisioning parameter that lets you right-size the hub-and-spoke network to the criticality of the environment — without changing its topology or the way workloads are wired.
| Tier | Default | Intended for |
|---|---|---|
| nonprod | ✅ | Development, staging, ephemeral, and smoke-test environments. Lean, topology-equivalent. |
| prod | | Production and production-like environments. Full Well-Architected hub-and-spoke. |
networkTier is set during Environment Initialization. It defaults to nonprod — opt into prod explicitly for production and production-parity environments.
Why Tiers?
Matching spend to environment criticality is not a compromise on the architecture — it is the architecture. The AWS Well-Architected Framework Cost Optimization pillar explicitly calls for adjusting resource allocation to the value an environment delivers.
A default production network provisions three independent egress and connectivity mechanisms — interface VPC endpoints, a NAT Gateway, and a Transit Gateway. For a high-value, high-traffic production workload that redundancy is correct. For a low-traffic non-prod account it is over-built: you pay a standing baseline for capacity you never exercise.
The nonprod tier removes the redundancy while preserving the parts of the topology that non-prod testing actually exercises — the hub and spoke roles, the centralized-egress pattern, and the security-group and routing model.
What Each Tier Provisions (AWS)
Both tiers deploy a hub VPC and spoke VPCs with centralized egress through the hub. They differ only in the transport between hub and spoke, the egress mechanism, and the AZ count.
| Layer | prod | nonprod | Parity impact |
|---|---|---|---|
| Topology | Hub + spoke VPCs | Hub + spoke VPCs | Identical |
| Egress model | Centralized via hub | Centralized via hub | Identical pattern |
| Hub ↔ spoke transport | Transit Gateway | VPC peering (free) | Transport differs; routing intent same |
| Egress mechanism | Multi-AZ PrivateLink | Single-AZ NAT in hub | Egress path differs |
| Interface VPC endpoints | 5 × multi-AZ | Dropped — AWS APIs reached via hub NAT | — |
| S3 gateway endpoint | Kept (free) | Kept (free) | Identical |
The nonprod tier differs from prod only in transport (VPC peering instead of Transit Gateway), AZ count (single-AZ NAT instead of multi-AZ), and egress mechanism (NAT instead of interface endpoints). Hub/spoke roles, the centralized-egress pattern, and the SG/routing model are unchanged — so parity testing against a nonprod environment remains representative of production behavior.
Cost Comparison (AWS)
The following is an illustrative monthly baseline for a single AWS account/region, idle, before any workload — it reflects the standing cost of the network stack itself.
| Component | prod ($/mo) | nonprod ($/mo) | Notes |
|---|---|---|---|
| Interface VPC endpoints | ~129 | 0 | prod: 5 endpoints × 3 AZ = 15 ENIs, billed per ENI-hour. Dropped in nonprod. |
| Transit Gateway | ~86 | 0 | prod: TGW + per-VPC attachments. Replaced by free VPC peering in nonprod. |
| NAT Gateway | ~37 | ~37 | Single centralized NAT in the hub for both tiers. |
| Data processing + Public IPv4 | ~8 | trivial | Scales with traffic; negligible for idle non-prod. |
| Total baseline | ~$260/mo | ~$37/mo | ~85% reduction |
The saving comes entirely from removing the two redundant connectivity layers (interface endpoints and Transit Gateway). The single NAT Gateway — the one mechanism that still provides egress — is retained, so nonprod environments keep working, private, centralized internet access.
Choosing a Tier
- Use nonprod (default) for evergreen smoke tests, CI environments, short-lived feature environments, and any account whose value does not justify multi-AZ redundant connectivity.
- Opt into prod for any environment where availability, private-only egress, or multi-account Transit Gateway scale matter — production, and production-parity staging.
nonprod egress runs through a single-AZ NAT Gateway. If that AZ has an outage, internet egress for the environment is interrupted. This is an acceptable trade-off for non-critical environments — opt into prod for anything that needs multi-AZ resilience.
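The following script models the tier decision from the "What Each Tier Provisions", "Cost Comparison" and "Choosing a Tier" sections above in one place: what each tier provisions, which properties must stay identical for parity testing to be representative, the idle baseline from the cost table, and a guardrail that flags a production or production-parity environment left on the default nonprod tier. It is an added example, not Fractal Cloud's own code; the names NetworkPlan, plan_network, parity_check, baseline_cost, saving_percent and validate_tier are assumptions, and the dollar figures are transcribed from the page's illustrative table.

```python
"""Model of the networkTier decision described on this page.

Added example, not Fractal Cloud's own code. All function and class names
are assumed; the per-component dollar figures come from the page's table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkPlan:
    tier: str
    topology: str             # identical in both tiers
    egress_model: str         # identical in both tiers
    transport: str            # hub <-> spoke transport (difference 1)
    egress_mechanism: str     # difference 2
    egress_az_count: int      # difference 3
    interface_endpoints: int  # interface VPC endpoints provisioned
    aws_api_path: str         # how AWS API calls leave the VPC
    s3_gateway_endpoint: bool


def plan_network(tier: str) -> NetworkPlan:
    """What each tier provisions, transcribed from the page's parity table."""
    common = dict(topology="hub+spoke", egress_model="centralized-via-hub",
                  s3_gateway_endpoint=True)
    if tier == "prod":
        return NetworkPlan(tier, transport="transit-gateway",
                           egress_mechanism="multi-az-privatelink", egress_az_count=3,
                           interface_endpoints=5,
                           aws_api_path="private-interface-endpoints", **common)
    if tier == "nonprod":
        return NetworkPlan(tier, transport="vpc-peering",
                           egress_mechanism="single-az-nat-in-hub", egress_az_count=1,
                           interface_endpoints=0,
                           aws_api_path="public-endpoints-via-hub-nat", **common)
    raise ValueError(f"unknown networkTier: {tier!r} (expected 'prod' or 'nonprod')")


# Properties that must match across tiers for nonprod testing to stay representative.
PARITY_FIELDS = ("topology", "egress_model", "s3_gateway_endpoint")


def parity_check(a: NetworkPlan, b: NetworkPlan) -> dict[str, bool]:
    return {f: getattr(a, f) == getattr(b, f) for f in PARITY_FIELDS}


# Illustrative idle monthly baseline per component (USD) from the page's cost table.
# The page's 'trivial' nonprod data-processing cost is modelled as 0.
BASELINE_USD = {
    "interface_vpc_endpoints": {"prod": 129, "nonprod": 0},
    "transit_gateway":         {"prod": 86,  "nonprod": 0},
    "nat_gateway":             {"prod": 37,  "nonprod": 37},
    "data_processing_ipv4":    {"prod": 8,   "nonprod": 0},
}


def baseline_cost(tier: str) -> int:
    return sum(row[tier] for row in BASELINE_USD.values())


def saving_percent(from_tier: str = "prod", to_tier: str = "nonprod") -> float:
    a, b = baseline_cost(from_tier), baseline_cost(to_tier)
    return round(100 * (a - b) / a, 1)


PRODUCTION_CLASSES = {"production", "production-parity"}


def validate_tier(env_class: str, tier: str, *, private_only_egress: bool = False,
                  multi_az_resilience: bool = False) -> list[str]:
    """Findings for a proposed environment-class / networkTier pairing.

    Encodes the 'Choosing a Tier' guidance: production and production-parity
    environments, and any environment that needs private-only egress or
    multi-AZ egress resilience, must opt into prod explicitly.
    """
    plan = plan_network(tier)
    findings = []
    if env_class in PRODUCTION_CLASSES and plan.tier != "prod":
        findings.append(f"{env_class} environment must opt into networkTier=prod "
                        "(the default is nonprod)")
    if multi_az_resilience and plan.egress_az_count < 2:
        findings.append("single-AZ NAT egress: an AZ outage interrupts internet egress")
    if private_only_egress and plan.interface_endpoints == 0:
        findings.append(f"AWS API traffic leaves via {plan.aws_api_path}, "
                        "not private interface endpoints")
    return findings


if __name__ == "__main__":
    for t in ("prod", "nonprod"):
        print(t, plan_network(t), f"~${baseline_cost(t)}/mo")
    print("parity:", parity_check(plan_network("prod"), plan_network("nonprod")))
    print(f"saving prod -> nonprod: {saving_percent()}%")
    print(validate_tier("production", "nonprod", multi_az_resilience=True))
```

Running validate_tier in a pre-provisioning step (for example from the same pipeline that performs Environment Initialization) turns the "opt into prod explicitly" rule into a check rather than a convention; the parity_check output is what a reviewer would look at before trusting nonprod test results as representative.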
Azure and GCP hub-and-spoke networks already use free native peering (VNet peering and VPC peering respectively) and free private-service access, so they do not carry the AWS three-way-redundancy baseline. Their nonprod tier centers on single-AZ / single-region NAT sizing rather than removing a paid transport layer.