Networking

VPC isolation via WireGuard, subnet management with IPAM, security groups with nftables, and NAT gateways.

The Networking service provides VPC isolation, subnet management, security groups, and NAT gateways. All networking is built on WireGuard overlay networks and nftables firewall rules. The Network Agent manages the full network lifecycle.

Features

  • VPC isolation — each VPC is a WireGuard overlay network providing complete isolation between environments
  • Subnet management — divide VPCs into subnets with built-in IPAM (IP Address Management)
  • Security groups — stateful firewall rules implemented via nftables on each host
  • NAT gateway — provides internet access for resources in private subnets
  • Automatic IP allocation — the agent tracks and assigns IPs from subnet CIDRs

Create a VPC

agentmetal vpc create --name prod --cidr 10.0.0.0/16

The Network Agent creates a WireGuard network, generates keys, and prepares the address space for subnets.

Add Subnets

Public Subnet

agentmetal subnet create \
  --vpc prod \
  --name web \
  --cidr 10.0.1.0/24 \
  --type public

Private Subnet

agentmetal subnet create \
  --vpc prod \
  --name data \
  --cidr 10.0.2.0/24 \
  --type private

Public subnets allow direct internet access. Private subnets require a NAT gateway for outbound traffic.

NAT Gateway

Create a NAT gateway to serve private subnets. The gateway itself is placed in a public subnet (here the web subnet created above):

agentmetal nat create --vpc prod --subnet web

The agent configures iptables/nftables rules on a dedicated host to provide source NAT for outbound traffic from private subnets.

Security Groups

Security groups provide stateful firewall rules:

agentmetal sg create --name web-sg --vpc prod \
  --inbound "tcp:80:0.0.0.0/0" \
  --inbound "tcp:443:0.0.0.0/0" \
  --inbound "tcp:22:10.0.0.0/16" \
  --outbound "all:all:0.0.0.0/0"

Rules are applied as nftables chains on each host. Connection tracking ensures return traffic is automatically allowed.
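As an added illustration, not code from the agentmetal project or this page, the following Python turns the proto:port:cidr rule strings shown above into a default-drop, stateful nftables ruleset of the kind the text describes; the table and chain names and the exact rule layout are assumptions, and the parser rejects malformed rules so a typo cannot silently widen a rule.

```python
import ipaddress

# Constructed example: render agentmetal-style security group rules
# ("proto:port:cidr", as on this page) as a stateful nftables ruleset.
# Table/chain names and rule layout are assumptions, not the agent's output.
def parse_rule(rule):
    """Parse 'proto:port:cidr' into (proto, port, network); reject bad input."""
    try:
        proto, port, cidr = rule.split(":")
    except ValueError:
        raise ValueError(f"rule must be proto:port:cidr, got {rule!r}")
    proto = proto.lower()
    if proto not in ("tcp", "udp", "icmp", "all"):
        raise ValueError(f"unsupported protocol in {rule!r}")
    if port != "all":
        if proto not in ("tcp", "udp"):
            raise ValueError(f"port is only valid for tcp/udp: {rule!r}")
        port = int(port)
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range in {rule!r}")
    # strict=True refuses host bits (e.g. 10.0.0.1/8) instead of widening the match
    return proto, port, ipaddress.ip_network(cidr, strict=True)

def _match(proto, port, net, direction):
    """Build the nft match expression; an empty string matches everything."""
    parts = []
    if net.prefixlen != 0:  # 0.0.0.0/0 means any source/destination
        parts.append(f"ip {'saddr' if direction == 'in' else 'daddr'} {net}")
    if proto != "all":
        parts.append(f"{proto} dport {port}" if port != "all" else f"meta l4proto {proto}")
    return " ".join(parts)

def sg_to_nft(name, inbound, outbound):
    """Default-drop chains; conntrack admits return traffic so only initiators need rules."""
    lines = [f"table inet sg_{name.replace('-', '_')} {{"]
    for chain, rules, direction in (("input", inbound, "in"), ("output", outbound, "out")):
        lines += [f"  chain {chain} {{",
                  f"    type filter hook {chain} priority 0; policy drop;",
                  "    ct state established,related accept",
                  "    ct state invalid drop"]
        for r in rules:
            m = _match(*parse_rule(r), direction)
            lines.append("    " + (m + " accept" if m else "accept"))
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(sg_to_nft("web-sg", ["tcp:80:0.0.0.0/0", "tcp:443:0.0.0.0/0",
                               "tcp:22:10.0.0.0/16"], ["all:all:0.0.0.0/0"]))
```

The printed ruleset can be loaded with nft -f on a test host; the tcp:22 rule becomes ip saddr 10.0.0.0/16 tcp dport 22 accept while the two web rules carry no address match because 0.0.0.0/0 means any source.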

What the Agent Manages

The Network Agent performs these operations:

  1. WireGuard setup — generates keypairs, configures WireGuard interfaces, and establishes peer connections between all hosts in a VPC
  2. IPAM — tracks IP address allocation for each subnet, assigns addresses to new resources, and reclaims them on deletion
  3. Subnet routing — configures routing tables so resources in different subnets within the same VPC can communicate
  4. Security group enforcement — translates security group rules into nftables rule sets and applies them to host firewalls
  5. NAT configuration — sets up SNAT/MASQUERADE rules for outbound traffic from private subnets
  6. DNS integration — registers VPC-internal DNS records so resources can communicate by name

VPC Peering

Connect two VPCs to allow resources to communicate across them:

agentmetal vpc peer create --vpc1 prod --vpc2 staging

The agent configures WireGuard peers and routing tables in both VPCs to enable cross-VPC traffic.

List Resources

agentmetal vpc list
agentmetal subnet list --vpc prod
agentmetal sg list --vpc prod