Synthetiq provisions into a VPC and public subnets you provide. By default the stack creates everything else it needs — three /24 private workload subnets, their route table, and a NAT gateway — all visible in the changeset diff before anything is applied. The overrides block lets you reuse existing infrastructure instead. We recommend deploying Synthetiq into its own AWS sub-account — isolated IAM, quotas, billing, and blast radius — and selectively granting access to services in your internal VPCs from your side, via VPC peering, Transit Gateway, or PrivateLink. You can equally provision into an existing VPC, or supply your own private subnets end to end.

Required: a VPC and three public subnets

network:
  vpc: vpc-0abc123
  public_subnets: [subnet-a, subnet-b, subnet-c]

  • Public subnets in at least 3 Availability Zones, each with an internet-gateway route.
  • Three unused /24 blocks within the VPC CIDR for the workload subnets (allocation starts at x.x.128.0) — unless you supply your own.

Reusing an existing NAT gateway

overrides:
  nat: nat-0xyz789

The stack still creates the workload subnets and their route table, but routes egress through this NAT instead of creating a NAT gateway and Elastic IP.

Deploying into existing private subnets

overrides:
  private_subnets: [subnet-p, subnet-q, subnet-r]

Synthetiq creates no networking at all — workloads run in your subnets. overrides.nat cannot be combined with this: egress through your subnets is governed by your route tables. What lands in your subnets:

| Resource | Count | IP consumption |
| --- | --- | --- |
| Fargate task ENIs | One per running app/worker instance | Variable — scales with load |
| Interface VPC endpoint ENIs (metrics delivery) | One per subnet | Fixed — 3 IPs |

Your responsibilities when supplying subnets

  • Egress — each subnet needs a default route (0.0.0.0/0) to your NAT gateway, Transit Gateway, or egress stack, and it must stay in place after provisioning (removing it later breaks deployments and outbound calls). If you filter egress by destination, allow HTTPS to: ECR and S3 (image pulls at task launch), Secrets Manager (secret injection at container start), CloudWatch Logs (log shipping), login.synthetiq.com (user sign-in to apps), and any APIs your apps call.
  • IP capacity — one IP per running task; size for the sum of autoscaling maxima across all services, plus 3 endpoint IPs (≥50 free IPs per subnet recommended). Exhaustion fails gracefully: new launches roll back, running apps are unaffected.
  • Subnet shape — three subnets in three distinct AZs, with no internet-gateway default route (tasks launch without public IPs, so an IGW route means no working egress). Non-default NACLs must allow outbound 443, ephemeral return ports, and port 8080 from your public subnets’ CIDRs.
The pre-flight verifies subnet shape, reports free-IP capacity, and warns (rather than blocks) on egress it can’t statically verify, such as Transit Gateway or inspection architectures.
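An offline check you can run against your own subnet and route-table descriptions before provisioning, as an added example that is not Synthetiq's pre-flight or any of its code: it encodes the requirements above (three subnets in distinct AZs, a 0.0.0.0/0 route that is not an internet gateway, capacity for the sum of autoscaling maxima plus the three endpoint IPs, the 50-free-IP recommendation) and, like the pre-flight, warns rather than blocks on egress targets it cannot verify statically. The subnet data, route targets and IDs other than nat-0xyz789 are constructed; the dict shapes mirror EC2 DescribeSubnets and DescribeRouteTables output.

```python
"""Offline pre-flight for customer-supplied private subnets (added example, not Synthetiq's own)."""

# Constructed sample in the shape of EC2 DescribeSubnets output; IDs and AZs are made up.
SUBNETS = [
    {"SubnetId": "subnet-p", "AvailabilityZone": "us-east-1a", "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-q", "AvailabilityZone": "us-east-1b", "AvailableIpAddressCount": 40},
    {"SubnetId": "subnet-r", "AvailabilityZone": "us-east-1c", "AvailableIpAddressCount": 180},
]
# Routes from each subnet's associated route table (DescribeRouteTables shape), constructed.
ROUTES = {
    "subnet-p": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0xyz789"}],
    "subnet-q": [{"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0aaa111"}],
    "subnet-r": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb222"}],
}
ENDPOINT_IPS = 3        # one interface-endpoint ENI per subnet, fixed
RECOMMENDED_FREE = 50   # free IPs per subnet the docs recommend

def required_ips(autoscaling_maxima):
    """Peak task ENIs (sum of every service's autoscaling maximum) plus endpoint ENIs."""
    return sum(autoscaling_maxima) + ENDPOINT_IPS

def check_subnets(subnets, routes, autoscaling_maxima):
    """Return (errors, warnings): errors are hard requirements, warnings are advisory."""
    errors, warnings = [], []
    if len(subnets) != 3:
        errors.append(f"expected 3 subnets, got {len(subnets)}")
    if len({s["AvailabilityZone"] for s in subnets}) != len(subnets):
        errors.append("subnets must be in distinct Availability Zones")
    need = required_ips(autoscaling_maxima)
    total_free = sum(s["AvailableIpAddressCount"] for s in subnets)
    if total_free < need:
        errors.append(f"{total_free} free IPs across subnets < {need} required at peak")
    for s in subnets:
        sid, free = s["SubnetId"], s["AvailableIpAddressCount"]
        default = [r for r in routes.get(sid, []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if not default:
            errors.append(f"{sid}: no 0.0.0.0/0 route; egress is required")
        elif default[0].get("GatewayId", "").startswith("igw-"):
            errors.append(f"{sid}: default route via internet gateway; tasks have no public IP")
        elif "NatGatewayId" not in default[0]:
            # Transit Gateway / inspection paths cannot be verified statically: warn, don't block.
            warnings.append(f"{sid}: default route target not statically verifiable")
        if free < RECOMMENDED_FREE:
            warnings.append(f"{sid}: {free} free IPs below recommended {RECOMMENDED_FREE}")
    return errors, warnings
```

Feed it the real DescribeSubnets and DescribeRouteTables responses for your three subnets and the autoscaling maximum of every service you plan to deploy; an empty error list means the subnet shape and routing meet the requirements listed above.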