What It Does

Monk creates an encrypted overlay network that spans all your infrastructure — across clouds, regions, and on-premises. Every service talks to every other service securely, no matter where it runs. Zero configuration required. Monk derives all networking from your app’s connection graph and configures routing, firewalls, and load balancing automatically.

How It Works

Encrypted Overlay Network

Monk spans an encrypted overlay network between every VM in your system, regardless of location. Network coverage:
  • Single cloud, single region
  • Single cloud, multi-region
  • Multi-cloud (AWS + GCP + Azure + DigitalOcean)
  • Cloud + on-premises (manual setup required)
Encryption by default:
  • All inter-service communication encrypted automatically
  • No VPN setup required
  • No Tailscale or WireGuard configuration needed
  • Works transparently across cloud provider boundaries
Example: Your API server on AWS us-east-1 can securely reach:
  • PostgreSQL on GCP europe-west1
  • Redis on DigitalOcean nyc1
  • An on-premises legacy system in your datacenter
All connections are encrypted and routed through the overlay network automatically.

Dynamic Routing & Firewall Configuration

Monk configures routing and firewalls dynamically at every level of your infrastructure. Configuration levels:
  • Container level - Network policies between containers
  • Machine level - Host firewall rules
  • Security group level - Cloud provider security groups
  • VPC level - Network ACLs and routing tables
Everything is derived from the connection graph: Monk reads your app’s Configuration & Wiring and determines which services need to talk to each other. For example:
Your application:
  Frontend → API Server → Database
  API Server → Redis
  Worker → Redis
  Worker → External API (Stripe)
Monk configures:
  • Frontend can reach API Server (public endpoint)
  • API Server can reach Database (internal, encrypted)
  • API Server can reach Redis (internal, encrypted)
  • Worker can reach Redis (internal, encrypted)
  • Worker can reach Stripe API (public, via internet gateway)
  • Nothing else can communicate — all other paths blocked by default
Firewall rules are managed automatically:
  • Only required ports open to the internet
  • Internal services stay on the private network
  • Unused ports blocked by default
  • Rules update dynamically as services scale
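The derivation described above, expanded in plain Python as an added illustration (this is not Monk’s own code or its configuration format): the declared connection graph is turned into an explicit allow-list, every undeclared path evaluates to "blocked", and the result is viewed the way a host firewall or security group consumes it (per destination, per port, allowed callers). The service names follow the example application on this page; the port numbers, the `internet` pseudo-source and the `stripe-api` external node are constructed for the example.

```python
"""Derive a default-deny network policy from a service connection graph.

Added illustration, not Monk's code. It models the idea in the text:
read the declared connections, allow exactly those flows, block the rest.
Ports and the "internet" pseudo-source are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: services inside the overlay, the port each listens on,
# and whether it serves an endpoint reachable from the internet.
SERVICES: Dict[str, dict] = {
    "frontend":   {"port": 443,  "public": True},
    "api-server": {"port": 8080, "public": True},
    "database":   {"port": 5432, "public": False},
    "redis":      {"port": 6379, "public": False},
    "worker":     {"port": None, "public": False},  # no listener at all
}
# Third-party destinations outside the overlay, reached via the internet gateway.
EXTERNAL: Set[str] = {"stripe-api"}

# Declared directed edges (caller -> callee); these are the only permitted flows.
CONNECTIONS: List[Tuple[str, str]] = [
    ("frontend", "api-server"),
    ("api-server", "database"),
    ("api-server", "redis"),
    ("worker", "redis"),
    ("worker", "stripe-api"),
]


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]
    path: str  # "public" (internet-facing), "internal" (overlay), or "egress"


def derive_rules(services, external, connections) -> List[Rule]:
    """Expand the connection graph into an explicit allow-list.

    Public services get an ingress rule from the "internet" pseudo-source.
    Fails closed: an edge naming an undeclared service raises instead of
    being skipped, so a typo cannot quietly drop or misroute a flow.
    """
    rules: List[Rule] = []
    for name, spec in services.items():
        if spec["public"] and spec["port"] is not None:
            rules.append(Rule("internet", name, spec["port"], "public"))
    for src, dst in connections:
        if src not in services:
            raise ValueError(f"unknown source service: {src}")
        if dst in external:
            rules.append(Rule(src, dst, None, "egress"))
        elif dst in services:
            spec = services[dst]
            if spec["port"] is None:
                raise ValueError(f"{dst} has no listener but is a connection target")
            path = "public" if spec["public"] else "internal"
            rules.append(Rule(src, dst, spec["port"], path))
        else:
            raise ValueError(f"unknown destination: {dst}")
    return rules


def evaluate(rules, src, dst) -> Tuple[bool, str]:
    """Default-deny lookup: a flow is allowed only if a derived rule matches."""
    for r in rules:
        if r.src == src and r.dst == dst:
            return True, r.path
    return False, "blocked"


def inbound_allowlist(rules) -> Dict[str, Dict[int, Set[str]]]:
    """Per-destination view, the shape a host firewall or security group needs:
    {service: {port: {allowed callers}}}. Any port absent here stays closed."""
    table: Dict[str, Dict[int, Set[str]]] = {}
    for r in rules:
        if r.path == "egress":
            continue
        table.setdefault(r.dst, {}).setdefault(r.port, set()).add(r.src)
    return table


def egress_services(rules) -> Set[str]:
    """Services that need a route out (NAT/internet gateway); all others get none."""
    return {r.src for r in rules if r.path == "egress"}


if __name__ == "__main__":
    rules = derive_rules(SERVICES, EXTERNAL, CONNECTIONS)
    for r in rules:
        print(f"allow {r.src:>10} -> {r.dst}:{r.port} [{r.path}]")
    print("database -> api-server:", evaluate(rules, "database", "api-server"))
    print("inbound table:", inbound_allowlist(rules))
    print("egress needed by:", egress_services(rules))
```

Two points worth noticing when running it: the reverse of a declared edge (`database -> api-server`) is blocked even though the forward edge is allowed, and only `worker` ends up needing an outbound route, which is exactly the information a provisioner needs to decide which subnets get a NAT gateway.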

Load Balancing

Monk handles load balancing at multiple levels. Cloud-managed load balancers:
  • Uses AWS ALB, GCP Load Balancing, or Azure Load Balancer as appropriate
  • Automatically provisioned for public-facing services
  • Health checks configured automatically
  • SSL/TLS termination when using custom domains
Internal load balancing:
  • Built-in load balancing between service replicas
  • Automatic service discovery — no manual endpoint configuration
  • Requests distributed across healthy instances
  • Failed instances removed from rotation automatically
Zero-downtime deployments:
  • Monk orchestrates rolling updates when containers change
  • New version starts while the old version still serves traffic
  • Traffic switches only after health checks pass
  • Old version shuts down gracefully after traffic drains

Temporary Domains with TLS

Every machine managed by Monk gets a free temporary domain.
Format: <machine-id>.runs.onmonk.io
Features:
  • Automatically assigned to each VM
  • Free TLS certificates included
  • Only active if a workload explicitly opens a port to the internet
  • Useful for development, testing, and temporary deployments
Use cases:
  • Test API endpoints before configuring a custom domain
  • Share staging environment URLs with your team
  • Quick demos without DNS configuration
  • Development environments with HTTPS
These temporary domains are assigned to all machines but only serve traffic if your application opens a port publicly. Internal services (databases, workers, etc.) don’t expose anything via these domains.

Custom Domains with Cloudflare Integration

You can bring your own domain. Monk integrates with Cloudflare to manage DNS and domain setup automatically.
Custom domains currently require your domain to be managed by Cloudflare. Support for additional DNS providers is on the roadmap.
Bring your own domain:
  • Use your domain name (e.g., api.yourapp.com, www.yourapp.com)
  • Monk manages your Cloudflare DNS zone
  • Automatic DNS record creation and updates
  • Free SSL/TLS certificates via Cloudflare
What Monk handles:
  • DNS zone configuration
  • A/AAAA records pointing to your services
  • CNAME records for aliases
  • SSL/TLS certificate provisioning
  • DNS updates when infrastructure changes
Setup:
  1. Have your domain registered with Cloudflare (or transfer it)
  2. Provide Cloudflare API credentials to Monk
  3. Tell Monk which domain to use for your app
  4. Monk configures DNS and connects your domain to your deployment
When your infrastructure changes (scaling, migration, etc.), Monk updates DNS records automatically.

Cloud Network Provisioning

Monk provisions cloud networking resources automatically. What Monk creates:
  • VPCs - Isolated networks for your app
  • Subnets - Public and private subnets as needed
  • Internet gateways - For public-facing services
  • NAT gateways - For private services that need internet access (updates, APIs)
  • Route tables - Routing between subnets and the internet
  • Security groups - Firewall rules at instance level
  • Network ACLs - Additional firewall layer at subnet level
All configured based on your app’s architecture. No manual network engineering required.

API Gateway Integration

Monk uses cloud-managed API gateways when they make sense. Supported:
  • AWS API Gateway
  • GCP API Gateway
  • Azure API Management
Benefits:
  • Centralized API management
  • Rate limiting and throttling
  • Request/response transformation
  • API versioning support
Monk provisions and configures API gateways when your architecture benefits from them — for example, serverless functions or microservices with many endpoints.

Built-in Ingress Controller with ModSecurity

Monk’s orchestrator includes a built-in ingress controller with ModSecurity WAF (Web Application Firewall) enabled by default on all clusters:
  • Automatic WAF protection against common web attacks
  • DDoS mitigation at the application layer
  • Request filtering and rate limiting
  • Zero configuration required
