Phacility Cluster Network
Updated 1,089 Days AgoPublic

This document describes the network layout of the Phacility Cluster.


The Phacility cluster is deployed in an AWS VPC.

Most devices only accept connections from other devices within the cluster. Load balancers at the edge of the cluster accept external traffic and relay it to devices within the cluster, which may make additional service calls to other cluster services.

External Interfaces

These devices have external interfaces and accept requests from the public internet.

admin.phacility.comalbHTTP load balancer (ELB). Serves admin HTTP traffic.
bastionbastionManages operational access.
nlb*.phacility.comnlbNotification load balancers.
vault.phacility.comvaultSSH load balancer. Serves VCS SSH traffic.
www.phacility.comcorpHTTP load balancer (ELB). Serves corporate site HTTP traffic.
*.phacility.comlbHTTP load balancer (ELB). Serves most HTTP traffic.
secure.phabricator.comsecureServes the upstream.
phabricator.orgsecureServes marketing copy.
phabricator.comsecureRedirects to
javelinjs.comsecureWas hacked by Chinese.
blog.phacility.comsecureCorporate blog.

Network Layout

This is a general overview of device layout and traffic flow within the network.

For each type of request, traffic enters the network at the perimeter device in the left column, and is forwarded to the "Internal Device" to respond to the request. The internal device may also make requests to one or more devices from the "Service Devices" column to satisfy the request.

Perimeter DevicePerimeter PortInternal DeviceInternal PortService Devices
alb80, 443admin80None
clb80, 443corp80None
lb80, 443web80db, repo
secure22, 80, 443, 2222secureSame HostNone

Connection Restrictions

Connections to devices within the network are restricted. This table summarizes the layers which provide restrictions.

AWS Security RulesAll DevicesDrops most inbound traffic.
iptables RulesNormal DevicesDrops most inbound traffic.
Phabricator RulesApplication ServersRestricts cluster devices and listening interfaces.
rSAAS RulesApplication ServersProvides additional restrictions.
MySQL RulesDatabase ServersPrevents unrecognized connections.
Last Author