Networking & Domains

Load balancing, SSL, custom domains, CDN, and private networking.

Custom Domains

Add any domain to your service:

rf domains add myapp.com
rf domains add api.myapp.com
rf domains add "*.myapp.com"  # Wildcard

✓ Domain added: myapp.com
✓ SSL certificate provisioned (Let's Encrypt)

Add this DNS record:
  CNAME  myapp.com  →  my-app-abc123.raidframe.app

  Or for apex domains (A record):
  A  myapp.com  →  76.42.193.12

Verify DNS

rf domains verify myapp.com

✓ DNS configured correctly
✓ SSL certificate active (expires 2026-06-14)
✓ Traffic routing to: web service (production)

Domain Management

# List all domains
rf domains list

# Remove a domain
rf domains remove old-domain.com

# Assign domain to specific environment
rf domains add staging.myapp.com --environment staging

SSL Certificates

SSL is automatic on every domain. Certificates are provisioned via Let's Encrypt and auto-renewed 30 days before expiry. No configuration needed.

For custom certificates (EV, wildcard, specific CA):

rf domains cert myapp.com --cert ./cert.pem --key ./key.pem --chain ./chain.pem

Load Balancing

Every web service gets a global load balancer. Traffic is distributed across all healthy instances using weighted round-robin with health check awareness.

Load Balancer Configuration

services:
  api:
    load_balancer:
      algorithm: least_connections  # round_robin, least_connections, ip_hash
      sticky_sessions: true
      sticky_cookie: __rf_session
      timeout:
        connect: 5s
        read: 30s
        write: 30s
        idle: 120s
      rate_limit:
        requests_per_second: 100
        burst: 200

Sticky Sessions

For WebSocket and stateful connections:

rf services config api --sticky-sessions true

CDN / Edge Caching

Static assets and cacheable responses are served from 40+ edge locations:

services:
  web:
    cdn:
      enabled: true
      cache_static: true            # Auto-cache *.js, *.css, images, fonts
      cache_rules:
        - path: "/api/products"
          ttl: 60s
          vary: ["Accept", "Accept-Language"]
        - path: "/static/*"
          ttl: 365d

Cache Control

# Purge specific path
rf cdn purge /api/products

# Purge all
rf cdn purge --all

# View cache hit rate
rf cdn stats

CDN Stats (24h)
  Requests:   482,301
  Cache hits:  389,102 (80.7%)
  Bandwidth:   12.4 GB served, 2.4 GB origin

Private Networking

All services within a project communicate over an encrypted private network. Internal traffic never touches the public internet.

web → api.internal:8080         (private)
api → pg-main.internal:5432     (private)
api → redis-cache.internal:6379 (private)
worker → api.internal:8080      (private)

Service discovery is automatic. Reference other services by name: http://api.internal:8080.

Cross-Project Networking

Connect services across different projects:

rf network peer my-app other-app

Firewall Rules

# Allow only specific IPs to access admin service
rf firewall add admin --allow 203.0.113.0/24
rf firewall add admin --allow 198.51.100.1

# Block specific IPs
rf firewall add api --deny 192.0.2.0/24

# View rules
rf firewall list

WAF (Web Application Firewall)

Basic web application firewall rules:

services:
  api:
    waf:
      enabled: true
      rules:
        - block_sql_injection: true
        - block_xss: true
        - rate_limit:
            path: "/api/auth/login"
            max: 10
            window: 60s
        - geo_block: ["CN", "RU"]  # Block by country
        - bot_protection: true

HTTP/3 and gRPC

HTTP/3 (QUIC) is enabled by default on all web services for faster connections.

gRPC services:

services:
  grpc-api:
    type: web
    port: 50051
    protocol: grpc
    health_check:
      grpc: true
PreviousEmail ServiceNextRegions