Networking overview
Loopback networking is designed for private connectivity between your servers without asking every customer to build a full overlay from scratch. The implementation you run today centers on WireGuard meshes managed by the platform, optional bridges between networks in the same organization, and firewall objects that apply layered policy at organization and workspace scope.
This page ties those pieces together for buyers and operators. UI labels may differ by deployment.
Objects you should know
Network
A logical overlay belonging to an organization, with a context:
- Workspace - the network is anchored to one workspace’s hosts.
- Organization - the network spans organization-level use cases (for example shared services).
- System - appears for specialized platform flows in some deployments.
After allocation you will see address family, name, state, assigned CIDR, and whether the platform manages the object for you.
Network bridge
Links two networks in the same organization. Create and delete operations flow through the execution tier so that WireGuard peers can be stitched across meshes.
Firewall and firewall rules
Organization-scoped or workspace-scoped policy objects with ordered rules (protocol, direction, source, destination, action). Hosts can attach additional firewalls; effective policy is layered (see Firewalls).
How workspace networks come to life
For typical v2 workspaces, managed networking is enabled at creation time (often not customer-editable; treat it as part of the template).
When managed networking is enabled during workspace creation, automation:
- Registers a workspace-scoped overlay with IPv4 intent and platform-managed lifecycle.
- Allocates a private IPv4 slice from a shared carrier-grade NAT-style pool and drives the network to an active mesh.
- Distributes per-host WireGuard configuration through the agent.
IPv6: IPv6-only overlays are not accepted on the default path today.
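An operator-side audit of the allocation and bridging rules above, as an added example that is not platform code. It assumes the shared pool is the RFC 6598 range 100.64.0.0/10 and that bridged networks should not overlap; the inventory, its field names and the finding labels are constructed for illustration.

```python
import ipaddress

# Assumption: the "carrier-grade NAT-style" pool is the RFC 6598 range.
ASSUMED_POOL = ipaddress.ip_network("100.64.0.0/10")

# Constructed inventory; field names are hypothetical, not the platform's schema.
NETWORKS = [
    {"name": "ws-a", "org": "org1", "context": "workspace", "cidr": "100.64.0.0/24"},
    {"name": "ws-b", "org": "org1", "context": "workspace", "cidr": "100.64.1.0/24"},
    {"name": "shared", "org": "org1", "context": "organization", "cidr": "100.64.0.128/25"},
    {"name": "ws-c", "org": "org2", "context": "workspace", "cidr": "10.20.0.0/24"},
    {"name": "ws-d", "org": "org2", "context": "workspace", "cidr": "fd00:1::/64"},
]
BRIDGES = [("ws-a", "ws-b"), ("ws-a", "shared"), ("ws-b", "ws-c")]


def audit(networks, bridges, pool=ASSUMED_POOL):
    """Return a sorted list of (check, subject) findings."""
    findings = []
    parsed = {}  # name -> (org, IPv4 network), only for accepted IPv4 overlays
    for net in networks:
        cidr = ipaddress.ip_network(net["cidr"], strict=True)
        if cidr.version != 4:
            # IPv6-only overlays are not accepted on the default path.
            findings.append(("not-ipv4", net["name"]))
            continue
        parsed[net["name"]] = (net["org"], cidr)
        if not cidr.subnet_of(pool):
            findings.append(("outside-pool", net["name"]))
    for a, b in bridges:
        if a not in parsed or b not in parsed:
            findings.append(("bridge-unknown-network", f"{a}<->{b}"))
            continue
        (org_a, cidr_a), (org_b, cidr_b) = parsed[a], parsed[b]
        if org_a != org_b:
            # Bridges link two networks in the same organization.
            findings.append(("bridge-crosses-org", f"{a}<->{b}"))
        if cidr_a.overlaps(cidr_b):
            # Overlapping ranges make routing across the bridge ambiguous.
            findings.append(("bridge-overlapping-cidrs", f"{a}<->{b}"))
    return sorted(findings)


if __name__ == "__main__":
    for check, subject in audit(NETWORKS, BRIDGES):
        print(f"{check}: {subject}")
```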
Organization-level and manual network flows
Some deployments still expose older organization APIs for listing or creating networks. Whether those surfaces are mounted must be confirmed with your operator. Regardless, managed workspace networks on modern templates follow the execution path described above.
Forcing a mesh refresh on a host
The API exposes a host-level operation to re-apply WireGuard configuration: it walks the relevant organization and workspace networks and schedules mesh refresh work for each. Use this when agents missed an update or after significant membership changes (see WireGuard mesh and agents).
Load balancers and “LBFW”
Load balancers can carry allow and block lists of origin CIDRs as part of edge policy. Monitoring can optionally include LBFW-related metrics where the deployment supports them. This is orthogonal to host firewalls: one protects the front door, the other the server.