Existing VPCs and custom networking
How networking works in RunsOn v3, and when to use Terraform / OpenTofu for an existing VPC.
RunsOn still supports custom networking, but the built-in CloudFormation template no longer supports swapping between embedded and external topology in v3.
CloudFormation in v3
The built-in CloudFormation path now always uses embedded networking:
- fixed VPC CIDR: 10.1.0.0/16
- fixed two-AZ topology
- built-in S3 gateway VPC endpoint
- RunsOn-managed public ingress WAF when EnableWAF=true
This is the simplest path and the one most teams should start with.
The built-in template no longer creates EC2 or ECR interface VPC endpoints. If you need those PrivateLink endpoints, manage them with Terraform / OpenTofu or your own networking stack.
When you need an existing VPC
If you need to:
- reuse an existing VPC
- control your own subnet layout
- own the NAT / endpoint / route-table design
- run GHES
- attach a user-managed public ingress Web ACL
- add EC2, ECR, or other interface VPC endpoints
use Terraform / OpenTofu instead of the built-in CloudFormation template.
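As an added illustration (not RunsOn's own module or template code), this is one way to define the EC2 and ECR interface endpoints in an existing VPC with plain AWS provider resources. The variable names `aws_region`, `vpc_id` and `private_subnet_ids` are assumptions, and the VPC is assumed to have DNS support and DNS hostnames enabled so that private DNS works.

```hcl
# Added example: these inputs are assumptions, not RunsOn module variables.
variable "aws_region" {
  type        = string
  description = "Region of the existing VPC, e.g. the region runners launch in"
}

variable "vpc_id" {
  type        = string
  description = "ID of the existing VPC"
}

variable "private_subnet_ids" {
  type        = list(string)
  description = "One private subnet per AZ to host the endpoint network interfaces"
}

data "aws_vpc" "selected" {
  id = var.vpc_id
}

# Endpoint network interfaces only need to accept HTTPS from inside the VPC.
# No egress block is declared, so Terraform leaves the group without egress
# rules; replies to inbound connections are still allowed (stateful).
resource "aws_security_group" "vpc_endpoints" {
  name_prefix = "interface-endpoints-"
  description = "HTTPS from the VPC to interface endpoints"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from the VPC CIDR only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.selected.cidr_block]
  }
}

# EC2 API plus the two ECR endpoints (registry API and Docker registry).
resource "aws_vpc_endpoint" "interface" {
  for_each = toset(["ec2", "ecr.api", "ecr.dkr"])

  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.aws_region}.${each.value}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}
```

ECR serves image layers from S3, so an existing VPC also needs its own S3 gateway endpoint (or another route to S3) for private image pulls to work.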
Migration note for v2 users
If you previously used CloudFormation with NetworkingStack=external and the ExternalVpc* parameters, that path is gone in v3. Plan that upgrade as a migration, not a casual parameter update. The v2 -> v3 migration guide covers the replacement path.