Public cloud — Network

Networking that does what you wrote down.

Managed cloud networking — private networks, gateways, floating IPs, and load balancers — under one operator. Topology defined as code, traffic patterns explained in dashboards, and changes that don't require an outage to verify.

Network as code

Define topology in Terraform or via the API. Reproduce identically across environments.

Encrypted in transit

TLS between services and IPsec across regions. Logged for the evidence pack.

Predictable performance

Reserved bandwidth on private network paths. No noisy-neighbor surprises.

Hybrid by default

Peer to other regions, VPCs, or your on-prem datacenter through one operator.

Five managed services

The whole connectivity layer, under one operator.

Each service is operated end to end — provisioning, monitoring, change management, incident response. Pick the ones you need; the rest stay out of the way.

01

Cloud Networking

FOUNDATION · TOPOLOGY

The umbrella service. Region-aware design, IP plan, segmentation, routing, and DNS — defined as code, deployed consistently, audited continuously.

02

Private Network

VPC · SEGMENTATION

Isolated private network for your workloads. Subnets, route tables, security groups, and flow logs — all of it controlled and visible.

03

Floating IP

PORTABLE · REMAPPABLE

Public IPs you can move between instances or load balancers in seconds. Used for failover, blue-green deployments, and address-stable services.

04

Gateway

INGRESS · NAT · DNS

Managed edge for private networks: NAT for outbound, controlled ingress for inbound, DNS resolution, and traffic policy enforcement.

05

Load Balancer

L4 · L7 · HEALTH CHECKED

L4 and L7 traffic distribution with TLS termination, health checks, sticky sessions, and rules. Built for production traffic, not a side experiment.

01 · Cloud Networking

Topology defined as code. Not in someone's head.

Cloud Networking is the umbrella over the other four services. We start with an IP plan, a segmentation model, and a routing intent — written in Terraform, reviewed in a pull request, applied through the IaC pipeline.

Whatever runs in production today can be replicated to staging tomorrow, byte-for-byte. New regions get added with the same module instead of a new spreadsheet.

  • IP plan and segmentation model designed up front
  • Topology defined in Terraform with reviewed modules
  • Routing intent documented, enforced, and audited
  • DNS zones managed under the same workflow
  • Cross-region peering as a first-class concept
  • Property value enhancement

terraform · network.tf
module "prod_network" {
  source  = "./intsignal-network"
  name    = "prod"
  region  = "us-east-1"

  cidr = "10.0.0.0/16"

  subnets = {
    app  = "10.0.1.0/24"
    api  = "10.0.2.0/24"
    data = "10.0.3.0/24"
  }

  gateway     = true
  flow_logs   = true
  peer_to     = ["prod-eu-west-1"]
}

# Apply → reviewed via IaC pipeline → deployed
✓ plan validated · policy gate passed
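
Added example, not intSignal's code or its actual policy gate: a pre-apply check of the kind a policy gate could run on the module inputs above. The rule set, the function name `check_network`, and the peer's CIDR are assumptions made for illustration.

```python
import ipaddress

def check_network(cfg, peer_cidrs):
    """Return policy violations for one network module's inputs (empty list = pass)."""
    violations = []
    vpc = ipaddress.ip_network(cfg["cidr"])
    subnets = {n: ipaddress.ip_network(c) for n, c in cfg["subnets"].items()}

    # Every subnet must sit inside the network's own CIDR.
    for name, net in subnets.items():
        if not net.subnet_of(vpc):
            violations.append(f"subnet {name} {net} is outside {vpc}")

    # Subnets must not overlap, or segmentation by subnet is ambiguous.
    names = sorted(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                violations.append(f"subnets {a} and {b} overlap")

    # Assumed rule: flow logs may not be switched off.
    if not cfg.get("flow_logs"):
        violations.append("flow_logs must be enabled")

    # A peered network must not share address space with this one,
    # otherwise routes to the peer are ambiguous.
    for peer in cfg.get("peer_to", []):
        if peer not in peer_cidrs:
            violations.append(f"peer {peer} has no known CIDR")
        elif ipaddress.ip_network(peer_cidrs[peer]).overlaps(vpc):
            violations.append(f"peer {peer} overlaps {vpc}")
    return violations

# Inputs copied from the network.tf module on this page.
PROD = {
    "cidr": "10.0.0.0/16",
    "subnets": {"app": "10.0.1.0/24", "api": "10.0.2.0/24", "data": "10.0.3.0/24"},
    "flow_logs": True,
    "peer_to": ["prod-eu-west-1"],
}
# Constructed: the page does not give the peer's address range.
PEERS = {"prod-eu-west-1": "10.1.0.0/16"}
# Constructed bad change: overlapping subnet, out-of-range subnet, logs off.
BAD = dict(PROD, flow_logs=False,
           subnets={**PROD["subnets"], "cache": "10.0.2.128/25", "dmz": "10.2.0.0/24"})

if __name__ == "__main__":
    for label, cfg in (("prod", PROD), ("bad", BAD)):
        print(label, check_network(cfg, PEERS) or "policy gate passed")
```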

PRIVATE NETWORK · SUBNETS (diagram): 10.0.0.0/16 · private network
  • app · 10.0.1.0/24 · .10 .11 .12 · SG: app-to-api · 8080
  • api · 10.0.2.0/24 · .20 .21 .22 · SG: api-to-data · 5432
  • data · 10.0.3.0/24 · .30 .31 · SG: deny-all-ingress

02 · Private Network

Your workloads on a network that's actually private.

Workloads in your private network can talk to each other through internal addresses, with traffic that never touches the public internet. Subnets enforce segmentation. Security groups control which services reach which. Flow logs record what actually happened.

Bandwidth between instances in the same private network isn't best-effort — it's reserved capacity, so a noisy neighbor in someone else's tenancy doesn't degrade yours.

  • Encrypted east-west traffic between workloads
  • Subnet-level segmentation with stateful security groups
  • VPC flow logs captured for forensics and compliance
  • Reserved bandwidth on private network paths
  • Peering to other regions and customer VPCs

03 · Floating IP

An address you control, on a target you can change.

Floating IPs decouple your public address from the instance behind it. Failover happens in seconds — reassign the IP to a healthy target and traffic resumes without DNS propagation or client retry storms.

Same mechanism powers blue-green deployments: spin up the new version on a different instance, validate it, then flip the floating IP. The address your customers know stays the same.

  • Reassign between instances or load balancers in seconds
  • Used for failover, blue-green, and address-stable services
  • Reverse DNS records you control
  • BYOIP option to bring your own IP ranges
  • API-driven so reassignment can be automated

FLOATING IP · FAILOVER (diagram): Floating IP 203.0.113.42 · was here → now here
  • Instance A · v1.4.2 · drained · standby
  • Instance B · v1.4.3 · active · serving traffic
  • reassignment time: ~2 seconds · no DNS change · no client retry

GATEWAY · EDGE (diagram): Internet · Gateway · Private network · 10.0.0.0/16
  • NAT outbound · Firewall ingress rules · DNS resolver
  • no direct exposure to the internet
  • all egress through the gateway · all ingress filtered

04 · Gateway

The edge of your private network, managed.

The Gateway is the controlled door in and out of your private network. NAT for outbound — instances reach the internet through it without exposing themselves. Ingress rules for inbound — only the traffic you want, on the ports you want. DNS resolution sits here too.

This is the surface where most operational network risk lives. We operate it with logging on, policy enforced, and a documented change process — not as a black box.

  • NAT for outbound traffic from private subnets
  • Controlled ingress with stateful firewall rules
  • DNS resolution and zone management
  • Anti-DDoS protection at the edge
  • All access logged for audit and forensics

05 · Load Balancer

Production traffic, distributed without surprises.

L4 for raw TCP/UDP throughput. L7 for HTTP-aware routing, path rules, and host headers. TLS termination, certificate management, health checks, sticky sessions, and rate limits — all configurable, all observable.

The default policy isn't "round-robin and hope" — it's health-checked distribution with sensible failure handling, automatic deregistration of unhealthy targets, and rolling-update support that doesn't drop in-flight requests.

  • L4 and L7 distribution with multiple algorithms
  • TLS termination with managed certificate rotation
  • Health checks with automatic target deregistration
  • Sticky sessions, rate limits, and rule-based routing
  • Rolling updates without dropping in-flight requests

LOAD BALANCER · L7 ROUTING (diagram): Client traffic → Load Balancer · L7 (TLS termination · health checks · rules)
  • /api/* → api pool · 3 healthy · 1 draining · round-robin
  • /static/* → static pool · 2 healthy · least-connections
  • /admin/* → admin pool · 2 healthy · sticky sessions

Day-two operations

What we operate, every day.

Networking failures are usually subtle — a misconfigured route, a tightened security group, a forgotten certificate. These are the operations that catch them before they become outages.

CHANGE MANAGEMENT

Every change reviewed

Network changes flow through the IaC pipeline. Plan generated, policy checked, peer-reviewed, applied to locked state. No console clicks, no surprise security groups.

  • workflow · GitOps

OBSERVABILITY

Flow logs and metrics

VPC flow logs captured for forensics. Per-service metrics (LB latency, gateway throughput, floating IP reassignments) wired into dashboards. Anomalies paged, not buried.

  • retention · configurable

CERTIFICATES

Rotated before expiry

TLS certificates on load balancers and gateways managed and rotated before expiration. No more 2 AM outages because a cert from 18 months ago lapsed.

  • renewal · automated

DDoS PROTECTION

Edge mitigation

Volumetric DDoS absorbed at the edge before it reaches your gateway. Anti-spoofing, rate limiting, and traffic scrubbing as baseline — not as upsell.

  • always-on · transparent

INCIDENT RESPONSE

On-call rotation

Network incidents paged to on-call. Triage, mitigation, and post-incident review. Customers get a status page, not a Slack thread we forget to escalate.

  • coverage · 24/7

AUDIT TRAIL

Every change recorded

Topology changes, security-group edits, certificate rotations, and floating-IP reassignments all captured with timestamps and operator. Part of the monthly evidence pack.

  • format · immutable log

Built for regulated workloads

Hardening and operating practices aligned to the frameworks your assessors recognize. intSignal is not the certified entity for most of these — we deliver the controls and evidence that make your audit possible. Where required, we partner with FedRAMP-authorized providers for federal scoping.

HARDENING

CIS Benchmark

Edge and gateway hardening with documented exceptions.

SOC 2

Aligned to Type II

Change records and evidence cadence ready for audit.

ISO

Aligned to 27001 / 27017

Cloud-services control narratives.

HIPAA

HIPAA-compliant ops

Encryption, access, audit; BAA via partner.

FEDERAL

FedRAMP via partner

Authorized hyperscaler regions integrated.

DATACENTER

Compliant facility

Hosting facility carries its own attestations.

FAQ

Questions network teams ask before signing.

If yours isn't here, ask in the consultation — we'd rather flag the awkward bits early than discover them in production.

Yes — BYOIP is supported. If you have an existing IP range with established reputation and want to keep it, we can announce it from intSignal infrastructure with the appropriate ROA records. The migration is coordinated to avoid traffic blackholes.

Cross-region peering is a first-class feature — encrypted with IPsec, with reserved bandwidth on inter-region paths and no per-byte egress charges between intSignal regions. Peering to hyperscaler regions (AWS, Azure, GCP) is supported through dedicated interconnects.

Site-to-site VPN over IPsec is the default. For higher bandwidth or stricter latency, dedicated cross-connects through carrier partners. Either way, the on-prem network appears as a peered network in your topology, with the same routing and security-group model.

Inbound traffic is free. Outbound traffic is priced per region with no surprise per-byte spikes for inter-region or peered traffic between intSignal networks. Load balancer throughput is included in the service tier you pick; we'll model the cost with you against your actual traffic shape before you commit.

Yes — through approved Terraform modules. Application teams request a new subnet, security group, or load balancer rule by submitting a PR. The platform team owns the underlying topology and policy gates; app teams operate within the boundaries that policy defines.

Service-level objectives are defined per engagement with measurable targets — availability, request latency, and error rates — backed by credits when missed. Specific numbers are part of the contract because they depend on your traffic profile and redundancy choices; we'll walk through what fits in the consultation.

Volumetric attacks are absorbed at the edge before reaching your gateway. Anti-spoofing and rate limiting are baseline. For sophisticated application-layer attacks, the load balancer supports rule-based mitigation (geo-blocking, header inspection, JS challenges) that can be tightened during an incident.

Stop debugging route tables at 2 AM.

Tell us about your current network — regions, hybrid integrations, compliance constraints, and where the pain is today. We'll propose a topology, the migration path, and the cost model.
