Enterprise Network
Apps and databases on Skytells are internet-accessible by default. Every project also includes a private internal network so services can communicate securely without touching the public internet — compliant by design, unlike traditional providers.
Overview
Apps and databases on Skytells are internet-accessible by default. When you deploy a service, Skytells provisions a public endpoint through the reverse proxy automatically — no extra configuration needed to go live.
At the same time, every project comes with a private internal network that all services share from day one. Services can communicate with each other over this internal network using only their service name — without going through the public internet, without manual network setup, and without exposing ports to each other publicly.
You can disable public access on any service at any time to make it reachable only from inside the project. This is what sets Skytells apart from traditional providers: instead of requiring you to build private networking yourself — VPCs, subnets, security groups, firewall rules — the private network exists automatically on every project, and switching a service to internal-only is a single configuration change.
The internal network is available on all plans and all projects. There is no setup required — it is active the moment a project is created.
How It Works
Every project has its own dedicated private network. When you deploy an app or provision a database inside a project, that service joins the project network automatically.
Services within the project reach each other by service name. If your API service is named api, your web app calls it at http://api (or http://api:<port>) without any public IP, DNS record, or credential exchange — even if that API is also reachable from the internet.
Public traffic is routed through a reverse proxy that handles TLS termination and domain routing for all services in the project. By default every service gets a public endpoint. You can remove the public endpoint for any service to make it internal-only — it will still be reachable from sibling services over the private network.
What This Means in Practice
Public by default — every app and database is internet-accessible when deployed. You can start shipping immediately without any networking configuration.
Service discovery by name — apps call each other using the service name as a hostname regardless of their public accessibility. No IP addresses, no DNS setup, no service mesh. The internal network handles resolution automatically.
No manual network configuration — there are no VPCs, subnets, or firewall rules to configure for internal communication. The private network exists the moment the project is created.
Disable public access per service — if a service should not be reachable from the internet (a background worker, an internal API, a database you want locked down), you can disable its public endpoint from the service settings. It remains fully reachable by name from every other service in the project.
Unlike traditional providers — on AWS, GCP, or Azure, private communication between services requires you to provision a VPC, configure subnets, set security group rules, and often install a service mesh or DNS resolver. On Skytells, the internal network is provisioned automatically. Enterprise-level network compliance is the default, not an infrastructure project.
Internal Communication Example
Consider a typical three-tier application deployed inside one project:
- The Web App has a public domain assigned. The reverse proxy routes inbound HTTPS to it.
- The API Service is public by default. The Web App also calls it by service name (http://api) over the private network. You can disable the API's public endpoint if it should only be called internally.
- The Database is internal-only by default. The API connects using a DATABASE_URL environment variable automatically injected by Skytells. Internet access can be enabled explicitly from the database settings when external access is required.
No part of this setup requires you to configure networking manually.
Environment Variables and Service Discovery
Skytells automatically injects connection details for project databases as environment variables into apps in the same project. This is how apps discover and connect to databases without manual coordination.
For example, when you provision a database inside a project, Skytells makes the host, port, name, and credentials available to your apps through standard environment variable names. Your app reads those values at runtime — the connection stays internal.
For cross-service communication between apps (as opposed to databases), services can call each other using internal hostnames. The exact hostname format is surfaced in the Console within the app's configuration.
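A startup check for the discovery model described above, added here as an example and not Skytells code: it reads the injected endpoint variables, strips credentials before anything is reported, and fails closed when a host is not a bare service name. The variable names API_URL and REPORTS_URL, the sample values, and the single-label rule for internal hostnames are assumptions; the Console shows the real hostname format.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: an internal endpoint is a bare, single-label service name, as in
# the page's http://api example; confirm the real format in the Console.

def classify_host(host: str) -> str:
    """Return 'service-name' for a single-label host, else 'other'."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        dotted = "." in host.rstrip(".") or ":" in host
        return "other" if dotted else "service-name"
    return "other"  # IP literal: not name-based discovery

def redact(url: str) -> str:
    """Strip userinfo so injected credentials never reach logs."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host + (f":{parts.port}" if parts.port else "")
    return parts._replace(netloc=netloc).geturl()

def audit_endpoints(env: dict, keys: tuple) -> dict:
    """Map each key to (redacted_url, classification)."""
    report = {}
    for key in keys:
        url = env.get(key)
        host = urlsplit(url).hostname if url else None
        if not host:
            report[key] = (None, "missing" if not url else "invalid")
        else:
            report[key] = (redact(url), classify_host(host))
    return report

def require_service_names(env: dict, keys: tuple) -> dict:
    """Fail closed if any endpoint is not a bare service name."""
    report = audit_endpoints(env, keys)
    bad = {k: v for k, v in report.items() if v[1] != "service-name"}
    if bad:
        raise RuntimeError(f"endpoints not on the internal network: {bad}")
    return report

# Constructed sample environment; API_URL and REPORTS_URL are hypothetical.
SAMPLE_ENV = {
    "DATABASE_URL": "postgres://app:s3cret@db:5432/appdb",
    "API_URL": "http://api:8080",
    "REPORTS_URL": "https://reports.example.com/v1",
}
```

Call `require_service_names(os.environ, ("DATABASE_URL", ...))` before opening any connection so a misconfigured endpoint stops the process instead of sending traffic over the public path.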
Security Boundaries
The internal network is scoped strictly to the project. Services in different projects do not share a network boundary, even if both projects belong to the same account.
Do not place services that belong to separate products or require strict isolation in the same project just for the sake of network proximity. Use separate projects to maintain proper security and access boundaries.
Key properties of the internal network boundary:
- Project-scoped — isolated from other projects on the account.
- Encrypted in transit — internal traffic is encrypted between services.
- Always available — every service in the project can reach every other service by name, whether or not public access is enabled.
Public Access and Ingress
Every service in a project gets a public endpoint through the reverse proxy by default. All external traffic enters through that endpoint. You can disable the public endpoint for any service from the service settings to make it internal-only.
Managing public domains is handled through each app's domain configuration. DNS and TLS are handled by Skytells — you bring the domain, the Console handles routing and certificate provisioning.
Related
- Project Overview — the full project architecture and what it contains.
- Integrations — connect external services to the project.
- Security — platform-wide security architecture.