Networking

How traffic reaches a pod and how clusters are wired. The path is Cloudflare → DO Load Balancer → Envoy Gateway → customer pod; clusters, resold Managed DBs, and telemetry droplets share a per-region /16 VPC (VPC-native, Cilium), with the control-plane VPC peered to each regional VPC.

This tab covers Traffic Flow & TLS (§5), the VPC & IP topology (§4.4), the Gateway architecture (§33), and the Load Balancer lifecycle (§34). Use the left sidebar to navigate.

Load-bearing

TLS is Cloudflare edge plus Origin Certs (no cert-manager). The HTTPRoute-name parse is sensitive to the Envoy Gateway (EG) version: re-verify envoy_cluster_name on any EG bump (§20.2). The HTTPRoute naming contract stays canonical under Shuttle.