Skip to main content

Deployment

The Connector is availabe to customers as a statically linked binary package in a multi-architecture distroless Docker image.

Infrastructure Requirements

  • Operating System: Linux environment
  • Architecture: AMD64 or ARM64
  • Container Runtime: Docker or compatible container runtime

Network Requirements

The Connector requires:
  • Network access to api.joinformal.com (Formal Control Plane)
  • Outbound access to your protected resources
  • Inbound access from clients on configured listener ports
For customers deploying on AWS, the Connector can connect to the Formal Control Plane using AWS VPC Private Link instead of traversing the public internet. This provides enhanced security and network isolation. Service Details:
  • Service Name: com.amazonaws.vpce.eu-west-1.vpce-svc-01bfea09d5ec08d36
  • Region: eu-west-1
  • Endpoint Type: Interface (services that use NLBs or GWLBs)
Setup Steps:
  1. Create VPC Endpoint Using AWS Console:
    • Navigate to VPCEndpointsCreate Endpoint
    • Select Other endpoint services
    • Enter service name: com.amazonaws.vpce.eu-west-1.vpce-svc-01bfea09d5ec08d36
    • Click Verify service
    • Select your VPC and subnets where the Connector is deployed
    • Configure security groups to allow outbound HTTPS traffic (port 443) from the Connector
    • Important: Check Enable Private DNS Name
    • If your VPC is in a region other than eu-west-1, enable Cross-region endpoint and specify eu-west-1 as the target region
    • Review and create the endpoint
  2. Configuration Requirements
    • Private DNS: Must be enabled for proper DNS resolution of Control Plane endpoints
    • Cross-region Support: Required if your VPC is in any region other than eu-west-1
    • Security Groups: Must allow outbound HTTPS (port 443) from Connector to VPC endpoint
    • Network ACLs: Ensure subnet ACLs permit traffic to/from the VPC endpoint
  3. Verify Connectivity Once the endpoint is in Available state, test from your Connector instance: 
    # Verify DNS resolves to private IP
nslookup api.joinformal.com

# Test HTTPS connectivity
curl -v https://api.joinformal.com
The VPC endpoint uses Private DNS to automatically redirect api.joinformal.com traffic through the private connection. No configuration changes are needed on the Connector side.
For cross-region deployments (regions other than eu-west-1), you must enable the cross-region endpoint feature and specify eu-west-1 as the target region, or the connection will fail.

Resource Requirements

The Connector requires adequate resources to apply policies with minimal latency and maintain all necessary context in RAM (control plane data, queries metadata, responses data, etc.).
SpecMinimumRecommended
CPU1 core2 cores per node (2 nodes)
RAM2 GB4 GB per node (2 nodes)
CPU Throttling Warning: If you don’t allocate entire CPU cores to the Connector and rely on CPU throttling (e.g., CFS quotas on Linux, CPU limits in Kubernetes), you will most likely experience increased latency and timeouts during peak loads.

Production Recommendations

For production deployments, we recommend:
  • High Availability: Run at least 2 nodes behind a load balancer
  • Resource Allocation: 2 CPU cores and 4 GB RAM per node
  • Load Distribution: Distribute traffic across multiple Connector instances
CPU and RAM requirements vary based on usage patterns, query types, traffic volume, and enforced policies. Monitor your Connector performance and scale resources as needed.
When deploying multiple instances, Connectors attempt automatically to form a cluster with shared state. It enables Connectors to coordinate rate limiting across all instances. See the Clustering page for details.

AWS ECS Fargate

Deploy as a Fargate service behind a Network Load Balancer with multi-AZ availability

Kubernetes

Deploy using Formal Helm charts on any Kubernetes cluster (EKS, GKE, AKS, on-premises).

Docker

Run as a standalone container (development/testing only)
See the Quickstart guide for step-by-step deployment instructions.

Environment Variables

The Connector is configured primarily through the Control Plane, but requires the following environment variable:
VariableTypeDescription
FORMAL_CONTROL_PLANE_API_KEYStringAPI token to authenticate with the Control Plane (obtained when creating the Connector)