Skip to content
Watasu Docs

Private Networking

Not every service should be on the public internet. Watasu lets one app expose private TCP services and another app reach them — without DNS, certificates, or VPC plumbing.

Private TCP processes

Section titled “Private TCP processes”

Any process whose name ends in -tcp is a private TCP service:

web:      bundle exec puma
grpc-tcp: bundle exec grpc_server

grpc-tcp is reachable from inside your team’s runtime, but not from the public internet. There’s no public DNS name and no TLS certificate — it’s a raw TCP endpoint exposed to other apps that you explicitly trust.

Common uses:

  • internal gRPC service consumed by a public API
  • private job intake for a worker fleet
  • admin-only RPC between control and data planes
  • microservice-to-microservice calls within a team

Granting trust

Section titled “Granting trust”

For an app to reach another app’s *-tcp processes, the source app must trust the target.

From inside the source app’s repo (or with --app):

Terminal window
watasu apps:trust --app api-app

This authorizes the current/named app to reach *-tcp services on api-app. Trust is directionalapi-app doesn’t gain anything from being the target.

Picking the right process suffix

Section titled “Picking the right process suffix”

Use this rule:

What you’re doingProcess name
Public HTTP/WebSocket trafficweb or *-web
Internal service-to-service traffic*-tcp (with explicit trust)
WebRTC / UDP / real-time*-rtc (see Real-Time and WebRTC)
Background work nothing calls intoany other name (typically worker)

The temptation to “just expose it on the public web with a hard-to-guess path” is real, but it’s a worse default. *-tcp is the same effort, narrower blast radius, and easier to reason about when an audit happens.

Microservices without the platform tax

Section titled “Microservices without the platform tax”

Watasu’s process model gives you most of what microservice deployments need without a service mesh:

  • Service discovery — apps in the same team find each other by app name
  • Network isolation*-tcp is private by default; trust opens the door explicitly
  • Independent scaling — each app scales its own pods, sizes, and replica counts
  • Independent deploys — each app has its own Git push, release, and rollback timeline

For most teams that’s enough. If you outgrow it, your container images are still standard containers — nothing here locks you into Watasu.

What private networking doesn’t do

Section titled “What private networking doesn’t do”

It doesn’t replace authentication. Trust controls reachability; your app still needs to authorize callers (e.g. mTLS, signed tokens, shared secrets) for anything sensitive.