Skip to main content

Networking Configuration

This guide explains Agenta's network topology, how containers communicate with each other, and the environment variables that control networking behavior and connectivity.

Network Topology

Agenta uses a Docker-based network architecture with a dedicated bridge network for container communication and Traefik as the reverse proxy for external access.

┌─────────────────────────────────────┐
│ External Users │
└─────────────────┬───────────────────┘
│ HTTPS/HTTP
┌─────────────────▼───────────────────┐
│ Host Server (80/443) │
└─────────────────┬───────────────────┘

┌─────────────────────────────────────────▼───────────────────────────────────┐
│ agenta-network (bridge) │
│ │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ Traefik (Reverse Proxy) │ │
│ │ HTTP: 80 -> HTTPS: 443 -> Dashboard: 8080 │ │
│ │ SSL termination and routing │ │
│ └─┬─────────────────────┬─────────────────────┬─────────────────────────┘ │
│ │ │ │ │
│ │ / │ /api/ │ /services/ │
│ ▼ ▼ ▼ │
│ ┌─────────────┐ ┌─────────────┐ ┌────────────────────┐ │
│ │ Web │ │ API │ │ Services API │ │
│ │ :3000 │ │ :8000 │ │ :8080 │ │
│ └─────────────┘ └──────┬──────┘ └─────────┬──────────┘ │
│ │ │ AGENTA_RUNNER_URL │
│ │ Redis queues ▼ │
│ │ / streams ┌─────────────────┐ │
│ │ │ runner :8765 │ │
│ │ │ (internal only) │ │
│ │ └────────┬────────┘ │
│ │ │ │
│ ▼ │ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ Worker Pool │ │
│ │ worker-evaluations, worker-tracing, worker-webhooks, │ │
│ │ worker-events, worker-records, worker-interactions, │ │
│ │ worker-triggers, cron │ │
│ └─────────────────────────┬────────────────────────────────────────────┘ │
│ │ │ (from runner) │
│ ▼ ▼ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ Infrastructure Layer │ │
│ │ │ │
│ │ ┌──────────────┐ ┌──────────────────┐ ┌────────────┐ ┌────────────┐ │ │
│ │ │ PostgreSQL │ │ Redis │ │SuperTokens │ │ seaweedfs │ │ │
│ │ │ :5432 │ │ :6379 / :6381 │ │ :3567 │ │ :8333 │ │ │
│ │ │Core+Tracing │ │queues + caching │ │auth+sess │ │bundled or │ │ │
│ │ │ DB │ │ │ │ │ │external S3 │ │ │
│ │ └──────────────┘ └──────────────────┘ └────────────┘ └────────────┘ │ │
│ └──────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘

Container Communication Patterns

External Access Flow

Internet → Traefik (80/443) → Internal Services
├── / → web:3000 (Frontend)
├── /api/ → api:8000 (Backend API)
└── /services/ → services:8080 (includes completion/chat endpoints)

Internal Service Communication

Web Container:
├── → api:8000 (Backend API calls)
└── → services:8080 (Playground and model interaction endpoints)

API Container:
├── → postgres:5432 (Database operations)
├── → redis-volatile:6379, redis-durable:6381 (queues, streams, caching)
├── → supertokens:3567 (Authentication)
└── → worker pool (Task delegation via queues/streams)

Services API Container:
├── → postgres:5432 (agent and service state)
├── → LLM providers (model calls)
└── → runner:8765 (agent run dispatch via AGENTA_RUNNER_URL)

Runner:
├── → seaweedfs:8333 or external S3 endpoint (durable storage mount)
└── → api:8000 (session record writes)

Worker Pool:
├── → redis-volatile:6379, redis-durable:6381 (task and event consumption)
├── → postgres:5432 (Data access)
├── → api:8000 (coordination and shared backend logic)
└── → external webhook destinations (worker-webhooks)

Network Environment Variables

External Access Configuration

These variables control how external users access Agenta:

VariablePurposeExampleDescription
TRAEFIK_DOMAINDomain routinglocalhost, agenta.mydomain.comPrimary domain for routing
TRAEFIK_PORTHTTP port80External HTTP port
TRAEFIK_HTTPS_PORTHTTPS port443External HTTPS port
AGENTA_API_URLAPI endpointhttp://localhost/apiExternal API URL
AGENTA_WEB_URLFrontend URLhttp://localhostExternal frontend URL
AGENTA_SERVICES_URLServices URLhttp://localhost/servicesExternal services URL template
AGENTA_API_INTERNAL_URLInternal API URL between services and backendhttp://api:8000/apiInternal API URL
DOCKER_NETWORK_MODEDocker network mode hint for runtime URL logicbridgeShould be bridge for compose-based deployments

Internal Service Communication

These variables configure how containers communicate internally. Use REDIS_URI for a single Redis instance, or split with the volatile/durable URLs for separate caches and queues.

VariablePurposeExampleDescription
POSTGRES_URI_CORECore databasepostgresql+asyncpg://user:pass@postgres:5432/agenta_coreCore database connection
POSTGRES_URI_TRACINGTracing databasepostgresql+asyncpg://user:pass@postgres:5432/agenta_tracingTracing database connection
POSTGRES_URI_SUPERTOKENSAuth databasepostgresql://user:pass@postgres:5432/agenta_supertokensSuperTokens database connection
REDIS_URISingle Redis (fallback)redis://redis:6379/0Used when split URLs are not set
REDIS_URI_VOLATILERedis for caches/channelsredis://redis-volatile:6379/0Falls back to REDIS_URI
REDIS_URI_DURABLERedis for queues/streamsredis://redis-durable:6381/0Falls back to REDIS_URI
SUPERTOKENS_CONNECTION_URIAuth servicehttp://supertokens:3567SuperTokens service URL
AGENTA_RUNNER_URLRunner URLhttp://runner:8765Points the Services API at the agent runner; default in compose, generated from agentRunner.* in Helm
Daytona sandboxes and the remote compose profile

Compose deployments using Daytona remote sandboxes require the remote compose profile, which starts an ngrok tunnel. The remote sandbox mounts durable storage over the public internet, so the store endpoint must be reachable. Railway and Kubernetes deployments expose the store endpoint publicly and do not need ngrok.

Port Mapping (Optional)

These variables control external port exposure for direct access:

VariableDefaultPurposeDescription
POSTGRES_PORT5432Database accessExternal PostgreSQL port (development)
NGINX_PORT80Alternative proxyNginx port (when using Nginx)

Traffic Routing Rules

Traefik Routing Configuration

Frontend Routing

# Route: / → web:3000
Rule: Host(`${TRAEFIK_DOMAIN}`) && PathPrefix(`/`)
Target: web:3000
Processing: Direct forwarding
SSL: Automatic (production)

API Routing

# Route: /api/ → api:8000
Rule: Host(`${TRAEFIK_DOMAIN}`) && PathPrefix(`/api/`)
Target: api:8000
Processing: Strip `/api` prefix
Middleware: Path prefix stripping

Services Routing

# Route: /services/ -> services:8080
Rule: Host(`${TRAEFIK_DOMAIN}`) && PathPrefix(`/services/`)
Target: services:8080
Processing: Strip `/services` prefix

# Examples served by the same services container:
# /services/completion/* -> services:8080/completion/*
# /services/chat/* -> services:8080/chat/*

SSL/TLS Configuration

Development (HTTP)

TRAEFIK_PORT=80
AGENTA_API_URL=http://localhost/api
AGENTA_WEB_URL=http://localhost

Production (HTTPS)

TRAEFIK_PORT=80
TRAEFIK_HTTPS_PORT=443
AGENTA_SSL_DIR=/path/to/certificates
AGENTA_API_URL=https://agenta.mydomain.com/api
AGENTA_WEB_URL=https://agenta.mydomain.com

SSL Certificate Management

  • Automatic: Let's Encrypt via Traefik (HTTP challenge)
  • Storage: ${AGENTA_SSL_DIR}/acme.json
  • Renewal: Automatic every 60-90 days
  • Redirect: HTTP → HTTPS automatic

::: info Network Security The services are isolated within Docker bridge network. None of the services are exposed to the host network (except Traefik) :::

Troubleshooting Network Issues

Connection Testing

# Test database connectivity
docker exec :container-name: nc -zv postgres 5432

# Test Redis connectivity
docker exec :container-name: redis-cli -h redis-volatile -p 6379 ping
docker exec :container-name: redis-cli -h redis-durable -p 6381 ping

Port Conflicts

# Check port usage
sudo netstat -tulpn | grep :80
sudo lsof -i :443

# View container port mappings
docker ps --format "table {{.Names}}\t{{.Ports}}"

Traefik Routing Issues

# Access Traefik dashboard
http://localhost:8080

# Check Traefik logs
docker logs :container-name:

# Verify service registration
curl -s http://localhost:8080/api/http/services

DNS Resolution

# Test external domain resolution
nslookup agenta.mydomain.com
dig agenta.mydomain.com +short

# Test from multiple DNS servers
nslookup agenta.mydomain.com 8.8.8.8
nslookup agenta.mydomain.com 1.1.1.1