Network spaces

Juju models networks using spaces, which can be mapped to one or more subnets of the chosen backing cloud. When a space’s subnets span multiple availability zones, Juju will automatically distribute application units across subnets and zones, thereby providing increased resilience.

From a security standpoint, spaces allow you to restrict an application’s network access. Spaces allow you to configure the model’s network topology to restrict applications to posse only the network connectivity they need.

Here are a few properties to keep in mind:

  • Spaces can contain multiple subnets
  • Subnets are restricted to a single one space
  • All subnets within a space are considered equal in terms of routing

Provider support: Spaces are currently only supported by the MAAS and EC2 providers.

Example: isolating a database from the Internet

Consider a model divided into three segments with distinct security requirements:

  • The “dmz” space for publicly-accessible applications (e.g. HAProxy) providing access to the CMS application behind it.
  • The “cms” space for content-management applications accessible via the “dmz” space only.
  • The “db” space for backend database applications, which should be accessible only by the applications.

HAProxy is deployed inside the “dmz” space, it is accessible from the internet and proxies HTTP requests to one or more Joomla units in the “cms” space. The backend MySQL for Joomla is running in the “db” space. All subnets within the “cms” and “db” spaces provide no access from outside the environment for security reasons.

Adding and listing spaces and subnets

Spaces are created with the add-space command. The following command maps a space called db-space with subnet

juju add-space db-space

To see which spaces have been added, along with any subnets belonging to those spaces, use the juju spaces command. Its output will look similar to the following:

Space    Subnets

To map an existing subnet to a space use the add-subnet command. Here we map subnet to space ‘db-space’:

juju add-subnet db-space

The juju subnets command will list all subnets known to Juju with output similar to the following:

    type: ipv4
    provider-id: "5"
    status: in-use
    space: undefined
    - default
    type: ipv4
    provider-id: "6"
    status: in-use
    space: undefined
    - default

MAAS and spaces

MAAS has a native knowledge of spaces. Within MAAS, spaces can be created, configured, and destroyed. This allows Juju to leverage MAAS spaces without the need to add/remove spaces and subnets. However, this also means that Juju needs to “pull” such information from MAAS. This is done by default upon controller-creation. Run juju reload-spaces to refresh Juju’s knowledge of MAAS spaces and works on a per-model basis.

The reload-spaces command does not currently pull in all information. This is being worked upon. See LP #1747998.


Juju creates bridges for containers only when Juju knows the spaces an application may require, and the container’s bridge for that application will only connect to the required network interfaces.

Using spaces

Once all desired spaces have been added and/or configured they can be called upon by using either a constraint or a binding.

A space constraint, like any other constraint, operates at the machine level. It requests that certain network connections be made available to the Juju machine. When a constraint is used, all application endpoints get associated with the space.

A binding is a space-specific, software level operation and is a more fine-grained request. It associates an application endpoint with a subnet.

  • See examples of using a binding when deploying applications on Deploying to network spaces. For using spaces with bundles go to Charm bundles.
  • The juju bind command allows you to modify an application’s endpoint bindings.

Last updated 7 months ago. Help improve this document in the forum.