Domains & DNS

Pivot's DNS is managed by Cloudflare. Our primary registrar is 101Domain, at least for TLDs that Cloudflare Registry does not support. Most of our DNS routes go to AWS, usually with the Cloudflare proxy.

Accessing Internal Resources

Most resources internal to the Pivot team require authentication with JumpCloud SSO, often using Cloudflare Access. An exception to this is the backend services of the staging environment, which need to be on the public internet so that fetch() requests can be made from frontend apps.

Application DNS Records

pivot.app

  • A record pointing to the Cloudflare Workers deployment of the frontend proxy.
  • The equivalent staging domain is pivot.dev.

app.pivot.app

  • CNAME record pointing to the Expo web app Cloudflare Pages deployment.
  • This domain points to the production environment based on the main branch.
  • This domain is used as a destination for the rewrites that the frontend proxy implements.
  • The equivalent staging domain is app.pivot.dev.

docs.pivot.app

  • CNAME pointing to the Docs site Cloudflare Pages deployment.
  • This domain points to the production environment deployment based on the main branch.
  • This domain is used as a destination for the rewrites that the frontend proxy implements.
  • The equivalent staging domain is docs.pivot.dev.

auth.pivot.app

  • CNAME pointing to the AWS public Elastic Load Balancer (ELB). The ELB then routes requests to the Visa service running in ECS.
  • This domain points to the AWS production environment which is based on the main branch.
  • The equivalent staging domain is auth.pivot.dev.

rpc.pivot.app

  • CNAME pointing to the AWS public Elastic Load Balancer (ELB). The ELB then routes requests to the Friend service running in ECS.
  • This domain points to the AWS production environment which is based on the main branch.
  • The equivalent staging domain is rpc.pivot.dev.

api.pivot.app

  • CNAME pointing to the AWS public Elastic Load Balancer (ELB). The ELB then routes requests to the Rest service running in ECS.
  • This domain points to the AWS production environment which is based on the main branch.
  • The equivalent staging domain is api.pivot.dev.

tnl.pivot.app

  • CNAME pointing to the AWS public Elastic Load Balancer (ELB). The ELB then routes requests to the Tunnel service running in ECS.
  • This domain points to the AWS production environment which is based on the main branch.
  • The equivalent staging domain is tunnel.pivot.dev.

us-east-2.ws.pivot-ws.com and ws.pivot-ws.com

  • CNAME pointing to the AWS public Elastic Load Balancer (ELB). The ELB then routes requests to the Pilot service running in ECS.
  • This domain points to the AWS production environment which is based on the main branch.
  • The equivalent staging domain is ws.staging.pivot-ws.com.

files.pivotusercontent.com

  • CNAME pointing to the AWS CloudFront distribution, which passes all requests to the file-proxy-viewer Lambda@Edge function.
  • This domain points to the AWS production environment which is based on the main branch.
  • The equivalent staging domain is files.pivot.dev.

Administrative DNS Records

admin.pivot.app

  • CNAME pointing to the PivotAdmin Cloudflare Pages deployment.
  • This domain points to the production environment based on the main branch.
  • The production deployment is behind Cloudflare Access.
  • The equivalent staging domain is admin.pivot.dev.

ui.pivot.app

  • CNAME pointing to the Storybook Cloudflare Pages deployment.
  • This domain points to the production environment based on the main branch.
  • The production deployment is behind Cloudflare Access.

engbook.pivot.app

  • CNAME pointing to the Engbook Cloudflare Pages frontend deployment.
  • The production deployment is behind Cloudflare Access.

Custom Frontend Domains

For enterprise customers using our Private Deployment model, the custom domain can be either a pivot.app subdomain or an entirely different FQDN. Either way, the 'root' is simply a CNAME record to the Cloudflare frontend reverse proxy Worker.

Subdomains of the selected custom domain host the organization's backend deployment. Because Facebox knows that these domains correspond to a distinct Visa service deployment, it can advise the frontend of that service's location.

Note that custom domains are distinct from Facebox's domain entity, which represents the organization's control of a domain for the purposes of SSO enforcement and user administration and also applies to the single-tenant Pivot Cloud Platform deployment model. The Visa service enforces SAML SSO if Facebox is configured that way for a specific organization.

Public Block Domains

In our multi-tenant deployment, we use subdomains of the pivot.site domain to host public block URLs. This is important so that the pivot.app domain doesn't get banned if a user creates an abusive public block that an ISP or firewall provider wants to block.

If a user attempts to access https://pivot.app/_/b/123 but isn't logged in or doesn't have direct access, and the block is public, they are redirected to that block at a subdomain of pivot.site, such as https://654.pivot.site/_/b/123.

The subdomain is assigned to the organization by the Facebox service. Each subdomain's DNS routes to the web app (Expo web export) via a wildcard domain *.pivot.site configured in Cloudflare.
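
The redirect decision described above, sketched as an added example (not Pivot's own code). The function name, the context fields, the "serve"/"deny"/"pass" outcomes, the 302 status and the block-path pattern are assumptions; only the hostnames and URL shapes come from this page. The organization's subdomain is validated as a single DNS label before it is placed in the Location header, so a malformed value cannot move the redirect off pivot.site.

```javascript
// Added example, not Pivot's code. decideBlockRoute and its ctx fields are hypothetical.
const APP_HOST = "pivot.app";      // multi-tenant app host (from the page)
const PUBLIC_ROOT = "pivot.site";  // public block root domain (from the page)
const BLOCK_PATH = /^\/_\/b\/[A-Za-z0-9_-]+$/;             // assumed block path shape
const DNS_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;  // exactly one label, no dots

function decideBlockRoute(requestUrl, ctx) {
  const url = new URL(requestUrl);
  const isBlockUrl =
    url.protocol === "https:" &&
    url.hostname === APP_HOST &&
    BLOCK_PATH.test(url.pathname);
  if (!isBlockUrl) {
    return { action: "pass" };     // not a block URL on the app host
  }
  if (ctx.loggedIn && ctx.hasDirectAccess) {
    return { action: "serve" };    // user can see the block on pivot.app
  }
  if (!ctx.blockIsPublic) {
    return { action: "deny" };     // assumed outcome; the page does not describe it
  }
  // The subdomain is assigned per organization by Facebox. Treat it as data:
  // anything that is not one plain DNS label could change the redirect host.
  const label = String(ctx.orgSubdomain || "").toLowerCase();
  if (!DNS_LABEL.test(label)) {
    return { action: "deny" };
  }
  const target = new URL(`https://${label}.${PUBLIC_ROOT}`);
  target.pathname = url.pathname;  // carry the path only; query and fragment are dropped
  return { action: "redirect", status: 302, location: target.toString() };
}
```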