Overview
NATS is an open-source, high-performance, lightweight messaging system optimized for cloud-native architectures. It supports pub/sub, queueing, and request/reply patterns. This template deploys a NATS super cluster using the official NATS image across multiple regions, with each location running independent replicas. JetStream can be enabled for persistent streams, durable consumers, K-V store, and object store — each replica gets its own dedicated volume. By default it exposes a WebSocket interface on port 443 via Control Plane’s TLS termination.What Gets Created
- GVC — A dedicated GVC spanning the configured locations.
- Stateful NATS Workload — A NATS super cluster using the official
natsimage, with per-location replica counts, exposing the client port (4222), cluster port (6222), gateway port (7222), and optionally the WebSocket port (8080). - Volume Set (optional, when JetStream is enabled) — Persistent storage for JetStream data. Each replica gets its own volume, with optional autoscaling.
- Secrets — An opaque configuration secret containing the full NATS server config, and an opaque extra data secret used for the
nats_extra_configblock. - Identity & Policy — An identity bound to the workload with
revealaccess to both secrets.
This template creates a GVC. If you plan to deploy multiple instances, you must assign a unique GVC name for each deployment.
Installation
This template has no external prerequisites. To install, follow the instructions for your preferred method:UI
Browse, install, and manage templates visually
CLI
Manage templates from your terminal
Terraform
Declare templates in your Terraform configurations
Pulumi
Declare templates in your Pulumi programs
Configuration
The defaultvalues.yaml for this template:
Image
image— The NATS container image to use. Defaults to the officialnats:2.11.6-alpineimage. Bump the tag to upgrade the NATS version.
GVC and Locations
gvc.name— Name of the GVC to create. Must be unique per deployment if running multiple instances.gvc.locations— List of locations where NATS replicas will run. Each entry requires:name— The location identifier (e.g.aws-us-east-1).replicas— Number of NATS replicas in that location. Set to0to suspend a location without removing it.
Resources
resources.cpu/resources.memory— CPU and memory allocated to each NATS replica.
JetStream
jetstream.enabled— Whentrue, enables NATS’s built-in persistence layer, adding durable streams, consumers, K-V store, and object store on top of the core pub/sub model. Without it, NATS is purely in-memory.
volumeset).
Streams default to
num_replicas: 1, meaning stream data lives on a single server. For streams that must survive a location outage, set num_replicas to 2 or higher in your application — this is configured per-stream, not in this template.Volume Set
Thevolumeset block applies only when jetstream.enabled: true.
volumeset.capacity— Initial volume size in GiB per replica (minimum 10).volumeset.autoscaling.enabled— Automatically expand the volume as it fills. When enabled:maxCapacity— Maximum volume size in GiB.minFreePercentage— Trigger a scale-up when free space drops below this percentage.scalingFactor— Multiply the current capacity by this factor when scaling up.
WebSocket
nats_defaults.websocket.enabled— Whentrue, exposes a WebSocket endpoint on the configured port. Control Plane handles TLS termination and serves it externally on port 443.nats_defaults.websocket.port— Internal WebSocket port (default:8080).
External Access
allowCIDR— CIDR ranges allowed to reach the WebSocket port from the internet. Defaults to0.0.0.0/0(open to all). Restrict this to limit exposure.
allowCIDR only applies to the WebSocket port. The NATS client port (4222), cluster port (6222), and gateway port (7222) are only accessible internally.Internal Access
internalAccess.type— Controls which workloads can reach NATS on the client (4222), cluster (6222), and gateway (7222) ports:
| Type | Description |
|---|---|
none | No internal access allowed |
same-gvc | Allow access from all workloads in the same GVC |
same-org | Allow access from all workloads in the same organization |
workload-list | Allow access only from specific workloads listed in workloads |
Do not set
internalAccess.type to none. NATS replicas must be able to communicate with each other across the cluster and gateway ports for the super cluster to function.Extra NATS Configuration
nats_extra_config— Any additional valid NATS server configuration appended to the server config at startup. Use this to setmax_payload, configure accounts, or add other NATS server options:
Connecting to NATS
Internally (from workloads in the same GVC), connect on the standard NATS client port:External References
NATS Documentation
Official NATS documentation
JetStream
NATS JetStream persistence and streaming
NATS Template
View the source files, default values, and chart definition