Is there a way to allow traffic only from whitelisted IP addresses for an app? For example, in AWS we can use security groups to block all traffic except from a certain IP range (e.g. allow traffic only from Cloudflare IPs). This prevents a ton of traffic from bots.
I don’t believe so since I asked the same a while back. It would be a nice feature to have.
If you want to see some approaches to being able to limit by IP, there are some replies with some suggestions:
https://community.fly.io/t/best-way-to-allow-access-to-my-app-to-only-certain-ips
Ah, somehow missed your question when I was searching for this in the forum.
This is a bit of a deal breaker for us. After deploying a demo app, I see a ton of calls from bots. These requests eat up bandwidth and processing power, leading to more costs. We really like fly, but this is an absolute essential for us to move our API from AWS.
No problem, I’d like the equivalent of a security group too.
Since there isn’t one, maybe you could proxy via Cloudflare? That may create other problems for you but they seem to be pretty good at blocking bots.
Are you trying to limit an API to internal only use? The “right” way to do this is to connect to the API over the internal private network.
When you enable public services on an app, you get a dedicated IP. The downside to this is that people like to crawl public IP space, so you get a bunch of garbage traffic like you’re seeing. It’s usually low impact, though.
You actually don’t need us to implement IP whitelisting though! You can run API requests through nginx and implement any kind of web filtering you’d like, including IP restrictions if that makes sense for your API. We’ve been meaning to do an example app with that config – we’re just a little overwhelmed and behind at all times these days.
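One way to do what Kurt describes, as an added example rather than anything from Fly or the thread: nginx runs in the same app in front of the API and refuses requests whose client address is not in Cloudflare's published ranges. It assumes the Fly proxy forwards the client address in the `Fly-Client-IP` header, that the API listens only on loopback port 3000, and that nginx is the app's public `internal_port` (8080); the CIDRs are Cloudflare's published IPv4 list at the time of writing and must be refreshed from https://www.cloudflare.com/ips-v4 (and ips-v6) and nginx reloaded when they change.

```nginx
# Constructed example: nginx as an IP allow-list in front of the API.
# Assumption: only the Fly proxy can reach this port, and it sets
# Fly-Client-IP to the real client address. Anything else that can
# reach nginx on the private network could forge that header.
# Refresh these ranges from https://www.cloudflare.com/ips-v4.
geo $http_fly_client_ip $from_cloudflare {
    default           0;   # also used when the header is missing/invalid
    173.245.48.0/20   1;
    103.21.244.0/22   1;
    103.22.200.0/22   1;
    103.31.4.0/22     1;
    141.101.64.0/18   1;
    108.162.192.0/18  1;
    190.93.240.0/20   1;
    188.114.96.0/20   1;
    197.234.240.0/22  1;
    198.41.128.0/17   1;
    162.158.0.0/15    1;
    104.16.0.0/13     1;
    104.24.0.0/14     1;
    172.64.0.0/13     1;
    131.0.72.0/22     1;
}

server {
    listen 8080;   # assumed Fly internal_port

    # Reject bots and scanners hitting the Fly IP directly, before
    # the request ever reaches the API process.
    if ($from_cloudflare = 0) {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;   # assumed API address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $http_fly_client_ip;
    }
}
```

Requests that are rejected still consume a little bandwidth on the Fly edge, but the API itself only sees traffic that arrived via Cloudflare, which is the same effect as the AWS security-group setup described above.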
@greg - we can frontend with Cloudflare, but the problem is that the API is still accessible using the fly IP address / CNAME. We would like to block traffic at this level since bots can still access the API directly bypassing Cloudflare.
@kurt - Nginx is definitely an option, but this adds one more server, cost and moving component to the deployment. A built-in solution like security groups makes the whole process hands-off and we need to worry only about the application and not bother about infrastructure too much.
Our present setup is a public API and uses AWS Elastic Beanstalk behind a load balancer. Only traffic from Cloudflare IPs is allowed in using security groups. This is very easy to manage and I hope fly can provide an option to have this kind of setup in future.
I wanted to share a workaround, though it may be obvious to some.
I implemented authentication with Clerk.
And you can whitelist email addresses in Clerk’s “Allowlist”. This means only those on the allowlist can get past your sign-in/landing page, thus protecting the rest of the app.
Totally free and took me about 30 minutes to get everything up and running.