Can't connect through Digital Ocean firewall with a new organisation running the same service

I have 2 organisations. One for my dev environment and one that I’m trying to set up for live. I’ve set up a hasura service on both of these

I have a separate service running on a digital ocean VM protected by a firewall, which I need both hasura instances to be able to connect to.

The dev organisation was set up a while ago and the hasura that’s running in there can connect to the DO service when I add the external IP to the DO firewall.

The hasura in new organisation cannot connect to the DO service when I add the IP address to the firewall.

Why? As far as I can see I’ve set them up exactly the same.


That does seem strange :thinking:

Do you mean the request goes:

a) request → DigitalOcean →


b) request → → DigitalOcean?

Only the issue you might be running into is that you can whitelist the Fly-provided IP for incoming connections (to the Fly network, on to the VM). Since that is fixed and you know what it is. So that’s fine for (a).

However you can’t get a fixed outgoing IP from Fly. If your setup is (b). You can’t fix the IP the request will come from. You could grab the current one that happens to be used. But that is subject to change so I wouldn’t want to rely on that for production (I assume if you have a dev environment using that approach that’s not so much of a problem as that wouldn’t matter if the IP did change).

Hey @greg thanks for the reply.

The use case is that the hasura service running in fly has to be able to connect to the service running on DO over https.

The thing running on DO has to be protected by a firewall - so it looks like we just simply can’t use fly for this?

1 Like


No problem.

Ah. It would seem not then. Since if your DO server has a firewall that only allows incoming connections from known IPs (e.g is allowed to access port 1234) … you can’t guarantee the IP your Fly VM will use to connect to DO.

You could maybe check this thread for any ideas but I guess it would involve some kind of additional peer/proxy/complexity:

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.