Connection to external MongoDB Database from Fly.io

Hello! I am working on deploying the backend server of my ExpressJS project on Fly.io. The server connects to MongoDB Database (Atlas, the free version). I was successfully connecting to it when running the server locally by simply adding my IP to the Network Access section on MongoDB.

After deploying my server to Fly.io, I was getting errors where the server could not connect to MongoDB due to unauthorized IP. So I set the database to “Allow access from anywhere” and it connected successfully and everything works. But now I am stuck trying to find out how I can connect to the MongoDB database securely without allowing access from any IP. I tried adding the shared public IPv4 associated with my backend fly.io application to MongoDB but this does not work.

Could someone please help me know what options I have to fix this so I can have it set up professionally for the future (scales properly and secure)?

From what I see, fly does not publish outgoing ips, or even a regional ip.

Then there is the fly machine egress-ip list command, but it’s not clear what it means.

I would also at least lock it down to region/country/continent as we run apps in very specific regions.
It is surprising that Fly.io cannot at least indicate a continental list of ip ranges.

That is a fairly new (and long-awaited!) feature of the platform, and it is unfortunately documented only in the forum:

https://community.fly.io/t/static-egress-ips-for-machines/22004

https://community.fly.io/t/egress-ipv4-from-asia-location/24989/3

[Edit: actually, there is now a small subsection in the Machines overview. Sorry, guys!]

Personally, I consider the static egress IP facility to be a crucial primitive that is mainly geared toward advanced users, at least in its present state—but that’s just my own opinion. Many PaaS-style customers (for lack of a better phrase) are surprised by its current limitations and relative inconvenience.

Hope this helps a little!


Aside: Perhaps someone with security expertise can briefly comment on the OP’s implication that a list of allowed IP addresses is really essential to be considered “professional security” these days. 🤔

Thank you for the replies! For anyone else running into issues with connecting their MongoDB Database to Fly.io:

If the Database connects properly when network access is set to “Allow from anywhere” then the main issue is that the shared IP provided in flyctl ips allocate-v4 --shared is the inbound IP and we need an outbound IP to allow access to MongoDB. If we allocate a dedicated IPv4 that would also be inbound as far as I know. Mongo needs a specific outbound IPv4 to allow network access as IPv6 is not allowed for connecting to Mongo.

So, in order to connect securely to Fly.io Machine’s IP specifically, we need to set a static Egress IP for the specific machine using fly machine egress-ip allocate <machine ID>. This will set a specific outbound IP for that machine, which can be given network access by MongoDB database by providing the IPv4 of the egress-ip to MongoDB. This will cost $0.005 per hour for every machine you add the static egress ip to. So, in order to save costs it might be a good idea to proxy, so only have one machine using the IP.

This is all I have come to find about this issue, please correct me if there are any mistakes. Let’s make sure everyone has a well-informed and smooth journey deploying their projects!

1 Like
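
A check to run once the static egress IP from the post above has been added to the Atlas access list, as an added example that is not part of the thread: it confirms the egress IP is covered and flags any entry left wider than a single address, such as the earlier “Allow access from anywhere” rule. The entry shape (`cidrBlock`, `ipAddress`, `comment`) and the function names are assumptions, and all addresses are constructed documentation-range values.

```javascript
// Added example: audit an IP access list against a machine's static egress IPv4.
// Entry shape ({ cidrBlock, ipAddress, comment }) is an assumption for this sketch.

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer; throws on bad input.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// Parse "a.b.c.d/n" (a bare address is treated as /32) into { base, prefix, mask }.
function parseCidr(entry) {
  const [addr, len = "32"] = entry.split("/");
  const prefix = Number(len);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix: ${entry}`);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { base: (ipv4ToInt(addr) & mask) >>> 0, prefix, mask };
}

// Report whether egressIp is covered, plus a finding for every entry that is
// open to the world, broader than /maxPrefix, or unrelated to the egress IP.
function auditAccessList(entries, egressIp, maxPrefix = 32) {
  const target = ipv4ToInt(egressIp);
  const findings = [];
  let egressAllowed = false;
  for (const e of entries) {
    const raw = e.cidrBlock || e.ipAddress;
    if (!raw) continue; // skip entry types that carry no IPv4 value
    const { base, prefix, mask } = parseCidr(raw);
    const covers = ((target & mask) >>> 0) === base;
    if (covers) egressAllowed = true;
    if (prefix === 0) findings.push(`${raw}: open to any IPv4 address`);
    else if (prefix < maxPrefix) findings.push(`${raw}: broader than /${maxPrefix}`);
    else if (!covers) findings.push(`${raw}: does not match the egress IP, confirm it is still needed`);
  }
  return { egressAllowed, findings };
}

// Constructed sample list: the leftover "anywhere" rule, the egress IP, an old range.
const sampleList = [
  { cidrBlock: "0.0.0.0/0", comment: "temporary: allow from anywhere" },
  { ipAddress: "203.0.113.10", comment: "fly machine static egress IP" },
  { cidrBlock: "198.51.100.0/24", comment: "old office range" },
];
console.log(auditAccessList(sampleList, "203.0.113.10"));
```

An empty `findings` array together with `egressAllowed: true` means the list has been reduced to just the machine's outbound address.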

Did this issue pop up since the new Firecracker upgrade 2 days ago?
