Controlling egress and ingress traffic on untrusted Fly Machines

Hello.

I want to build a service, part of which will involve the execution of untrusted code. I want to use Fly Machines for the isolation of this untrusted code compilation-and-execution. Therefore, those Fly Machines will be untrusted.

At the moment, I have 1 Fly App per Fly Machine, which Fly App is the only one in its network. Therefore, I might have thousands of Fly Apps, each with their own network and their own code-execution Fly Machine.

The only problem now is, how exactly do I control egress and ingress traffic on those Fly Machines? It’s not enough to set up a proxy in the Fly Machine itself, because the Fly Machine is assumed to be under the user’s control - and therefore under the control of a would-be attacker.

Can you expand on this? What are you trying to achieve?

If you are looking for networking rules, you can find information here: "New Feature: Network Policies" (Fresh Produce, Fly.io). Do note that these rules do not apply to fly-proxy traffic.

I want to limit egress and ingress bandwidth for machines, and also log all traffic.

That feature link is very interesting, but I can’t find it documented anywhere else. Is the only option to configure port limitations on traffic? I don’t think that’s enough for my requirement.