Create VPC around applications in same fly organization?

We are using Fly Machines to package and run some code from our users. By default, every app inside an organization is networked to each other, and machines can directly talk to other machines within the private network using the hostnames <id>.vm.<app-name>.internal.

Is there a way to disable this behavior or to set up my own VPC around each app that I deploy so that the apps can still have outside internet connectivity, but can’t access other apps or machines in the VPC? Is the workaround to create a new organization for each of my users? If so, is there a way to programmatically do it and is there a limit to the number of orgs I can create?

When you create the App, you can pass a network name to isolate it from other Apps in the Organization. Assuming you’re also using the Machines API to create the app, the field name is network in the request body when POSTing to the /v1/apps endpoint.

I don’t think our DNS is isolated yet based on the networks, so queries will still return results but connectivity will be denied.

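As an added example (not code from this thread or from Fly.io), this is how the per-user isolation described in the answer above could be driven programmatically against the Machines API in Python. The API host, the bearer-token header and the network-name format are assumptions; the thread only says that `network` is the field name in the `POST /v1/apps` body and that it is an org-unique string.

```python
import hashlib
import json
import re
import urllib.request

API_BASE = "https://api.machines.dev"  # assumption: Machines API host


def network_name_for(user_id: str) -> str:
    """Derive a network name that is unique to one user within the organization.

    The thread treats the network field as an opaque, org-unique string; the
    'tenant-<slug>-<hash>' format is our own convention (assumption).
    Sanitizing alone is not enough: 'Alice' and 'alice' would collapse to the
    same slug and silently land on the same private network, so a short hash
    of the raw id is appended to keep distinct tenants apart.
    """
    slug = re.sub(r"[^a-z0-9-]+", "-", user_id.lower()).strip("-")[:24]
    digest = hashlib.sha256(user_id.encode("utf-8")).hexdigest()[:8]
    return f"tenant-{slug or 'user'}-{digest}"


def build_create_app_request(app_name: str, org_slug: str, user_id: str) -> dict:
    """Body for POST /v1/apps; 'network' is the field named in the answer above."""
    return {
        "app_name": app_name,
        "org_slug": org_slug,
        "network": network_name_for(user_id),
    }


def create_isolated_app(token, app_name, org_slug, user_id, api_base=API_BASE):
    """Create the app on its own network. Returns (HTTP status, decoded body)."""
    body = json.dumps(build_create_app_request(app_name, org_slug, user_id)).encode()
    req = urllib.request.Request(
        f"{api_base}/v1/apps",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}",  # assumption: bearer auth
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


if __name__ == "__main__":
    # Constructed sample: show the request body without calling the API.
    print(json.dumps(build_create_app_request("sandbox-alice", "my-org", "alice"), indent=2))
```

Apps created this way still reach the public internet but not each other; the DNS caveat in the answer above (names resolve, connections are refused) applies unchanged.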

Thanks! I think that’s exactly what I’m looking for.

I was trying to find more documentation on the custom network id field; is it just some string that is unique to the organization? By default, if the --network field is omitted when creating an app, that means the app has connectivity to all other apps in the org, right?

Yep!

Correct, every organization has a default network that is used if one is not defined for a specific App.

Thanks! Is there a max number of networks that an org and a fly account as a whole may create?

We do have some limits on the number of Apps an Organization is allowed to create based on plan and use case. If you reach the limit, email support and we’ll help get it worked out.