Creating a machine with SSH

I think that can be done with multiple ports, i.e., by giving each Machine a distinct internal_port+port pair† in its services block.

Thus, the second VM would get:

"services": [
    {
        "protocol": "tcp",
        "internal_port": 2223,
        "ports": [
            {"port": 8023}
        ]
    }
]

Another classic approach is to have a single intermediary Machine that everyone on the outside SSHes into first, and then they SSH again to the specific <machine-id>.vm.<appname>.internal address once they have a shell inside.

(I’ve used both in the past, at different organizations…)


A third thing that should work is to use kernel-mode WireGuard to connect into the whole .internal network. This doesn’t require the flyctl CLI on the clients, but it may give them more access to other stuff than you intended…


†Edit: It would probably be prudent to make the internal_ports on their own be unique, actually. I.e., have only one of them be 2222.
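
A check for the port-uniqueness rule discussed in this post, as an added example that is not part of the original post or of Fly.io's tooling: it takes per-Machine services lists of the shape shown above and reports every external port or internal_port claimed by more than one Machine. The Machine names and port 8022 are constructed sample values, and `find_port_collisions` is a hypothetical helper name.

```python
from collections import defaultdict


def find_port_collisions(machines):
    """Report ports claimed by more than one Machine.

    machines: {machine_name: services_list}, where each service has the
    "protocol", "internal_port" and "ports" keys used in the post above.
    Returns a sorted list of (kind, protocol, port, [machine names]),
    with kind being "external" or "internal".
    """
    external = defaultdict(set)   # (protocol, public port) -> Machines
    internal = defaultdict(set)   # (protocol, internal_port) -> Machines
    for name, services in machines.items():
        for svc in services:
            proto = svc["protocol"]
            internal[(proto, svc["internal_port"])].add(name)
            for entry in svc.get("ports", []):
                external[(proto, entry["port"])].add(name)

    findings = []
    for kind, table in (("external", external), ("internal", internal)):
        for (proto, port), names in table.items():
            if len(names) > 1:
                findings.append((kind, proto, port, sorted(names)))
    return sorted(findings)


# Constructed sample: vm-c reuses vm-b's public port and vm-a's internal_port.
SAMPLE = {
    "vm-a": [{"protocol": "tcp", "internal_port": 2222,
              "ports": [{"port": 8022}]}],
    "vm-b": [{"protocol": "tcp", "internal_port": 2223,
              "ports": [{"port": 8023}]}],
    "vm-c": [{"protocol": "tcp", "internal_port": 2222,
              "ports": [{"port": 8023}]}],
}

if __name__ == "__main__":
    for kind, proto, port, names in find_port_collisions(SAMPLE):
        print(f"{kind} {proto}/{port} is shared by: {', '.join(names)}")
```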