EU / US Isolation for GDPR and HIPAA

Hey,

We have customers in the EU that require us to only use EU based servers and DBs. It is possible to ensure that only EU based users go through EU based regions.

On the flip side. We have been asked about HIPAA and can data only flow through US based regions and DBs.

Is it possible to enforce this kind of isolation on Fly?

I think your best bet would be to deploy two app stacks with different region pools.

This would require you to have different domains for your app (e.g. eu.my.app and us.my.app ) but this is the most common method for high-sensitivity applications that need to be available with isolated data silos in different physical regions.

One way you could streamline management is to leverage your CI to manage deployments across these regions.

For example with github actions you could have something like the following:

name: Deploy Applications
on: [push]

jobs:
 deploy:
   name: Deploy App to Fly
   strategy:
       matrix:
           region: [eu, us]

   steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install flyctl
        uses: superfly/flyctl-actions/setup-flyctl@master
      - name: Generate fly.toml
        run: envsubst fly.template.toml > fly.template.toml
        env:
           REGION: ${{matrix.region}}
      - name: Deploy
        run: flyctl deploy --remote-only


If you then have ${REGION} as a placeholder in fly.template.toml you can generate fly.toml’s for each permutation of the matrix and deploy them similtaneously.

Thanks. Yes, that’s how most people do it but I have seen other companies use some sort of routing to isolate traffic. So they don’t need to do any sub-domains

I was hoping Fly could be that routing. Maybe I will reach out to support@fly.io and see what they say. Unless there is a Fly employee who can jump in on this?