Support the most basic of firewalls: Let apps be declared as private in
fly.toml (and/or provide a nice chonky button to toggle this in the dashboard). Make it a prominent control & non-optional selection during app init.
- Public app (default): Reachable from the public internet on allocated public ips (
appname.fly.dev). The way things work today.
- Private app: Only reachable within organization’s private network. (Up to you if there are still public ips allocated).
Rationale: Prevent oopses like private infra leaking to the public internet as a result of being unintentionally public. I think its a lesson learned by many systems before us (s3, mongo comes to mind, etc). Can find examples browsing this forum too…