I have a question about pricing on the free tier.
In this thread, @kurt from Fly.io says:
With the exception of bandwidth, you only pay for what you manually provision… we probably won’t build a way to prevent accounts from using paid services
So does that mean that some unexpected use of lots of bandwidth will give me a bill, even though I didn’t opt-in to paid services? E.g. say some malicious person or bot finds my app and refreshes it over and over.
Perhaps this situation is unlikely… but I am still a bit worried at the thought of it.
Thanks if anyone has any info, it would be much appreciated.
I don’t have an answer but I would also be curious to know if the Fly.io team has any plans about this, I would love to be able to cap the maximum amount of outbound bandwidth to prevent any bad surprises.
If your app exhausts the generous 160G/mo in free-tier bandwidth, yes, you’d have to pay up. Though, Fly does send an email when it detects abnormally high bandwidth use. So, you’ll probably not end up with a huge surprise bill. Fly also runs some form of rudimentary DDoS shield across its edge, so it isn’t like a bot is going to have a field day. Even if it did, Fly probably refunds you for your troubles.
If your app is publicly accessible, this is a potential problem, yes. At the cost of some latency, you can choose to front your web server (ie HTTP/S-only) on Fly behind
cloudflared and add rate limit rules (which are completely unmetered as of this month, while DDoS has always been free).
Yet another alternative is to run private Fly apps with no exposed public IP (which more or less have unmetered bandwidth as long as traffic stays within
6pn, Fly’s WireGuard backhaul).
Yet another is to guard a public-facing app with some form of auth (ex: HTTP basic auth).
Besides, one can always bake in admission control themselves for the runtime / language / server / image they deploy.
@ignoramous Thank you for this detailed response, I very much appreciate it.
I looked at rate limiting with Cloudflare, but I think I need my own domain for that if I’m right… since Cloudflare asks you to change your nameservers with your domain registrar, and obviously I don’t control the fly.dev domain.
But yes, thanks for your post. Perhaps I will look at the other solutions you suggested.