We’ve got a flurry of new fleatures arriving at Fly and I’m taking a minute to talk about two of them.
The first is Private Networking. Enable it in your
We’ll add your application to a private IPv6 network (we call them 6PNs — or at least I do, and I’m trying to make it a thing) for your organization, and link instances of that application to DNS so you can find them.
Every app running on Fly now has an additional IP address —
fly-local-6pn — that has connectivity only within its private network. If you want to run a private service, like Serf or NATS or Pgbouncer, bind it to
fly-local-6pn and only apps in your organization will be able to reach it.
We do some rudimentary DNS. With 6PN enabled, an app called
fearsome-bagel-43 can do a TXT query of
regions.fearsome-bagel-43.internal to discover what regions it’s deployed on:
$ dig -t TXT fearsome-bagel-43.internal ... ;; ANSWER SECTION: regions.fearsome-bagel-43.internal. 1500 IN TXT "ord,nrt"
Since it’s deployed on
nrt,ord, you can use
nrt.fearsome-bagel-43.internal as a DNS name and it should just work.
global.fearsome-bagel-43.internal selects from all regions.
To make this work, we inject the nameserver
fdaa::3 into your resolv.conf (that’s what the [experimental] option I mentioned triggers). But you can just talk to
fdaa::3 directly if you want, or use dnsmasq, or Golang’s DNS libraries, or whatever. Importantly:
fdaa::3 recurses, to 184.108.40.206, for non-.internal names, so it works as your app’s primary nameserver as well.
You should be able to run any protocol you like between your applications on your 6PN — again, the 6PN is private to your organization and spans all the apps in that organization — and we’ll be posting examples of what we’ve been doing with it internally.
The other feature I want to talk about is WireGuard Peering. You can now link your private network to other networks using WireGuard.
To do that, update
flyctl, and then run
flyctl wireguard create. Select the organization to peer to, and the region you want WireGuard to connect to (note: right now, the only region you can use is “dev”, but that’ll change). Give the peering link a name. We’ll generate a WireGuard configuration for you, which will work with the macOS WireGuard.app, Windows WireGuard, and Linux
Your WireGuard peering connection has the same connectivity apps in your organization do, and we give them a local DNS server that sees the same names your apps do. You can see the IPv6 address of the local nameserver in the WireGuard config we generate for you.
You can use WireGuard peering to manage and talk to your apps directly from your laptop, and to bridge it to third-party services.
I’m a little biased but I’m psyched about how useful WireGuard peering turns out to be. Because it’s WireGuard and not OpenVPN or IPSEC, it pretty much just always works. I open my laptop, I close my laptop, I go make a sandwich, whatever, I’m always connected to the apps in my organization, as if they were just on my local IPv6 network. I hope you all find interesting things to do with it and interesting bugs for me to hunt down.