I know Fly terminates TLS at the edge and sends the unencrypted plaintext to my app. Is the Fly internal network encrypted? For compliance reasons, my app needs to have the incoming data be encrypted at every step.
I know Fly terminates TLS at the edge and sends the unencrypted plaintext to my app.
Yes, all comms on Fly’s backhaul are encrypted with WireGuard (ref).
Is the fly internal network encrypted?
Note, the internal network between two apps in the same Fly org (6PN) is also on Fly’s WireGuard backhaul: 6PN addressing clarification - #2 by kurt
We run a WireGuard mesh between all of our hosts; once traffic hits our edge, there’s no point at which it goes back out over the Internet in plaintext.
That goes for traffic between apps as well, though you should know that two apps on the same host will be speaking directly to each other (in plaintext) over the host’s local routing. If you want more assurance than that, you can build an image that does TLS or WireGuard between your apps; it’s probably not worth it, but it’s a thing you can do.
For compliance purposes, both traffic from the Internet and traffic between apps are reliably encrypted.