Long Running Anycast IPv4 Support, BYO Certs?

Hi There!
We’re down the road building our new Passive DNS offering on top of Fly (see: NCT Token Rewards for Cyber Security Data for background). I really like what you’ve done with the platform and most things have been super smooth so far, thanks for that. We’ve got an end-to-end working so far and we plan on scaling quite a bit across all your regions; however, I’ve got two big questions:

  1. We’ll need to ensure that our application has long-lived IPv4 addresses associated with it. Users of our DNS service will need to bootstrap into these fixed IPv4s for their service; having them change is a support nightmare. Do we have any options for getting you guys to bind 2x IPv4s to our account for the long run? What about bringing in 2x ‘vanity’ IPs for our DNS resolvers?
  2. We’re big fans of Let’s Encrypt, but they don’t issue IP address bound certs. Is there an option to push in our own cert for DNS-over-HTTPS (DOH) from a CA that supports IPv4 CNs?

Thanks!

Is there an option to push in our own cert for DNS-over-HTTPS (DOH)

This discussion has pointers: Use Cloudflare Certs to FlyIO - #8 by ignoramous

What about bringing in 2x ‘vanity’ IPs for our DNS resolvers?

Re: BYOIP: Cloudflare and Vultr let one anycast any IP. Fly.io should too, but I don’t think they currently do. Though read: BYO compute resources and external ip addresses - #2 by kurt

We’ll need to ensure that our application has long-lived IPv4 addresses associated with it.

This should be the case as long as Fly.io’s operational (but would it be… I don’t know, perhaps see Fly.io Terms of Service Section 1d, and then trigger 1e, because Section 8a and 8c make for an ominous read ;).

The first is easy! You can run flyctl ips allocate-v4 to add IPs to your app.

The second is more difficult:

  1. We have an unsupported GraphQL mutation for importing certificates you can try, but I don’t think we even serve certificates for raw IP addresses
  2. You can do your own TLS termination within your VMs. Just turn our tls and http handlers off.

We don’t support vanity IPs yet, though.
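For readers landing on this thread, here is what option 2 above looks like in practice. This is an added illustration, not configuration from the thread, the poster's project, or Fly.io's documentation: a fly.toml in which the 443 port has no Fly handlers attached, so the proxy passes the raw TCP stream through and the VM presents its own certificate (one carrying the anycast IPv4 address as a SAN, from a CA that issues such certs) for DNS-over-HTTPS. The app name, internal ports, and the plain-DNS service entries on 53 are assumptions for the example.

```toml
# Added example (not from the thread or Fly.io docs): bypass Fly's edge
# TLS termination so the VM terminates TLS itself with its own cert.
app = "example-pdns-resolver"   # assumed placeholder app name

[[services]]
  internal_port = 8443          # assumed: the DoH server listens here inside the VM
  protocol = "tcp"

  # No "tls" or "http" handler on this port: Fly's proxy forwards raw TCP,
  # so the VM does the TLS handshake with a certificate whose SAN lists the
  # long-lived anycast IPv4 address. The private key never leaves the VM.
  [[services.ports]]
    port = 443
    handlers = []

  # For contrast, the default edge-terminated layout, where Fly serves the
  # certificate and the VM only sees plaintext HTTP:
  # [[services.ports]]
  #   port = 443
  #   handlers = ["tls", "http"]

  # A TCP check only confirms the listener accepts connections; it does not
  # validate the certificate, so monitor cert expiry separately.
  [[services.tcp_checks]]
    interval = "15s"
    timeout = "2s"

# Plain DNS on 53 (assumed layout): UDP and TCP each need their own entry.
[[services]]
  internal_port = 5353          # assumed internal resolver port
  protocol = "udp"
  [[services.ports]]
    port = 53

[[services]]
  internal_port = 5353
  protocol = "tcp"
  [[services.ports]]
    port = 53
```

With handlers removed, the DoH process inside the VM must load the certificate and key itself (for example from a secret mounted into the VM rather than baked into the image), and certificate rotation becomes the operator's job instead of Fly's. For the UDP entry, Fly's routing expects the process to bind to the platform's designated global-services address rather than 0.0.0.0; check the current Fly.io docs for that detail, since it is outside what this thread states.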