New Feature: Application Private IPs

In your org’s private network, instances of your application communicate directly with each other. This traffic doesn’t benefit from load balancing, rate-limiting or other proxy features, because it doesn’t go through fly-proxy, our internal proxy. But as of now, you can route internal traffic via fly-proxy and get all that proxy goodness, by assigning private IPv6 addresses to your applications. We’ve even come up with a great name for them: Flycast IPs.

The command in flyctl to allocate a Flycast IP is:

flyctl ips allocate-v6 --private

Allocated application private IPs show up in flyctl ips list. Their type field will be set to private:

VERSION	IP                 	TYPE   	REGION	CREATED AT
v4     	37.16.24.216       	public 	global	2022-07-05T21:44:44Z
v6     	2a09:8280:1::6:4fc4	public 	global	2022-07-05T21:44:54Z
v6     	fdaa:0:XXXX:0:1::2 	private	global	2022-06-21T08:45:56Z

Yes, we know it’s confusing that it doesn’t show in flyctl ips private. We’re working on improving the UX.

We’re planning on making improvements to this feature. At present, you cannot send traffic to Flycast IPs from your personal device when connected to WireGuard. We also don’t automatically generate DNS records for these IPs. However, you can do this yourself if you own a custom domain.

We’ll get those features out to you soon though! In the meantime, give it a try and let us know if you run into any issues.


Do the internal proxies have the same limitations as external proxies? e.g. timeouts

All traffic to fly applications over public IPs goes through the internal proxy. You can expect the same behaviour for your private traffic if you use flycast IPs. Speaking to timeouts specifically, we do have them. If no data is sent for 60 seconds, we close the connection.

Are there any plans to offer load balancers (even if it’s an extra cost) that don’t have the limitations of the fly proxy?

At the moment we don’t have any plans for that. Interested to hear what issues you’re running into caused by fly proxy?

Do Flycast IPs work with Machines (like start a stopped machine, for instance)? I can try, but I am rather lazy.

@senyo Is there any news about sending traffic via WireGuard to a Flycast IP? It would be nice if that would work (including DNS lookups).

My current use-case: Connect to my Postgres cluster from my laptop. Instead of just using the connection string generated by the appropriate flyctl pg ... commands, one needs to run fly machines list to get an internal IPv6 to connect to. And if one wants to connect to the primary instance, add another flyctl status to that and match machine IDs.

You should be able to do this already. For DNS, you can configure it manually on your machine by adding an entry to /etc/hosts.

You are right. Earlier I just tried to connect with Postico which shows this error:

connection to server at "<private_v6>", port 5432 failed: SSL SYSCALL error: Undefined error: 0

Using psql instead seems to work.

Working DNS lookups for .flycast through WireGuard would be nice, though :wink:


You may need to add ?sslmode=disable to your connection string. I also noticed that some Go libraries seem to choke on the pg_tls handler (couldn’t connect to Postgres via Terraform or the postgres provider via SSL).

Hi @senyo, does this mean I can curl http://[private-v6]:3000 from another fly app and it’ll handle the load balancing?

It doesn’t appear to work for me. I have a [http_service] web app that gets scaled down to 0. When I curl the public address (from another unrelated app instance), e.g. curl http://my-app.fly.dev, the load balancer autostarts the web app. But when I curl http://[ipv6-private]:3000, it connects to the instance but the connection gets dropped and does not autostart the app.

It should work. Are you sure you’re using a flycast IP and not the instance’s private ipv6 address?

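Added example, not part of the thread and not Fly.io code: one way to check the question raised in the last reply, whether the URL an internal caller uses points at one of the app's private-type (Flycast) addresses, so the traffic actually passes through fly-proxy. It assumes the text table format of flyctl ips list shown in the first post; the function names and all sample addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the layout of `flyctl ips list` (addresses are made up).
SAMPLE_LISTING = """\
VERSION\tIP                 \tTYPE   \tREGION\tCREATED AT
v4     \t198.51.100.7       \tpublic \tglobal\t2022-07-05T21:44:44Z
v6     \t2001:db8::6:4fc4   \tpublic \tglobal\t2022-07-05T21:44:54Z
v6     \tfdaa:0:1234:0:1::2 \tprivate\tglobal\t2022-06-21T08:45:56Z
"""


def parse_ips(listing):
    """Map each parsed address in the listing to its TYPE column."""
    rows = {}
    for line in listing.splitlines()[1:]:      # skip the header row
        fields = line.split()                  # columns are tab/space padded
        if len(fields) < 3:
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:                     # redacted or malformed address
            continue
        rows[addr] = fields[2]
    return rows


def classify_target(url, listing):
    """Classify the host of `url` against the app's allocated IPs.

    'flycast'       -> private-type app IP, routed via fly-proxy
    'public'        -> public app IP, also routed via fly-proxy
    'not-an-app-ip' -> IP literal that is not allocated to the app, for
                       example an instance's own private IPv6 address
    'hostname'      -> not an IP literal; resolve it first, then re-check
    """
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)      # normalises IPv6 spelling
    except ValueError:
        return "hostname"
    kind = parse_ips(listing).get(addr)
    if kind == "private":
        return "flycast"
    return "public" if kind == "public" else "not-an-app-ip"


if __name__ == "__main__":
    for u in ("http://[fdaa:0:1234:0:1::2]:3000",
              "http://[fdaa:0:1234:a7b:7d:0:1:2]:3000",   # constructed instance IP
              "http://my-app.fly.dev"):
        print(u, "->", classify_target(u, SAMPLE_LISTING))
```

Because addresses are compared as parsed values rather than strings, an expanded or upper-case spelling of the same Flycast address still matches.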