Ports not exposed internally, only externally

I’m deploying a few different applications: one nextjs app, which also serves a graphql API, a python fastAPI application which also serves a graphql API, and a graphql API gateway which needs to connect to both of the graphql APIs.

All of them are currently exposed to the internet while I’m getting this up and running, but they are using the internal addresses to communicate since the idea is that only a reverse proxy will be exposed in the end.

Most of it works. I can access all 3 services from the internet, and I can verify that I can connect to one graphql API via the API gateway. But for some reason, it looks like the python service, which listens on port 8000, only exposes that port to the internet, but not the internal address.

I’ve tried SSHing into various services and connecting to the python service. I can ping it just fine, but I can’t curl/wget it. If I set up a wireguard tunnel and run a port scan on the internal address, I only get port 22. If I scan the other services, their internal ports are open as expected.

The Dockerfile command is

CMD ["uvicorn", "main:app", "--host", "0.0.0.0" , "--port", "8000"]

I’ve also tried :: based on some threads I’ve managed to find by googling, but this makes the deployment fail because the healthchecks don’t pass. In fly.toml, internal_port = 8000.

I feel like I must be missing something, but I’ve really spent an unreasonable amount of time on this issue at this point and would really appreciate any and all input.

Update: I tried disabling the tcp_checks part of the service section and listening on ::. This makes it work, insofar as it is now accessible internally, but is no longer accessible from the internet.

The problem you have is that (AFAIK) the Fly health-checks/proxy connections are IPv4 and Fly’s private networking/Wireguard is IPv6. If you want external IPv4 connectivity/health-checks and private networking for your service - it will need to listen on both IPv4 and IPv6.

It appears this functionality has been discussed recently - Dual stack (IPv4/IPv6) support #1529, although my reading of that suggests it may not currently be possible with Uvicorn?
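Added example (not part of the thread, and not Fly's or Uvicorn's code): a standard-library check of which address families a listener accepts for each bind choice discussed above. The helper names `reachable` and `probe_bind` are hypothetical, and the loopback addresses 127.0.0.1 and ::1 are an assumption standing in for the IPv4 proxy/health-check path and the IPv6 private network.

```python
import socket


def reachable(addr: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to addr:port completes."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or address family unavailable
        return False


def probe_bind(host: str, dual_stack: bool = False):
    """Listen on `host` (ephemeral port) and report which families can connect.

    Returns None when dual-stack is requested but the platform lacks it.
    """
    if dual_stack and not socket.has_dualstack_ipv6():
        return None
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    # For AF_INET6, create_server sets IPV6_V6ONLY explicitly:
    # 0 when dualstack_ipv6=True, 1 otherwise.
    with socket.create_server((host, 0), family=family,
                              dualstack_ipv6=dual_stack) as srv:
        port = srv.getsockname()[1]
        return {"ipv4": reachable("127.0.0.1", port),
                "ipv6": reachable("::1", port)}


if __name__ == "__main__":
    # Assumption: loopback stands in for the two network paths in the thread.
    cases = [("0.0.0.0", False), ("::", False), ("::", True)]
    for host, dual in cases:
        print(f"bind {host!r:10} dual_stack={dual!s:5} ->", probe_bind(host, dual))
```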