Private networking example?


I’m a bit confused about private networking and would really appreciate to have this explained a bit more.

So let’s say I have a website that communicates with an API, and they’re both within the same organization. Does private networking mean the website can communicate with the API without exposing the api to a public ip/domain?

According to the docs, if I understand it correctly, I don’t have to do anything special to get this working. So could I just do a request to the API using the IPv6 address or even the .internal domain? What confuses me is the part about DNS in the docs.

A really basic explanation and code example of how this would look would be super helpful.


To begin with all, all the apps in one of your organisations run on the same internal network inside Fly — they can make requests out to the internet, but no requests reach them from the internet. They can talk to each other, though — app.internal is a DNS call you can make from any app inside the organisation that will return a list of all the IP addresses of instances of that app. Just making a request straight to app.internal should route the request straight to an instance of the app as well.

You can join this internal organisation network like a VPN using the instructions here: Private Networking — this should let you call your applications like you’re inside the Fly org network.

Finally, if your apps need to be exposed to the internet, you can open a port using the config mentioned here: App Configuration (fly.toml) — choose which port the app is listening on, which port you want to expose publicly, and if you want Fly to add managed handlers for TLS termination or HTTP normalisation.

Does that help?

Ok, so in other words I’m able to simply make an Ajax request from one app to another like so:
fetch('https://my-app-name.internal/get-stuff') ?

If so, can I count on the request to get routed to the same region, or if not in the same, the closest one?

Thanks for your help!

It’s http, not https, but yes. These are requests are internal in the network and unless you’re managing certs yourself on the app HTTPS won’t be necessary.

Right now, app.internal routes to one of the instances (no guarantees as to which one), but we’ll soon announce another address that goes to an instance in the nearest region.

1 Like

Aha, that’s cool! So until is available, can I take the FLY_REGION environment variable and then use it in <region>.my-app-name.internal?
Or is that unnecessary / a stupid idea?

1 Like

That’s a good idea, as long you’ve fixed one or more instances to that region using volumes or scaling counts (Scaling and Autoscaling has more info). If you have a replica or primary database server running there, for instance, that’s a very good way to get a fast connection.