Regional data "lock"?

Hi, just looking into Fly.io for the first time and it looks awesome! Hoping to move our app over.

I was wondering if it was possible to restrict regions that an app gets served from (at least from an API standpoint). A requirement is that all the data stays in Canada and flows only through Canadian servers, even if users access it from the USA/overseas/vpn.

hi! fly regions will allow you to set your region pool. This will make it so that your app only spins up instances from those regions.

Hi @Oops365,

One thing to note is that traffic will usually flow through the nearest fly.io edge when using anycast IPs.

This means that even if you only have servers configured in Canada, if a user from Los Angeles accesses your service their traffic will most likely be directed to fly.io’s lax region where the edge will then tunnel the traffic to your servers in Canada.

Hmm, is there a way to disable that behavior?

I believe the preferred way to lock your app to a region is by using volumes.

For example, this is how I recently locked an app to the lax region:

  1. Create a volume in the desired region: fly volumes create VOLUME_NAME --region lax
  2. Mount the volume to your app in your fly.toml file:
[[mounts]]
  destination = "/path/to/volume"
  source = "VOLUME_NAME"

Once you do this and re-deploy your app, the fly regions config will become obsolete. If you try to add a new region, you’ll get a message that regions are being controlled with volumes.

Hmm, is there a way to disable that behavior?

I don’t think so-- our network uses Anycast at its edge, which means that all our IPs are announced at all of our PoPs/regions, and will generally respond to requests from a client to the nearest region. You can read a little more about this behavior in this wonderful blog post:

That said, traffic from abroad has to get to your Canadian servers via the Internet one way or another, so I’d guess this really depends on how you’re interpreting ‘flows only through Canadian servers’.

We have another great blog post on how our proxying works that could come in handy here: