Static egress IPs for machines

You can now assign static egress IPs to your machines!

Although most apps don’t need it, it is useful when using services like MongoDB Atlas that require allowlisting a range of IPs.

You can allocate static egress IPs to your machine by running fly machine egress-ip allocate <machine ID>. These IPs survive machine migration and are not shared between machines.

Static egress IPs for machines will cost $0.005 per hour.

This is awesome!!!

Question, so if I have multiple machines in my app, I would need to configure one static egress ip per machine?

If you really want one static egress IP per machine, then yes. However, most use cases should not actually require this – for example, you may set up one or two machines per region to act as a proxy with static egress IPs, and have the rest of your machines connect to them for connections that require dedicated/static IPs.

That’s ~$3.6/mo per IP per machine. And for v6, too? Ouch.

You’ll get both a v4 and a v6 when you allocate a static egress IP. That $0.005 an hour includes both.

What about blue/green deployments – If you run a deployment will the egress IPs be moved to the new machines?

Nope, not yet. IPs are linked to a specific machine.

Is that the plan for the IP to follow a machine on a Blue Green deployment? The static egress IP is something ideal for external database connectivity as you mentioned. However, like you said, if we deploy our IP could go away or change. If we deploy a new machine, will we be able to reassign (manually for now) the static IP that was previously assigned to the new machine, or will we have to request a new one?

You can deploy a one-off machine and assign the IP to that one. This machine won’t be updated as part of a bluegreen deploy. You can update it manually with fly machine update if needed!

fly machine run -a your-app your-image.

  • Daniel

While I am very excited about this I think it’s (mostly) unusable (for us) as it currently stands. We are constantly deploying using blue green deployments throughout the week to ensure no downtime.

Excited for when we can assign a static IP to an App so that we can configure it just once then I know each app has an IP I can configure in our external services.

Rolling deploys update machines in place (keeping the IP), and then do a quick restart. Restarts on machines are so fast you may actually prefer rolling deployments to bluegreen.

But in general, you’re better off running 1-2 machines to proxy through for static outbound IPs.

So there’s no chance of getting static egress IPs per app?

There’s a chance! But it would just be a convenience. We’d end up implementing it as a supporting app that just has two+ machines running proxies (or a NAT gateway), and then figure out how to get apps to route some connections through those.

It’s early but I expect we’ll have an example of how to set this up soon. It’s doable the hard way today!

Thanks Kurt, would much rather do it the easy way, I don’t particularly want to be managing that stuff myself and instead focus my time on features for my customers!

What kinds of things do you need to do from static IPs? If it’s just HTTP requests you can run this as an app and proxy through it pretty easily: GitHub - fly-apps/smokescreen: An example of deploying Smokescreen on Fly.io

It would be for connecting to external services like postgres and potentially redis. Stuff like that just so we can secure by IP.
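The proxy-machine pattern suggested in the replies above, sketched for raw TCP services such as the Postgres and Redis connections just mentioned. This is an added example, not part of the thread and not Fly.io code: it would run on the machine that holds the static egress IP, and the host names, ports and bind address are placeholders.

```python
import asyncio
import functools

# Hypothetical allowlist: local listen port -> the one upstream it may dial.
# Fixed destinations keep the relay from acting as an open proxy.
UPSTREAMS = {
    15432: ("db.example.com", 5432),     # placeholder Postgres endpoint
    16379: ("cache.example.com", 6379),  # placeholder Redis endpoint
}

async def _pump(reader, writer):
    """Copy bytes one way; on EOF pass the half-close on, on error close."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
        if writer.can_write_eof():
            writer.write_eof()
    except OSError:
        writer.close()

async def relay(client_r, client_w, host, port):
    """Dial the fixed upstream and splice it to the client connection."""
    try:
        up_r, up_w = await asyncio.wait_for(asyncio.open_connection(host, port), 10)
    except (OSError, asyncio.TimeoutError):
        client_w.close()  # upstream unreachable: drop the client cleanly
        return
    try:
        await asyncio.gather(_pump(client_r, up_w), _pump(up_r, client_w))
    finally:
        client_w.close()
        up_w.close()

async def serve(bind_host, upstreams=UPSTREAMS):
    """Start one listener per allowlisted upstream and return the servers."""
    servers = []
    for listen_port, (host, port) in upstreams.items():
        handler = functools.partial(relay, host=host, port=port)
        servers.append(await asyncio.start_server(handler, bind_host, listen_port))
    return servers

async def main(bind_host="127.0.0.1"):
    # Assumption: replace bind_host with the machine's private address so
    # the relay is reachable only from your own machines.
    servers = await serve(bind_host)
    await asyncio.gather(*(s.serve_forever() for s in servers))

if __name__ == "__main__":
    asyncio.run(main())
```

The relay only copies bytes, so TLS still terminates at the database; clients that verify the server name must be configured to check the upstream host name rather than the relay's address.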

Thanks Kurt. One more question. I use a dedicated proxy and assign one machine a static IP. Say this is my nginx app. Even the nginx app has two machines (I’ve tried max_running_machines=1). Now with one machine static IP, how are the requests routed? Always through the machine with static IP?

I keep getting

Error: Could not find App

I’m pretty sure I’m using the correct machine ID, copied it from fly machine list output, is this correct?
My machines are in ams.

Can I use the same static IP for egress and ingress?

I’ve allocated an egress IP to a machine with a TCP service, it’s reachable on the external IPv6 address, but I can’t reach it on egress IPs (both v4 and v6).