Your documentation mentions the following
TLS middleware terminates TLS using Fly.io-managed application certificates, then forwards a plaintext connection to the application process. This is useful for running TCP services and offloading
TLS to the Fly Proxy.
For performance purposes, the Fly Proxy will terminate TLS on the host a client connects to, and then forward the connection to the nearest available application instance.
While I do like that approach, I am wondering how in-flight data is kept secure between the proxy and the actual fly machine. I assume that you would use the privat network connection and that the traffic is only visible for all the machines part of the same app. Can you confirm that?
Thanks a lot, Ralph
Hello Ralph, You’ll be happy to know that all our servers are bound together with a WireGuard mesh which means everything is encrypted in transit. Furthermore, each organization has its private network, which we call a 6PN. For this, we use some eBPF rules to make sure things from different 6PN private networks can’t talk to each other. If you want some of your apps to be even more isolated you can pull them off the default org’s network and into a custom one by specifying the
--network flag while creating the app
fly apps create.
You can find more about this at these links:
Thanks for the swift reply rugwiro. So if I understand correctly the fly edge proxy would connect to my apps private network via wireguard, right?
Yep, that’s exactly how it goes.
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.