Transport security between proxy and fly machine

Your documentation mentions the following

The TLS middleware terminates TLS using application certificates, then forwards a plaintext connection to the application process. This is useful for running TCP services and offloading TLS to the Fly Proxy.

For performance purposes, the Fly Proxy will terminate TLS on the host a client connects to, and then forward the connection to the nearest available application instance.

While I do like that approach, I am wondering how in-flight data is kept secure between the proxy and the actual fly machine. I assume that you would use the privat network connection and that the traffic is only visible for all the machines part of the same app. Can you confirm that?

Thanks a lot, Ralph

Hello Ralph, You’ll be happy to know that all our servers are bound together with a WireGuard mesh which means everything is encrypted in transit. Furthermore, each organization has its private network, which we call a 6PN. For this, we use some eBPF rules to make sure things from different 6PN private networks can’t talk to each other. If you want some of your apps to be even more isolated you can pull them off the default org’s network and into a custom one by specifying the --network flag while creating the app fly apps create.

You can find more about this at these links:


Thanks for the swift reply rugwiro. So if I understand correctly the fly edge proxy would connect to my apps private network via wireguard, right?

1 Like

Yep, that’s exactly how it goes.

Excellent, thanks

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.