Why do I need a dedicated IPv4 to serve raw TCP responses?

I create a fly.io application that gets SSL automatically. Now instead of serving HTTPS over port 443, I want to serve a raw TCP stream, with SSL terminated by Fly.io. My toml now looks sort of like this:

[[services]]
  http_checks = []
  internal_port = 4433
  processes = ["app"]
  protocol = "tcp"
  script_checks = []
  [services.concurrency]
    hard_limit = 25
    soft_limit = 20
    type = "connections"

  [[services.ports]]
    handlers = ["tls"]
    port = 443

  [[services.tcp_checks]]
    grace_period = "1s"
    interval = "15s"
    restart_limit = 0
    timeout = "2s"

When I do that, fly.io wants me to get my own IPv4. When I do that, everything works fine.

But now I'm curious how fly.io dispatches traffic between applications. Why do I have to get my own IPv4 now? Is it a technical limitation? That would indicate it uses something from the HTTP request to dispatch, but a few tests suggest not.

Up until now I assumed it would use SNI, and of course it would need that to serve custom domains at all.

Any ideas why this is technically necessary? Or is this just how you guys do pricing?

Cloudflare appears to have the same limitation, so I must be missing something.

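To make the SNI question concrete, here is an added example (not fly.io's code, and not from the original post) that parses the server_name extension straight out of the first TLS record on a raw TCP connection and picks a backend from it. The point it illustrates is that SNI is visible before any HTTP bytes exist, so dispatching bare TLS on a shared IP is possible for clients that send it, while a ClientHello without SNI, or a non-TLS first packet, gives a front-end nothing to route on. The backend table, host names, and the build_client_hello helper used to construct sample input are all assumptions made up for the example.

```python
import struct

# Assumed routing table for the example: SNI host name -> (internal host, port).
BACKENDS = {
    "app-a.example": ("app-a-internal", 4433),
    "app-b.example": ("app-b-internal", 4433),
}


def parse_sni(data: bytes):
    """Return the host name from the server_name extension of a TLS ClientHello,
    or None when the bytes are not a ClientHello or carry no SNI."""
    # TLS record header: content type (1), version (2), length (2); 0x16 = handshake.
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    # Handshake header: type (1) = 0x01 ClientHello, length (3).
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                      # skip client_version and random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]             # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]             # compression_methods
    if len(hello) < pos + 2:
        return None                   # no extensions block at all -> no SNI
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hello))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype != 0:                # 0 = server_name
            continue
        # ServerNameList: list length (2), then entries of type (1), length (2), name.
        lpos = 2
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            lpos += 3
            name = edata[lpos:lpos + nlen]
            lpos += nlen
            if ntype == 0:            # host_name
                return name.decode("ascii")
    return None


def route(first_bytes: bytes):
    """Pick a backend for a new TCP connection from its first bytes.
    Returns None when there is no SNI to dispatch on (non-TLS, or no server_name)."""
    name = parse_sni(first_bytes)
    if name is None:
        return None
    return BACKENDS.get(name.lower())


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record for testing (assumed input,
    not a capture). server_name=None omits the extensions block entirely."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + b"\x00" * 32            # version + zero random (test only)
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"    # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                           # compression: null only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(route(build_client_hello("app-a.example")))   # ('app-a-internal', 4433)
    print(route(build_client_hello(None)))              # None: no SNI to route on
    print(route(b"GET / HTTP/1.1\r\n"))                  # None: not TLS at all
```

A real front-end would peek at the first segment without consuming it, then splice the connection through to the chosen backend (or terminate TLS itself once it knows which certificate to present). The two None cases are the ones a shared-IP design has to answer for: without a server_name there is no way to tell two bare-TCP apps on the same address and port apart.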

Somebody else pointed me towards: [rejected] Feature request: Bare TLS on shared IPv4 (for non-HTTP protocols) - #2 by DazWilkin
