@thomas thanks for circling back to my question.
To circle back to my use case: I would like to know if the following is possible from a development machine:
1. Visit `https://<custom-domain>.internal/...` and it resolves the address, then sends traffic to the server process.
2. Visit `https://<custom-domain>/...` and it does not resolve for those not on the private network.
3. Each device would be a member of the organization to avoid #2.
I understood zero services section meant no public internet for a given service. I got this understanding from the App Configuration [documentation](https://fly.io/docs/reference/configuration/#the-services-sections).

> No services section: The application has no mappings to the external internet - typically apps like databases that talk over 6PN private networking to other apps.

I am pretty sure there is documentation putting all this together, but I cannot seem to find what the appropriate configuration is to accomplish my goal.
For example, I tried the following command:

```
flyctl dig AAAA <custom-domain>.internal:<$INTERNALPORT> --app ... -o ...
```

And received:

```
;; QUESTION SECTION:
;<custom-domain>.club.internal:$PORT. IN AAAA
;; AUTHORITY SECTION:
. 2475 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022012600 1800 900 604800 86400
```
For reference, when I run the same dig command for the custom domain, I get:

```
flyctl dig AAAA <custom-domain> --app ... -o ...
;; opcode: QUERY, status: NOERROR, id: 52569
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;<custom-domain>. IN AAAA
;; ANSWER SECTION:
<custom-domain>. 900 IN CNAME $FLY_APP_DOMAIN.
$FLY_APP_DOMAIN. 3600 IN AAAA .....
```
I hope this gives greater context for understanding what I am trying to accomplish.

> Moreover: they’ll need to be pointing to the DNS server in the WireGuard configuration (not always super convenient to get this working on desktop OSs).

I am running on macOS and yeah, this is not pleasant. I did not update my DNS entry at the system level prior to this conversation, but I have that set up now. Unfortunately, after updating the settings, a ping to the internal host/port does not resolve.