Just to clarify, the following works?
- Create an app, specify `network` to be anything
- Create a WireGuard peer, set `network` to be the same as the app?
This isolates the WireGuard peer to only apps that share the
network a globally-unique value or an organizationally-unique value?
Is there a way to connect an app to more than one network? For example, I want to isolate client connections to their own instances running in Fly that I manage and I also want to be able to connect via WireGuard without network isolation.
If I omit the `network` on the WireGuard peer does that provide global access to all apps, even if the app specifies a `network`? What about Postgres? Does that mean that if I have Postgres and a `network` specified on the app, the app cannot communicate with an untagged Postgres HA in Fly (without
I ask because I want to establish a WireGuard connection between the managed app instances and agents that communicate with the cloud instance. Right now, the agent checks in with a server, but I’d prefer to go the other way when possible to avoid polling or streaming commands. My current implementation uses user-land WireGuard from Go and establishes a peer for each app instance in the cluster for a client, and each agent as a peer.
This should work, but if WireGuard peering is already available as part of Fly I won’t need to build both ends. I don’t want to abuse the Fly implementation for fear of it breaking suddenly, but if this is an intended use case I’d love to use it.