From 2ec97086d545c82cb7ef1eab7f91de626fcd214e Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Wed, 17 Dec 2025 17:40:42 -0500 Subject: [PATCH 1/5] Add documentation for app-scoped egress IPs --- networking/egress-ips.html.md | 62 ++++++++++++++++++++++++++++---- networking/services.html.markerb | 4 +++ 2 files changed, 59 insertions(+), 7 deletions(-) diff --git a/networking/egress-ips.html.md b/networking/egress-ips.html.md index e022e956ae..6afe158164 100644 --- a/networking/egress-ips.html.md +++ b/networking/egress-ips.html.md @@ -9,10 +9,10 @@ date: 2025-10-02 ## Overview - By default, outbound (egress) IPs from Fly Machines are **unstable** and may change. -- You can allocate **static egress IPs** per machine (both IPv4 and IPv6) via `fly machine egress-ip`. -- Static egress IPs come with trade-offs: cost, binding to machine lifecycle, and deployment quirks. -- A common workaround is to front outbound traffic through a **proxy** app that _does_ have static egress IPs. -- App-scoped egress IPs are in development and may simplify this in the future. +- You can allocate **static egress IPs** for an app (both IPv4 and IPv6) via `fly ips allocate-egress`. +- App-scoped Static egress IPs are per-region: you need one for every region where you have machines. +- Static egress IPs come with trade-offs: cost, concurrent machines / connections. +- Legacy machine-scoped static egress IPs are still availble, but no longer recommended due to their limitations and quirks. --- @@ -26,8 +26,52 @@ Some external services—APIs, databases, payment providers—require allowlisti --- +## Static Egress IPs (App-Scoped) + +App-scoped static egress IPs can be shared between multiple machines in a region belonging to the same app, and will not be deleted when machines are recreated. They are recommended over our legacy, machine-scoped static egress IPs. + +### Allocate an App-scoped Static Egress IP + +```bash +fly ips allocate-egress --app -r +``` + +This allocates a pair of static egress IPv4 and IPv6 for your app in a region. + +If your app has Machines in multiple regions, you must allocate at least 1 app-scoped static egress IP address __per region__. +Only machines located in the same region can use static egress IPs allocated in the region. + +
+You can allocate multiple pairs of static egress IPv4 and IPv6 in the same region. Machines will randomly choose a pair from all static Egress IPs available in the region. +
+ +### View and Manage + +```bash +fly ips list +fly ips release-egress +``` + +### Billing + +Each app-scoped static egress IPv4 cost $3.60/mo, billed hourly. IPv6 is currently free, but must be allocated along with an IPv4. + +### Caveats + +- Each static egress IP can support up to 64 Machines. If you need more than 64 Machines in one region, you will need to allocate multiple static egress IPs. +- When using App-scoped static egress IPs, a Machine can make up to 1000 connections to _each_ external IP address. There is no limit on the _total_ number of concurrent connections. + - We do not expect this to be a concern for most apps. However, feel free to talk to us if this limits your use case! +- When you have multiple static egress IPs assigned in one region, there is currently no way to specify exactly which IP each machine will use. +- When new machines are created, there might be a brief window when an app-scoped egress IP is not applied to the machine. This may happen more often with more machines or during bluegreen deployment. Allocating multiple pairs of static egress IPs alleviates the issue. + +--- + ## Static Egress IPs (Machine-Scoped) +
+Machine-scoped static egress IPs are considered a legacy feature and may be removed in the future. This document section is kept for reference purposes only. New apps should use [app-scoped static egress IPs](#static-egress-ips-app-scoped). +
+ ### Allocate a Static Egress IP ```bash @@ -45,7 +89,7 @@ fly machine egress-ip release --app ### Caveats -Static egress IPs are **per-machine**, not per-app. +Because legacy static egress IPs are **per-machine**, not per-app: - IPs are released when a machine is destroyed. - IPs don’t automatically transfer across deploys. @@ -54,12 +98,16 @@ Static egress IPs are **per-machine**, not per-app. - Extra latency and connectivity issues are possible in some regions.
-Static egress IPs are billed per hour per machine. +Machine-scoped static egress IPs are billed per hour per machine.
--- -## The Proxy Pattern +## The Proxy Pattern (for Machine-Scoped Static Egress IPs) + +
+This section only applies to existing apps using machine-scoped static egress IPs. New apps should use [app-scoped static egress IPs](#static-egress-ips-app-scoped) instead. +
To avoid assigning static IPs to every machine, route traffic through a shared proxy app. diff --git a/networking/services.html.markerb b/networking/services.html.markerb index 8ad57a4d74..d65fd8946f 100644 --- a/networking/services.html.markerb +++ b/networking/services.html.markerb @@ -12,6 +12,10 @@ Fly.io has public and private network services available. The public network ser IPv6 addresses and shared IPv4 Anycast addresses are free. Dedicated IPv4 addresses are [billed](/docs/about/pricing/#anycast-ip-addresses) monthly. +
+Anycast IP addresses described on this page are __not used__ for outbound connections made from within a Machine. See [Egress IP Addresses](/docs/networking/egress-ips/) for details. +
+ ### About Anycast We announce global IP blocks from all of our datacenters over BGP, otherwise known as Anycast. Anycast is a core internet routing mechanism that connects clients to the "nearest" server advertising a block of IPs. You can read [all about it on Wikipedia](https://en.wikipedia.org/wiki/Anycast+external). From e16837db9dc61ada4f55841f7412eae717a08910 Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Wed, 17 Dec 2025 17:43:31 -0500 Subject: [PATCH 2/5] oops --- networking/egress-ips.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/networking/egress-ips.html.md b/networking/egress-ips.html.md index 6afe158164..40e789ff75 100644 --- a/networking/egress-ips.html.md +++ b/networking/egress-ips.html.md @@ -69,7 +69,7 @@ Each app-scoped static egress IPv4 cost $3.60/mo, billed hourly. IPv6 is current ## Static Egress IPs (Machine-Scoped)
-Machine-scoped static egress IPs are considered a legacy feature and may be removed in the future. This document section is kept for reference purposes only. New apps should use [app-scoped static egress IPs](#static-egress-ips-app-scoped). +Machine-scoped static egress IPs are considered a legacy feature and may be removed in the future. This section is kept for reference purposes only. New apps should use [app-scoped static egress IPs](#static-egress-ips-app-scoped).
### Allocate a Static Egress IP From 158a3f38ea07f53611e1779542ee09c89d59f50b Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Wed, 17 Dec 2025 17:45:57 -0500 Subject: [PATCH 3/5] Delete future work and unneeded best practices --- networking/egress-ips.html.md | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/networking/egress-ips.html.md b/networking/egress-ips.html.md index 40e789ff75..da25147cad 100644 --- a/networking/egress-ips.html.md +++ b/networking/egress-ips.html.md @@ -139,16 +139,5 @@ Example implementation: [fly-apps/fly-fixed-egress-ip-proxy](https://github.com/ ## Best Practices - Use static egress only when required. -- Prefer the proxy pattern for maintainability. - Test connectivity after assigning egress IPs. -- Avoid destroying machines unnecessarily. -- Monitor for failures during deploy-time migrations. - ---- - -## Future Work - -App-scoped egress IPs are in development. These will simplify routing and avoid per-machine binding. - -Until then, static IPs and proxy patterns remain the best tools available. - +- Monitor for failures during deploy-time migrations. \ No newline at end of file From f7d1c57e6095e355506b4a8406c5030ceb51331f Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Thu, 18 Dec 2025 09:33:30 -0500 Subject: [PATCH 4/5] Update --- networking/egress-ips.html.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/networking/egress-ips.html.md b/networking/egress-ips.html.md index da25147cad..7e2a84b01f 100644 --- a/networking/egress-ips.html.md +++ b/networking/egress-ips.html.md @@ -10,9 +10,9 @@ date: 2025-10-02 - By default, outbound (egress) IPs from Fly Machines are **unstable** and may change. - You can allocate **static egress IPs** for an app (both IPv4 and IPv6) via `fly ips allocate-egress`. -- App-scoped Static egress IPs are per-region: you need one for every region where you have machines. -- Static egress IPs come with trade-offs: cost, concurrent machines / connections. -- Legacy machine-scoped static egress IPs are still availble, but no longer recommended due to their limitations and quirks. +- App-scoped static egress IPs are per-region: you need one for each region where you have machines. +- Static egress IPs come with trade-offs: they cost more, and limit how many machines you can run at once. +- Legacy machine-scoped static egress IPs are still availble, but are no longer recommended due to their limitations and quirks. --- @@ -28,7 +28,7 @@ Some external services—APIs, databases, payment providers—require allowlisti ## Static Egress IPs (App-Scoped) -App-scoped static egress IPs can be shared between multiple machines in a region belonging to the same app, and will not be deleted when machines are recreated. They are recommended over our legacy, machine-scoped static egress IPs. +App-scoped static egress IPs can be shared between multiple machines in a region belonging to the same app, and will not be deleted when machines are recreated. They are recommended over our legacy machine-scoped static egress IPs. ### Allocate an App-scoped Static Egress IP @@ -36,13 +36,13 @@ App-scoped static egress IPs can be shared between multiple machines in a region fly ips allocate-egress --app -r ``` -This allocates a pair of static egress IPv4 and IPv6 for your app in a region. +This allocates a pair of static egress addresses, IPv4 and IPv6, for your app in a region. If your app has Machines in multiple regions, you must allocate at least 1 app-scoped static egress IP address __per region__. Only machines located in the same region can use static egress IPs allocated in the region.
-You can allocate multiple pairs of static egress IPv4 and IPv6 in the same region. Machines will randomly choose a pair from all static Egress IPs available in the region. +You can allocate multiple pairs of IPv4 and IPv6 static egress addresses in the same region. Machines will randomly choose a pair from all static egress IPs available in the region.
### View and Manage @@ -54,7 +54,7 @@ fly ips release-egress ### Billing -Each app-scoped static egress IPv4 cost $3.60/mo, billed hourly. IPv6 is currently free, but must be allocated along with an IPv4. +Each app-scoped IPv4 static egress address costs $3.60/mo, billed hourly. IPv6 addresses are currently free, but must be allocated along with an IPv4. ### Caveats From 9c962acc7803dfd521840808fb4fb27e41e84a2f Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Thu, 18 Dec 2025 11:55:58 -0500 Subject: [PATCH 5/5] Update networking/egress-ips.html.md Co-authored-by: Kristin Martin --- networking/egress-ips.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/networking/egress-ips.html.md b/networking/egress-ips.html.md index 7e2a84b01f..7883eba728 100644 --- a/networking/egress-ips.html.md +++ b/networking/egress-ips.html.md @@ -39,7 +39,7 @@ fly ips allocate-egress --app -r This allocates a pair of static egress addresses, IPv4 and IPv6, for your app in a region. If your app has Machines in multiple regions, you must allocate at least 1 app-scoped static egress IP address __per region__. -Only machines located in the same region can use static egress IPs allocated in the region. +Machines can only use static egress IPs that were allocated in their own region.
You can allocate multiple pairs of IPv4 and IPv6 static egress addresses in the same region. Machines will randomly choose a pair from all static egress IPs available in the region.