Autostart and autostop private apps

You have a private, or internal, app that communicates only with other apps on your private network. This private app might be a database, authentication server, or any other “backend” app that you don’t want exposed to the public Internet. You want the app’s Machines to stop when they’re not serving requests from your other apps, and start again automatically when needed.

To use the Fly Proxy autostart and autostop feature you need to configure services in fly.toml, like you would for a public app. But instead of using a public Anycast address, you assign a Flycast address to expose those services only on your private network.

This blueprint focuses on using autostart and autostop to control Machines based on incoming requests. But when you use Flycast for private apps you also get other Fly Proxy features like geographically aware load balancing.

Learn more about Flycast.

Create a new private app with a Flycast address

When you run fly launch to create a new app, it automatically assigns your app a public IPv6 address and a shared public IPv4 address. If you know your app won’t need to be reachable from the Internet, you can inform Fly Launch with the following option:

fly launch --no-public-ips

Then allocate a Flycast address to your app:

fly ips allocate-v6 --private

Next steps: Configure and deploy a private app.

Use Flycast for an existing app

If you already have an app and you want to make it private and use Flycast, it’s important to make sure you remove the app’s public IP addresses.

Add a Flycast address

fly ips allocate-v6 --private

Remove public IP addresses

List your IPs to check whether your app has public IP addresses:

fly ips list

Example output:

VERSION IP                      TYPE                REGION  CREATED AT
v6      2a09:8280:1::2d:1111    public (dedicated)  global  Sep 1 2023 19:47
v6      fdaa:2:45b:0:1::11      private             global  Mar 16 2024 18:20
v4      66.241.124.11           public (shared)             Jan 1 0001 00:00

This example app has public IPv4 and IPv6 addresses. These are the addresses automatically assigned to an app on first deploy.

Copy the public IP addresses and run the release command to remove them from your app:

fly ips release <ip address> <ip address> ...

For example:

fly ips release 2a09:8280:1::2d:1111 66.241.124.11

Next steps: Configure and deploy a private app below.

Configure and deploy a private app

Whether you’re creating a new app or making an existing app private, there are a few things you’ll need to check or configure.

Add services in your fly.toml config file

If your app was private, you might not have configured an [http_services] or [services] section in fly.toml because you didn’t want it reachable through the public Internet. Now that you removed the public IPs, you can safely add services to allow access to the app on your private network and enable Fly Proxy to control Machines and load balance traffic.

Here’s an example fly.toml snippet:

[http_service]
  # the port on which your app receives requests over the 6PN
  internal_port = 8081
  # must be false - Flycast is http-only
  force_https = false
  # Fly Proxy stops Machines based on traffic
  auto_stop_machines = true
  # Fly Proxy starts Machines based on traffic
  auto_start_machines = true
  # Number of Machines to keep running in primary region
  min_machines_running = 0
  [http_service.concurrency]
    type = "requests"
    # Fly Proxy uses this limit to determine Machine excess capacity
    soft_limit = 250

Important: Set force_https = false since Flycast only works over HTTP. HTTPS isn’t necessary because all your private network traffic goes through encrypted WireGuard tunnels.

Learn more about Fly Launch configuration and the autostart and autostop feature.

Make sure your app binds to 0.0.0.0:<port>

To be reachable by Fly Proxy, an app needs to listen on 0.0.0.0 and bind to the internal_port defined in the fly.toml configuration file.

Deploy the app

Run fly deploy for the configuration changes to take effect.

Other apps in your organization can now reach your private app using the Flycast IP address or <appname>.flycast.

Read more

We’ve talked about Flycast in some past blog posts: