Internal Networking
complete
Angelo Saraceno
in progress
Moving this to "In Progress" as we do have an engineer staffed to own this experience all the way through.
However, it's going to take some time. (I know y'all have been waiting long enough already.) In the meantime, we would appreciate any comments on how you would expect this feature to work. (Subnets? Static IPs? Something like GCP Private Network?)
The workaround as of date is to set up a Tailscale sidecar in your service Dockerfile for network isolation.
Jake Runzer
complete
Ruud Visser
Jake Runzer: From the documentation, do I understand correctly that it's not possible yet to make my Postgres / Redis private? I would like to not make those accessible from outside Railway. (This seems to be similar to a lot of other posts that have been merged in.) Thanks!
Ruud Visser
Jake Runzer: just wanted to follow up on this to see if this is possible?
larry
Hi, how is it going now? Looking forward to the release of this feature.
Angelo Saraceno
Merged in a post:
Restrict Addon External Access
Evernote
Each addon, like Redis, should have an option to disable connections from services outside the current Railway metro project.
This would be especially useful for production environments since it'd provide an extra layer of security for sensitive data.
Angelo Saraceno
Merged in a post:
private urls for service communications
Mwau Sean
Allow for the creation of private internal URLs that can be used for communication between services. A service can have both public-facing URLs as well as private URLs, and maybe include the opening of additional ports as well.
Shane Thacker
Angelo Saraceno I was thinking static IPs.
Angelo Saraceno
Shane Thacker: Oh this will make it for sure. One thing, we might have to charge for this because IPv4 blocks are now going for some serious cost. (Shortage of everything it seems.)
Lekë Dobruna
I think since Railway has a sort of node-based system already in the UI, it makes sense to have a setup where you can link services together, which would signify a local private connection between the two connected services. And then you have a "Public/Internet" generic node that services you want to be public-facing can connect to.
This way you can create a visual representation of what your whole system looks like.
indominablerexx
Lekë Dobruna: This is a wonderful idea. I love the visual aspect of it.
To add to this, it's important that you can link different services of different projects together as well (not only services within the same project)
(Or maybe that "public/internal" node could be used to create an internal network address that any of your services/projects can connect to; important to be able to make it private or public)
Veeti K
Angelo Saraceno: Could be cool to have something similar to what Docker Compose enables. There the service name acts as a DNS record which is then available to other services.
Agustin Banchio
Angelo Saraceno: Configurable DNS resolving, or if not, just configurable static IPs in the subnet would be nice.
Bruno
Angelo Saraceno: my 5c
Like how Kubernetes internal DNS works:
<service>.<ns>.svc.cluster.local
In Railway it could be:
<service>.<account>.railway.local where service and account would be a unique id and accessible only for that account.
Dan Croak
I'd like to set up a Railway project with a Postgres database and a few services (a web app, a queue, and a clock process). As a security measure, I'd like to not have the Postgres database exposed to the public internet.
Could internal networking help restrict connections to these clients?
* other services in the project
* each environment (staging, production, and PRs)
* railway connect from development machine
For my use case, a private network at the project level would work great.
Angelo Saraceno
Dan Croak: That's the goal.
To clarify, railway connect would be like some sort of SSH? Although we haven't thought through what connecting to that network would look like, it would be cool to optionally deploy a Tailscale exit node to expose your local machine to it.
Dan Croak
Angelo Saraceno: Some kind of WireGuard/Tailscale setup sounds good if the railway CLI handles it for me. Since I'm auth'ed via railway login on my development machine, are there other ways to piggyback on that credential? Like maybe railway connect kicks off a flow that, in some order, downloads a Railway ca.pem, connects to my Postgres database via sslmode=verify-full, and generates a temporary auth token that can be used as the PG password for a single PG session. Could be the start of a later just-in-time access request flow for orgs that want expiring access credentials, Slack flows with approval for access, session logging, etc.
Dan Croak
Angelo Saraceno: Tailscale recently released a pgproxy tool: https://tailscale.com/blog/introducing-pgproxy/ Maybe Railway could have a "Tailscale pgproxy" template? And a way to connect the Tailscale proxy to your Railway Postgres and restrict Railway Postgres to only accept connections from the Tailscale proxy's IP?
Jonathan Marbutt
I think this will make the PR environments much more useful.
Jake Cooper
Merged in the Wireguard networking ticket to track this better in one place