Right now I’m using firewall rules on my AWS RDS db and external Redis db to only allow incoming connections from my droplets.
Switching to the App Platform, how can this be handled? Since there doesn’t seem to be an option to assign a static IP (or a set of IPs) to the containers that are spun up, I would have to update the list of allowed IPs each time in an after deploy job I guess?
Is that the recommended approach?
If so, how can I access the container’s IP in the job? I don’t see an env var for this…

2 answers

App Platform apps do not have static IPs. We’ve heard requests for static IPs as an add-on feature and are considering it. In the meantime, we recommend using TLS encryption and strong authentication to secure connections to external resources.

  • Ok thanks!

    I could imagine that lots of people have this requirement. Since DO already provides floating IPs for droplets, I kinda expected to be able to assign an IP to an app/container as well. :)

    Is there a way to access the container’s IP in an after-deploy job?

    • I have the same issue. I set up a managed Postgres cluster and I want it shared by a couple of App Platform apps, so I want to restrict access to just those apps.

      After you’ve deployed your App Platform app, I found that you can go to the Console tab and run ifconfig and look for the IP address listed under inet addr.

      Doesn’t seem very useful if we can’t guarantee that it will always have the same IP, though.

      If I could create a managed Postgres instance in the same VPC as my App Platform applications then I could use the private connection hostname instead of the public one, but it doesn’t look like we can group App Platform and other managed resources into the same VPC, unless anyone knows different?

      • The IPs shown with ifconfig (or ip addr) are not publicly routable and will change as new updates are deployed or during maintenance.

        VPC support is not currently available but is on our roadmap. We’re also looking at allowing App Platform applications to be listed as trusted-sources for our managed databases. Both features are being researched and no firm timeline has been publicly released.

        • Agreed - that shows the IP of the container, but it’s not usable in this scenario.

          It’s a shame - this is a complete show-stopper. We can’t afford to have our databases publicly accessible.

    • You might be able to find the public IP using a tool like OpenDNS’s myip by running dig +short myip.opendns.com @resolver1.opendns.com.

      That said, I would caution you in using this approach for building firewall rules. First, and most importantly, traffic from other App Platform apps may egress with the same public IP address. Also, there’s not necessarily a 1-to-1 mapping of app instances to public IP addresses. App Platform may reschedule containers if the underlying host becomes unhealthy, for maintenance, or rebalancing resources. When possible, to avoid downtime we first start the new replacement containers before terminating the old. This means two or more containers may be running for a brief period. We also use a similar strategy when rolling out new deployments of your app.

      For this same reason, we cannot assign a floating-IP or other stable IP directly to your application. It defeats the technologies we use to keep your application up and safe.

      Our long-term plans include VPC support for App Platform which would let you communicate with your database on a private network. We’re also considering allowing App Platform apps to be specified as trusted-sources in the managed database product.

  • Please add static IP; a lot of services require static IP :(
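The answer above recommends TLS encryption and strong authentication in place of an IP allowlist. The following is an added example, not part of the thread or DigitalOcean's own code: a startup check that refuses connection URLs which would permit plaintext or unverified TLS. It assumes the app reads `DATABASE_URL` and `REDIS_URL` (hypothetical variable names), that Postgres is reached through a libpq-based driver, that Redis is reached through redis-py, and that credentials are carried in the URL.

```python
from urllib.parse import urlsplit, parse_qs


def audit_connection_url(url):
    """Return a list of findings for a postgres:// or redis:// style URL."""
    parts = urlsplit(url)
    query = {k: v[-1].lower() for k, v in parse_qs(parts.query).items()}
    findings = []

    if parts.scheme in ("postgres", "postgresql"):
        # libpq defaults to sslmode=prefer, which silently falls back to
        # plaintext; only verify-full checks both the CA chain and hostname.
        sslmode = query.get("sslmode", "prefer")
        if sslmode != "verify-full":
            findings.append(f"sslmode={sslmode}: server identity is not fully verified")
    elif parts.scheme == "redis":
        findings.append("redis:// is plaintext; use rediss:// for TLS")
    elif parts.scheme == "rediss":
        # redis-py accepts ssl_cert_reqs in the URL; "none" disables verification.
        if query.get("ssl_cert_reqs", "required") != "required":
            findings.append("ssl_cert_reqs disables or weakens certificate verification")
    else:
        findings.append(f"unrecognised scheme {parts.scheme!r}")

    # With no source-IP allowlist, the credential is the only client check.
    # Assumption: the password travels in the URL rather than a separate variable.
    if not parts.password:
        findings.append("no password in URL: connection is unauthenticated")
    return findings


def audit_environment(env, names=("DATABASE_URL", "REDIS_URL")):
    """Map each variable name to its findings; a missing variable is a finding."""
    report = {}
    for name in names:
        value = env.get(name)
        report[name] = audit_connection_url(value) if value else ["variable not set"]
    return report


# Constructed sample values (hostnames and passwords are placeholders).
SAMPLE_ENV = {
    "DATABASE_URL": "postgresql://app:s3cret@db.example.com:5432/prod?sslmode=require",
    "REDIS_URL": "redis://cache.example.com:6379/0",
}

if __name__ == "__main__":
    report = audit_environment(SAMPLE_ENV)
    for name, findings in report.items():
        for finding in findings:
            print(f"{name}: {finding}")
    raise SystemExit(1 if any(report.values()) else 0)
```

In a real deployment, pass `os.environ` instead of `SAMPLE_ENV` and run the check before the app opens any connection, so a misconfigured URL fails the deploy rather than connecting insecurely.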

Facing the same issue. I need to redirect the non-www to www domain using the App Platform of DigitalOcean. I had to migrate because of this reason of static IPs. Can the DO team share when it will be published for end-users?