Internal Networking

3 years ago

Allow for interconnection over a local network between services deployed using metro

Completed

17 Replies

Status changed to Planned jake almost 4 years ago


Status changed to Planned angelo over 3 years ago


3 years ago

You can use tailscale in Railway perfectly fine.


3 years ago

Merged in the Wireguard networking ticket to track this better in one place


jmarbutt
PRO

3 years ago

I think this will make the PR environments much more useful.


3 years ago

I'd like to set up a Railway project with a Postgres database and a few services (a web app, a queue, and a clock process). As a security measure, I'd like to not have the Postgres database exposed to the public internet.
Could internal networking help restrict connections to these clients?

  • other services in the project

  • each environment (staging, production, and PRs)

  • railway connect from development machine

For my use case, a private network at the project level would work great.


3 years ago

Moving this to "In Progress" as we do have an engineer staffed to own this experience all the way through.
However, it's going to take some time. (I know y'all have been waiting long enough already.) In the meantime, we would appreciate any comments on how you would expect this feature to work. (Subnets? Static IPs? Something like GCP Private Network?)
The workaround as of date is to set up a Tailscale sidecar in your service Dockerfile for network isolation.

Status changed to In Progress angelo almost 3 years ago


Anonymous

3 years ago

> Moving this to "In Progress" as we do have an engineer staffed to own this experience all the way through.
> However, it's going to take some time. (I know y'all have been waiting long enough already.) In the meantime, we would appreciate any comments on how you would expect this feature to work. (Subnets? Static IPs? Something like GCP Private Network?)
> The workaround as of date is to set up a Tailscale sidecar in your service Dockerfile for network isolation.

Angelo Saraceno: Could be cool to have something similar to what Docker Compose enables. There, the service name acts as a DNS record which is then available for other services.


Anonymous

3 years ago

> Moving this to "In Progress" as we do have an engineer staffed to own this experience all the way through.
> However, it's going to take some time. (I know y'all have been waiting long enough already.) In the meantime, we would appreciate any comments on how you would expect this feature to work. (Subnets? Static IPs? Something like GCP Private Network?)
> The workaround as of date is to set up a Tailscale sidecar in your service Dockerfile for network isolation.

Angelo Saraceno: Configurable DNS resolving, or, if not, just configurable static IPs in the subnet would be nice.


Anonymous

3 years ago

> Moving this to "In Progress" as we do have an engineer staffed to own this experience all the way through.
> However, it's going to take some time. (I know y'all have been waiting long enough already.) In the meantime, we would appreciate any comments on how you would expect this feature to work. (Subnets? Static IPs? Something like GCP Private Network?)
> The workaround as of date is to set up a Tailscale sidecar in your service Dockerfile for network isolation.

Angelo Saraceno: my 5c
Like Kubernetes internal DNS works.
..svc.cluster.local
In Railway it could be:
..railway.local where service and account would be a unique id and accessible only for that account.


Anonymous

3 years ago

I think since Railway has a sort of node-based system already in the UI, it makes sense to have the setup where you can link services together, which would signify a local private connection between the two connected services. And then you have a "Public/Internet" generic node where services that you want to be public facing can connect to.
This way you can create a visual representation of what your whole system looks like.


Anonymous

3 years ago

> I think since Railway has a sort of node-based system already in the UI, it makes sense to have the setup where you can link services together, which would signify a local private connection between the two connected services. And then you have a "Public/Internet" generic node where services that you want to be public facing can connect to.
> This way you can create a visual representation of what your whole system looks like.

Lekë Dobruna: This is a wonderful idea. I love the visual aspect of it.
To add to this, it's important that you can link different services of different projects together as well (not only services within the same project)
(Or maybe that "public/internal" node could be used to create an internal network address that any of your services/projects can connect to; important to be able to make it private or public)


Anonymous

3 years ago

Angelo Saraceno I was thinking static IPs.


3 years ago

> Angelo Saraceno I was thinking static IPs.

Shane Thacker: Oh this will make it for sure. One thing, we might have to charge for this because IPv4 blocks are now going for some serious cost. (Shortage of everything it seems.)


3 years ago

> I'd like to set up a Railway project with a Postgres database and a few services (a web app, a queue, and a clock process). As a security measure, I'd like to not have the Postgres database exposed to the public internet.
> Could internal networking help restrict connections to these clients?
>
>   • other services in the project
>   • each environment (staging, production, and PRs)
>   • railway connect from development machine
>
> For my use case, a private network at the project level would work great.

Dan Croak: That's the goal.
To clarify, railway connect would be like some sort of SSH? Although we haven't thought through what connecting to that network would look like, it would be cool to optionally deploy a Tailscale exit node to expose your local machine to it.


3 years ago

> I'd like to set up a Railway project with a Postgres database and a few services (a web app, a queue, and a clock process). As a security measure, I'd like to not have the Postgres database exposed to the public internet.
> Could internal networking help restrict connections to these clients?
>
>   • other services in the project
>   • each environment (staging, production, and PRs)
>   • railway connect from development machine
>
> For my use case, a private network at the project level would work great.

Angelo Saraceno: Some kind of Wireguard/Tailscale setup sounds good if the railway CLI handles it for me.
Since I’m auth’ed via railway login on my development machine, are there other ways to piggyback on that credential? Like maybe railway connect kicks off a flow that in some order downloads a Railway ca.pem, connects to my Postgres database via sslmode=verify-full, generates a temporary auth token that can be used for a single PG session as a PG password.
Could be the start of a later just-in-time access request flow for orgs that want expiring access credentials, Slack flows with approval for access, session logging, etc.
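
The flow sketched in the comment above (a pinned CA with sslmode=verify-full, plus a temporary token used as the Postgres password for one session), as an added example that is not part of the thread and not Railway's code. The names `issue_token`, `redeem_token`, `build_dsn`, the signing key and the in-memory nonce store are all hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real broker would keep this in a secrets manager.
SIGNING_KEY = b"constructed-demo-signing-key"
_spent_nonces = set()  # nonces already redeemed (in-memory for the demo)


def issue_token(user, database, ttl_seconds=60, now=None):
    """Mint a short-lived, single-use token to hand out as the PG password."""
    now = time.time() if now is None else now
    claims = {"u": user, "db": database, "exp": int(now) + ttl_seconds,
              "n": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + mac


def redeem_token(token, database, now=None):
    """Return the user name if the token is valid for this database, else None."""
    now = time.time() if now is None else now
    body, _, mac = token.partition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged or altered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"] or claims["db"] != database:
        return None  # expired, or minted for a different database
    if claims["n"] in _spent_nonces:
        return None  # replay: one token, one session
    _spent_nonces.add(claims["n"])
    return claims["u"]


def build_dsn(host, database, user, token, ca_path):
    """libpq connection string that pins the CA and checks the host name."""
    return (f"host={host} dbname={database} user={user} password='{token}' "
            f"sslmode=verify-full sslrootcert={ca_path}")
```

The signature is checked before the claims are parsed, and a token presented for the wrong database is rejected without consuming its nonce.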


3 years ago

> I'd like to set up a Railway project with a Postgres database and a few services (a web app, a queue, and a clock process). As a security measure, I'd like to not have the Postgres database exposed to the public internet.
> Could internal networking help restrict connections to these clients?
>
>   • other services in the project
>   • each environment (staging, production, and PRs)
>   • railway connect from development machine
>
> For my use case, a private network at the project level would work great.

Angelo Saraceno: Tailscale recently released a pgproxy tool (https://tailscale.com/blog/introducing-pgproxy/). Maybe Railway could have a "Tailscale pgproxy" template? And a way to connect Tailscale proxy to your Railway Postgres and restrict Railway's Postgres to only accept connections from the Tailscale proxy's IP?


Anonymous

2 years ago

Hi, how is it going now? Looking forward to the release of this feature.


2 years ago

Status changed to Completed jr almost 2 years ago


Anonymous

2 years ago

https://docs.railway.app/reference/private-networking

Jake Runzer: From the documentation, do I understand correctly it's not possible yet to make my Postgres / Redis private? I would like to not make those accessible from outside Railway. (This seems to be something similar to a lot of other posts that have been merged in.) Thanks!


Anonymous

2 years ago

https://docs.railway.app/reference/private-networking

Jake Runzer just wanted to follow up on this to see if this is possible?


Internal Networking - Railway Help Station