3 months ago
Important: if this whole question makes me sound like someone very comfortable with a lot of details, that's just because after a lot of back and forth with Claude about my issue, and after I drafted what I wanted to ask, I then asked Claude to improve it. That's why it may sound like I'm more experienced than I actually am, but I wanted it to be well structured to make my question easier to understand, coming from a "newbie" 😉
As someone newer to deployment, I'm learning as I go, and I want to make sure that once something is working and authorized, I won't have to worry that in the future hundreds of users try to sign up but can't because Railway's IP changed. Until I notice the email notification, those users can't sign up and I have no way to reach them. Hope that context helps frame my questions.
My setup:
- GitHub Codespaces for development on a dev branch
- Railway Hobby plan for hosting, with separate staging and production services
- Brevo for transactional emails (signup verification, password reset) via their HTTP API
- Brevo API key stored as an environment variable in Railway's Variables
What happened: Everything worked fine in development (Codespaces). After merging dev into main and Railway deploying to production, the first signup attempt triggered a Brevo security email about an unauthorized IP (Railway's). I authorized it and everything works now, but Brevo assigned a /24 range around that IP.
What I've been told by Claude, and want to confirm with the community:
- On the Hobby plan, Railway's outbound IP is not guaranteed to stay the same
- Each Railway service (staging, production) may have a different IP, meaning authorizing staging's IP doesn't guarantee production's IP falls within the same /24 Brevo authorized
- Railway's infrastructure per region spans a /23 block, which is larger than the /24 Brevo auto-assigns, meaning Railway could assign an IP within their range but outside what Brevo authorized
Here's some information about Brevo, if that helps: https://help.brevo.com/hc/en-us/articles/5740111683858-Authorize-and-block-IP-addresses-for-API-security
My questions:
1. Do staging and production services in the same Railway region reliably share the same IP range? If so, would authorizing once in Brevo be enough to cover both?
2. Since my Brevo API key is stored securely in Railway's Variables and never exposed publicly, is it safe to disable IP restriction in Brevo entirely? This would disable it across all apps I build, so is that an acceptable security tradeoff?
3. Is there a way to get notified of Railway IP changes automatically, so I can re-authorize in Brevo before it affects real users?
What's the recommended approach for someone on the Hobby plan who wants signup and email flows to work reliably without manual intervention?
Thank you!
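As an added example (not code from the original post, Railway or Brevo), here is a small Python check for question 3 that a cron job or deploy hook could run: it looks up the service's current outbound IP and tests whether it falls inside the ranges already authorized in Brevo, exiting non-zero so the job can alert before users hit a blocked signup. The addresses are constructed documentation ranges, not real Railway IPs; the /23 block is the unverified assumption from the question, and the `api.ipify.org` lookup is an assumed public "what is my IP" endpoint, not anything Railway provides.

```python
import ipaddress
import os
import sys
import urllib.request

# Constructed sample values (documentation ranges, not real Railway/Brevo addresses).
AUTHORIZED_BY_BREVO = ["203.0.113.0/24"]      # the /24 Brevo auto-assigned
ASSUMED_RAILWAY_BLOCK = "203.0.112.0/23"      # the /23 the question assumes (unverified)


def is_authorized(ip, authorized_cidrs):
    """Return True if `ip` lies inside any CIDR range in `authorized_cidrs`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in authorized_cidrs)


def uncovered_addresses(provider_block, authorized_cidrs):
    """Count addresses in the provider's block that the allowlist does not cover.

    Shows concretely why a /24 allowlist cannot cover a /23 egress pool."""
    block = ipaddress.ip_network(provider_block, strict=False)
    nets = [ipaddress.ip_network(c, strict=False) for c in authorized_cidrs]
    return sum(1 for a in block if not any(a in n for n in nets))


def check_egress(ip, authorized_cidrs):
    """Return a status dict suitable for logging or alerting."""
    return {
        "egress_ip": ip,
        "authorized": is_authorized(ip, authorized_cidrs),
        "allowlist": list(authorized_cidrs),
    }


def fetch_egress_ip(url="https://api.ipify.org"):
    """Ask an external echo service which public IP our requests leave from.

    Assumed endpoint: any plain-text 'what is my IP' service works here."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("ascii").strip()


if __name__ == "__main__":
    # Allowlist can be overridden from the environment so staging and
    # production can each carry the ranges Brevo authorized for them.
    allowlist = os.environ.get("BREVO_AUTHORIZED_CIDRS", ",".join(AUTHORIZED_BY_BREVO)).split(",")
    status = check_egress(fetch_egress_ip(), allowlist)
    print(status)
    # Non-zero exit lets a scheduled job raise an alert before users are affected.
    sys.exit(0 if status["authorized"] else 1)
```

Run it on a schedule from the same service whose egress IP matters (staging and production separately, since the thread notes they may differ); a failing exit is the signal to re-authorize in Brevo.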
2 Replies
Status changed to Awaiting Railway Response Railway • 3 months ago
3 months ago
Where did you get the information that Railway’s IP spans /23?
Only Pro plans are guaranteed static outbound IPs. Nothing can be guaranteed for Hobby, Free, or Trial plans.
Aside from upgrading to Pro, you'd need to find an alternative way to authorize Railway requests to Brevo other than using IP/IP ranges. If they don't offer that option, I'd recommend using a different service such as Resend or Mailtrap.
3 months ago
The /23 information was Claude's assumption. As I mentioned, I'm still learning, so a few things are still a bit new to me. I assumed Claude's information was reliable enough. Maybe not?
Today I spent a little bit more time asking Claude and ChatGPT about this. I asked all the questions, challenged both with different cases, etc. It seems that as long as I'm using the API (which I am) and I don't share it or no one steals it, I can disable the Blocking unauthorized IP addresses feature in Brevo. The API is already being used in a Railway variable, so I guess that's the way to do it to keep it safe? I also have it saved in my password manager, so it's also protected with a strong password.
As a new project, it's still not worth it upgrading to Railway Pro to get the static IP. Eventually, I will and when that happens, then I will enable Blocking unauthorized IP addresses in Brevo again and add that static IP.
I checked the mail services you mentioned, but for the things I'm building, including my Discourse installations, I need multiple domains, which Brevo provides. The two you mentioned are limited when it comes to this on their free plans.
So, I guess that for now this is a good approach? API in a variable, disable the blocking feature?
