Static Outbound IPs Not Working

a month ago

We're seeing outbound requests from our application use IPs that are not the one we have configured. This is causing 401s with an upstream service as it allows only a single IP per API key.

The earliest instance we have of this is June 3rd at 09:18 UTC and it appears to be ongoing. See second image for the actual IPs this service was receiving requests from.

FWIW, we host this service on Railway in a different project. The project linked to this help thread is the one with the configured static outbound IP.

image.png

image.png

34 Replies

a month ago

During build the static IP is not used.


a month ago

It's not during build.


a month ago

It would be during build.


a month ago

Our last deployment was 18 hours ago, all of the 401s we've seen are since then.


a month ago

Tho I'll clarify that in my original post I typo'd June 2nd instead of June 3rd - this started today.


a month ago

(I'll fix that)


a month ago

Besides, all of these outgoing requests are user-triggered which can only happen from an active deployment.


a month ago

That is a DataCamp IP. We use DataPacket for builds; zero user workloads run on them.


a month ago

I promise you that these requests are not occuring during builds. We have 0 code paths that could ever hit this. It requires an active user session which simply could not exist at build time, unless your build agents know how to OAuth login with Google.


a month ago

It is occurring during some build somewhere on the platform, again we do not run user workloads on DataPacket.


a month ago

Nor do we run the egress gateways on DataPacket.


a month ago

root@57ffbad2fe04:/var/www# wget -O - https://utilities-eu-west.up.railway.app/raw
--2026-06-03 20:48:02--  https://utilities-eu-west.up.railway.app/raw
Resolving utilities-eu-west.up.railway.app (utilities-eu-west.up.railway.app)... 69.46.46.76
Connecting to utilities-eu-west.up.railway.app (utilities-eu-west.up.railway.app)|69.46.46.76|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 399 [text/plain]
Saving to: 'STDOUT'

-                                       0%[                                                                        ]       0  --.-KB/s               GET /raw HTTP/1.1
Host: utilities-eu-west.up.railway.app

Accept: */*
Accept-Encoding: identity
User-Agent: Wget/1.21.3
X-Forwarded-For: 162.220.234.15, 89.222.103.194
X-Forwarded-Host: utilities-eu-west.up.railway.app
X-Forwarded-Proto: https
X-Railway-Edge: railway/us-east4-eqdc4a
X-Railway-Request-Id: eMV12z-GSWSFQAqfO8poTA
X-Real-Ip: 162.220.234.15
X-Request-Start: 1780519682973
-                                     100%[=======================================================================>]     399  --.-KB/s    in 0s      

2026-06-03 20:48:03 (67.6 MB/s) - written to stdout [399/399]

a month ago

X-Forwarded-For: 162.220.234.15, 89.222.103.194


a month ago

Thats inbound, this thread's title says outbound.


a month ago

I mean, it's technically both I guess. We send a request from a service in one project, out over its public URL, and then back into a service in another project.


a month ago

It at least appears that the outbound IP is incorrect.


a month ago

I get what you are saying, but it's not both; they are very distinct.

89.222.103.194 in X-Forwarded-For is the CDN's IP.


a month ago

I gave this answer with the limited information available at the time, so with this new information, this is no longer correct.


a month ago

That's my bad, I didn't think to actually hit it in the terminal.


a month ago

The application is likely using X-Forwarded-For, not X-Real-Ip


a month ago

But I am confused why it has worked for weeks and suddenly the extra IP has come in <:thinkingbread:935682467124359258>


a month ago

Also, friendly bit of insider information, since you said "only a single IP per API key."

See that "Enable HA Static IPs" button? Eventually, that will be automatically enabled for all workloads in the future and then you will need to whitelist multiple IPs. We will, of course, send out multiple communications long before this happens, so me saying this is just giving you an extra long heads-up.

So in short, modify your code to use X-Real-IP and accept multiple IPs for the allowlist.



a month ago

I appreciate that, but unfortunately this is an off-the-shelf product we use for support ticket handling. I can maybe write a patch for the build stage to fix it up, but time is against me. <:madman3D:605090841102647297>


a month ago

Totally missed it. 😂 It's been a mad few weeks. <:Peepo_Cry:832227339161174027>


a month ago

We haven't even put a date on the hard cutover; you have plenty of time.


a month ago

My favourite solution to this would be inter-project networking, but we can dream ;P


a month ago

Anyways, I appreciate your help in figuring this out! Thanks so much! ❤️


a month ago

Maybe the best solution is to not use IP allowlists. You don't need to be a Railway employee to know that anyone can get the same IPs you are using just by paying for Pro.


a month ago

Could technically be done with Tailscale.


a month ago

I'll just disable the IP check I think. Never been a fan of them anyway. The key itself is large enough that I doubt it'll ever matter.


a month ago

Sounds good


a month ago

And it's a write-only API anyway, so what are they gonna do... send us support requests? 😂


a month ago

As a support engineer, that is about the worst thing you can have happen to you.


Welcome!

Sign in to your Railway account to join the conversation.

Loading...