I've been trying to set up a prometheus collector for a Redpanda cluster that can be accessed via public HTTPS, but I keep getting TCP_INVALID_SYN errors. The Railway agent told me this:

This is a Railway infrastructure issue, not a config problem. The pattern is clear:

srcAddr: 3.136.56.55 — Railway's egress IP (consistent across all errors)

dstAddr: 10.x.x.x — Internal Railway network address (different each time)

dropCause: TCP_INVALID_SYN — Railway's edge is rejecting the outbound connection

The problem: Your collector's outbound traffic is being routed through Railway's internal network instead of the public internet, even though you're trying to reach a public Redpanda endpoint.

This is a routing/NAT misconfiguration at Railway's edge. The connection is being intercepted and dropped before it reaches the actual Redpanda server.

Immediate actions:

Contact Railway support with these details:

Service ID: 12064de1-2476-40bb-b1d2-3b0810560790

Target endpoint: console-blah.byoc.prd.cloud.redpanda.com:443

Error: TCP_INVALID_SYN on outbound HTTPS to public endpoint

This appears to be a routing issue where egress traffic is being looped back through internal Railway IPs