Private Networking

Private Networking refers to a feature within Railway that enables private communication between services in a project and environment. This is helpful for situations where you want to have a public gateway for your API but leave internal communication private.

How it works

Under the hood, Railway uses encrypted WireGuard tunnels to create an IPv6 mesh network between all services within an environment. This allows traffic to route between services without exposing ports publicly.

Note: You cannot use private networking to communicate with services in other environments.

Internal DNS

Every service in a project and environment gets an internal DNS name under the railway.internal domain that resolves to the internal IP address of the service.

This allows communication between services in an environment without exposing any ports publicly. Any valid IPv6 traffic is allowed, including UDP, TCP and HTTP.

Caveats

During the feature development process we found a few caveats that you should be aware of:

  • Private networking is not available during the build phase.
  • You will need to establish a WireGuard tunnel to external services if you wish to vendor requests in your application.
  • You will need to bind to an IPv6 port to receive traffic on the private network.
  • Private networking is enabled automatically for new projects/environments. If you want to use private networking in an existing environment, you will have to enable it manually in the settings panel of one of the environment services.
  • Private networks take 100ms to initialize on deploy; we ask that you set initial requests on a retry loop.
  • We don't support IPv4 private networking.
  • Alpine-based images may not work with our internal DNS due to how it performs resolution. Click here for a workaround.
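
The IPv6 binding and retry-loop caveats above, sketched in Python as an added example (not Railway's own code). The service name api.railway.internal, port 8080, the attempt count and the doubling backoff are assumptions made for illustration.

```python
import socket
import time

def listen_private(port, backlog=16):
    """Bind to the IPv6 wildcard (::) so peers on the private network can connect."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("::", port))
    srv.listen(backlog)
    return srv

def connect_v6(host, port, timeout=2.0):
    """Resolve IPv6 addresses only (the private network has no IPv4) and connect."""
    last_err = None
    for family, kind, proto, _, addr in socket.getaddrinfo(
            host, port, socket.AF_INET6, socket.SOCK_STREAM):
        sock = socket.socket(family, kind, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
            return sock
        except OSError as err:
            last_err = err
            sock.close()
    raise last_err or OSError("no IPv6 address for " + host)

def connect_with_retry(host, port, attempts=5, delay=0.1,
                       connect=connect_v6, sleep=time.sleep):
    """Retry the first connection while the private network initializes.

    Returns (socket, attempts_used); re-raises the last error once attempts
    run out. DNS failures (socket.gaierror) are OSError subclasses too.
    """
    for n in range(1, attempts + 1):
        try:
            return connect(host, port), n
        except OSError:
            if n == attempts:
                raise
            sleep(delay * 2 ** (n - 1))  # assumed backoff: 0.1s, 0.2s, 0.4s, ...

if __name__ == "__main__":
    # Hypothetical service name and port, constructed for illustration.
    sock, tries = connect_with_retry("api.railway.internal", 8080)
    print("connected after", tries, "attempt(s)")
    sock.close()
```

Only the first request after a deploy needs the retry wrapper; a listener created with listen_private accepts IPv6 connections only, which is what the private network carries.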

Support

For information on how to use Private Networking, check out this guide.
