RailwayDocs

How Private Networking Works

Railway's private networking creates secure, isolated communication channels between services within a project environment, without exposing traffic to the public internet.

Architecture overview

Under the hood, Railway uses encrypted Wireguard tunnels to create a private mesh network between all services within an environment. This allows traffic to route between services without exposing ports publicly.

Internal DNS

Every service in a project and environment gets an internal DNS name under the railway.internal domain that resolves to the internal IP addresses of the service.

DNS resolution

  • New environments (created after October 16, 2025): DNS names resolve to both internal IPv4 and IPv6 addresses
  • Legacy environments: DNS names resolve to IPv6 addresses only

The DNS name follows the pattern: <service-name>.railway.internal

For example, a service named api would be reachable at api.railway.internal.

Supported traffic

Any valid IPv6 or IPv4 traffic is allowed over the private network, including:

  • TCP - HTTP, databases, custom protocols
  • UDP - Real-time applications, game servers
  • HTTP/HTTPS - Web services, APIs

Note: When communicating internally, use http:// rather than https:// since traffic is already encrypted via Wireguard.

Encryption & security

All traffic between services is encrypted using Wireguard, a modern VPN protocol known for its:

  • Strong encryption: Uses state-of-the-art cryptography (ChaCha20, Curve25519, BLAKE2s)
  • Performance: Minimal overhead compared to other VPN protocols
  • Simplicity: Small attack surface with ~4,000 lines of code

Traffic never leaves Railway's infrastructure and is not exposed to the public internet.

Network isolation

Private networks are isolated at the project and environment level:

  • Services in different projects cannot communicate over the private network
  • Services in different environments (e.g., production vs staging) cannot communicate over the private network
  • Each environment has its own isolated network namespace

This isolation ensures that:

  • Production and development environments remain separate
  • Multi-tenant projects don't leak data between customers
  • Security boundaries are enforced at the infrastructure level

Build VS. Runtime

Private networking is only available at runtime, not during the build phase. This means:

  • Build scripts cannot reach other services over the private network
  • Database migrations that require internal connectivity should run as part of the start command, not the build
  • Health checks and service discovery happen after deployment

Performance characteristics

Private networking offers several performance advantages:

  • Lower latency: Traffic stays within Railway's infrastructure
  • No public internet hops: Direct service-to-service communication
  • No egress costs: Internal traffic doesn't count toward egress billing