Reference
Edge Network

Edge Network: Load Balancing and TLS

All Koyeb Apps are automatically accessible via a subdomain of koyeb.app routed via our Global Edge Network. Subdomains are constructed using the following format:

<YOUR_APP_NAME>-<YOUR_KOYEB_ORG>-<HASH>.koyeb.app

Our Global Edge Network provides native load balancing, TLS encryption.

HTTP load balancing

Koyeb's Edge Network provides global load balancing for applications running on the platform.

Koyeb allows you to deploy multiple Instances of your Services to various regions for availability and scaling. Within a region, requests are load balanced between all healthy Instances of the Service. If no healthy Instances are available within the region, the request may be passed to Instances in another region.

Routing and HTTP paths

When you deploy a publicly accessible Service, you define which ports it listens on and which HTTP paths should route to it.

Requests made to Services are first directed to the edge location closest to the request's origin. At the edge, routing rules are evaluated and the request is forwarded to the nearest region where the Service is deployed.

Subpaths

If you route a subpath (for example, /api/) of your domain instead of the root path (/), the path prefix will be stripped from the request when it is passed to your Service.

For example, suppose that your App domain is myapp-myorg-hash.koyeb.app and you route requests for /api/ to your Service. Requests made to https://myapp-myorg-hash.koyeb.app/api/ will be seen by your Service as https://myapp-myorg-hash.koyeb.app/:

Here are few more examples to illustrate the routing behavior:

  • A request for https://myapp-myorg-hash.koyeb.app/api/list will be passed to the Service as https://myapp-myorg-hash.koyeb.app/list
  • A request for https://myapp-myorg-hash.koyeb.app/api/resource/list will be passed to the Service as https://myapp-myorg-hash.koyeb.app/resource/list

Headers that Koyeb sets

Koyeb sets the standard x-forwarded-for and x-forwarded-host headers for requests to your application so that you can identify the IP address of the client and the original domain they requested.

We follow the standard for x-forwarded-for headers and append the IP which was used to connect to Koyeb to the end of the header. From a security perspective, the last IP of the x-forwarded-for is the only IP we can certify as valid.

Built-in TLS

When you create an App with a public Service, external connections to the Service using the Service's koyeb.app subdomain are automatically encrypted with TLS.

TLS connections are terminated at the edge to increase performance and are securely transported within the encrypted Service Mesh to your application.

Unencrypted HTTP connections

Koyeb's Edge Network does not automatically redirect HTTP traffic to HTTPS.

If you use the Service's .koyeb.app subdomain however, browsers will automatically use HTTPS because the .app top-level domain is included on the HSTS preload list (opens in a new tab). HTTP connections can be made using a CLI tool like curl or in your code.

If you would like to redirect all HTTP traffic to HTTPS, you can vote and track this feature on our public roadmap (opens in a new tab).

Service Mesh & DiscoveryLocal SSD Storage