
How We Implemented the Dedicated Egress Feature on App Platform

Blog post from DigitalOcean

Post Details
Author: Zach Eddy
Word Count: 1,018
Language: English
Summary

A Sr. Software Engineer at DigitalOcean has implemented a feature called Dedicated Egress on the App Platform, which allows users to route outbound app traffic through a fixed public IP that is not shared by other App Platform users or apps. This addresses security concerns by allowing users to control the source IP address of their app's network traffic. Building the feature meant solving two main technical challenges: allocating and assigning public IP addresses to dedicated egress-enabled apps, and routing egress app traffic via these public IP addresses. To achieve this, DigitalOcean created gateway Droplets that are paired with an app and use Network Address Translation (NAT) to change the source IP address of packets, and configured networking on Kubernetes workers using Container Network Interface (CNI) plugins. The feature provides high availability by creating two Droplets per app and automatically pivoting egress traffic to a healthy gateway Droplet if one is offline.