2025-02-12 · fly.io

JIT WireGuard

Source: fly.io Date: 2025-02-12 URL: https://fly.io/blog/jit-wireguard-peers/

Summary

Engineering writeup on Fly.io’s “JIT WireGuard” system: peer configurations are now fetched on-demand when clients connect rather than pre-provisioned to all gateways. Gateways intercept incoming WireGuard handshake packets via BPF filters, decrypt the initiator’s public key using the Noise Protocol, and fetch matching peer config just-in-time from their API. This reduced stale peer counts on production gateways from hundreds of thousands to near-zero.
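The step the summary describes, a gateway opening the initiator's static key out of a captured WireGuard handshake-initiation message before it knows who the peer is, as an added example that is not Fly.io's code. It follows the published WireGuard/Noise IK construction, assumes the `cryptography` package, and uses constructed gateway and peer keys; the peer-config fetch that would follow is left out.

```python
import hashlib, hmac, struct
from cryptography.hazmat.primitives import serialization  # assumed installed; not stdlib
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

CONSTRUCTION = b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
IDENTIFIER = b"WireGuard v1 zx2c4 Jason@zx2c4.com"
LABEL_MAC1 = b"mac1----"
NONCE0 = bytes(12)  # AEAD counter 0 as the 12-byte ChaCha20-Poly1305 nonce

def H(*parts): return hashlib.blake2s(b"".join(parts)).digest()
def raw(pub): return pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
def dh(priv, pub_bytes): return priv.exchange(X25519PublicKey.from_public_bytes(pub_bytes))
def mac1(resp_pub, data): return hashlib.blake2s(data, digest_size=16, key=H(LABEL_MAC1, resp_pub)).digest()

def kdf(key, inp, n):  # WireGuard KDF_n: HMAC-BLAKE2s chain yielding n 32-byte keys
    t0, prev, out = hmac.new(key, inp, hashlib.blake2s).digest(), b"", []
    for i in range(1, n + 1):
        prev = hmac.new(t0, prev + bytes([i]), hashlib.blake2s).digest(); out.append(prev)
    return out

def ik_state(resp_pub, eph_pub):  # Noise IK (c, h) once S_pub_responder and E_pub_initiator are mixed in
    c = H(CONSTRUCTION); h = H(H(c, IDENTIFIER), resp_pub)
    return kdf(c, eph_pub, 1)[0], H(h, eph_pub)

def build_initiation(init_static, resp_pub, sender_index=0x1234):
    """Initiator side, used only to construct a realistic 148-byte test message."""
    eph = X25519PrivateKey.generate()
    c, h = ik_state(resp_pub, raw(eph.public_key()))
    c, k = kdf(c, dh(eph, resp_pub), 2)
    enc_static = ChaCha20Poly1305(k).encrypt(NONCE0, raw(init_static.public_key()), h)
    c, k = kdf(c, dh(init_static, resp_pub), 2)
    enc_ts = ChaCha20Poly1305(k).encrypt(NONCE0, bytes(12), H(h, enc_static))  # TAI64N zeroed here
    body = struct.pack("<BxxxI", 1, sender_index) + raw(eph.public_key()) + enc_static + enc_ts
    return body + mac1(resp_pub, body) + bytes(16)  # mac2 is zero when no cookie is in play

def recover_initiator_static(msg, resp_priv):
    """Gateway side: cheap mac1 check, then just enough of the responder's Noise IK to open
    the encrypted static field. Returns the initiator's 32-byte public key or None."""
    if len(msg) != 148 or msg[0] != 1: return None  # not a handshake initiation
    resp_pub = raw(resp_priv.public_key())
    if not hmac.compare_digest(mac1(resp_pub, msg[:116]), msg[116:132]): return None  # not for us
    eph_pub, enc_static = msg[8:40], msg[40:88]
    c, h = ik_state(resp_pub, eph_pub)
    c, k = kdf(c, dh(resp_priv, eph_pub), 2)
    try: return ChaCha20Poly1305(k).decrypt(NONCE0, enc_static, h)
    except Exception: return None  # InvalidTag: bogus or tampered initiation

def demo():  # constructed gateway and peer keys; returns (recovered ok, corrupted static rejected)
    gateway, peer = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    msg = build_initiation(peer, raw(gateway.public_key()))
    bad = msg[:40] + bytes([msg[40] ^ 1]) + msg[41:116]  # flip a bit inside encrypted_static
    bad += mac1(raw(gateway.public_key()), bad) + bytes(16)  # mac1 recomputed, so only the AEAD catches it
    return recover_initiator_static(msg, gateway) == raw(peer.public_key()), recover_initiator_static(bad, gateway) is None
```

The mac1 check is what lets a gateway discard initiations not addressed to its own key before spending a Diffie-Hellman on them; only messages that pass it reach the decrypt and, in the system described above, the on-demand peer lookup.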

Implications

Edge deployment economics / infrastructure substrate. WireGuard mesh networking is how Fly.io connects its global fleet — this fix is load-bearing for the platform’s scale. JIT peer provisioning is also the kind of technique that becomes necessary when the network has to support thousands of ephemeral agent VMs (Sprites, Machines) that spin up and tear down constantly. Static peer pre-provisioning doesn’t survive that workload. The deeper implication: the networking layer Fly is building is designed for churn — which is exactly what agent-heavy workloads produce. Vercel and Render’s networking stacks aren’t designed for this, which is a durable infrastructure advantage for Fly in the agent runtime space.