[loloquwowndueo]

One can try to push Fly.io to implement dynamic routing to get persistent outbound IP addresses. This is full of foot guns and dragons.

Or one can push the other vendor to implement vpn support on their side such that their service can talk to Fly.io-hosted ones in an end-to-end secure channel so the actual services can trust that a lot more. This is the solution often suggested in Fly.io forums.

If the other vendor is sending ostensibly private traffic over the public internet and relying on a combination of “the Postgres protocol is safe and passwords are strong enough” and “oh but they really aren’t so we will limit this service to talk to only one IP address” it seems to me it’s them who should be nudged towards a more secure and versatile solution.