launch firecracker and forward all traffic to it #64

Open
urbien opened this issue Nov 2, 2020 · 3 comments
@urbien

urbien commented Nov 2, 2020

@pirate thank you for your guide!!
I am trying to figure out the following scenario, which Fly.io describes, but never described in a way that can be implemented:

app on mobile / web connects over the internet ->
  public IP addr on some container on bare metal Linux ->
     wireguard (boringtun implementation) ->
        1. checks client is legit and launches VM via FireCracker    
        2. routes encrypted traffic to code in VM

Why Boringtun? Because Windscribe released changes to add a script on client connect:
https://blog.windscribe.com/introducing-wireguard-76a1670700a6
https://github.com/Windscribe/boringtun

@pirate
Owner

pirate commented Nov 3, 2020

If you're OK with having the VM always running, you could put some code in the VM that just sleeps your app until it gets a request.

Otherwise this gets a lot harder to do in a stable way. I assume it takes 10+ sec for the VM to launch, so all your initial traffic is going to time out by the time the VM is up and running.

@urbien
Author

urbien commented Nov 3, 2020

Would it still time out with Firecracker's MicroVM startup time of 125ms?

@urbien
Author

urbien commented Nov 3, 2020

Even better, maybe it is possible to get the IP of the newly launched MicroVM and tell the wireguard client to re-connect directly to the wireguard running in the MicroVM, bypassing a shared wireguard instance. Could this work?
