I put one startup on fly.io just because it was too difficult to communicate AWS intricacies to the founders. I'm OK having a fixed secret to authorize client A to talk to API B where needed, and the actual inner network is all inside WireGuard tunnels, automatically provided by Fly.