Network Edge

Overview

The ngrok network edge is the globally distributed infrastructure that ngrok operates. It accepts incoming traffic to your services' endpoint URLs, applies your module configurations and routes those connections to the appropriate connected ngrok agents.

Points of Presence

ngrok's globally distributed network edge runs on points of presence all around the world to enable fast, low-latency traffic to your applications.

We continuously expand our regional points of presence. As we add each new point of presence, your applications become faster for global customers without any changes. The current points of presence are:

| Region Code | Location |
| --- | --- |
| ap | Asia/Pacific (Singapore) |
| au | Australia (Sydney) |
| eu | Europe (Frankfurt) |
| in | India (Mumbai) |
| jp | Japan (Tokyo) |
| sa | South America (São Paulo) |
| us | United States (Ohio) |
| us-cal-1 | United States (California) |

IP Addresses

IPs used by the ngrok edge are dynamic. They may change frequently and without notice. There are no static IPs. If you hardcode any of ngrok's IPs or rely on DNS records past their TTL, your applications will break. There is no API to query ngrok's IPs at this time.

When you resolve any of ngrok's IPs via DNS, you will receive a partial list of IPs because ngrok uses global server load balancing, which means that DNS queries will return different sets of IPs depending on where you are located in the world.

For the avoidance of doubt, this includes but is not limited to all IPs used by Domains, TCP Addresses, Agent Ingress, the Dashboard and API.

Please contact us if you need dedicated static IPs for a custom agent ingress address.

IPv6 Support

ngrok's network edge universally supports IPv6. DNS lookups for all Domains and the host portion of all TCP Addresses will return AAAA DNS records.

Don't forget that ngrok supports IPv6 when configuring IP Restrictions. If you forget to specify records to allow IPv6 traffic, you may unintentionally cause connectivity failures if connections to your endpoints use IPv6.
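The IPv6 gap described above can be checked before an allowlist is deployed. This added example (not ngrok code and not part of the original page) models a simplified allow-only policy in which any address matching no CIDR entry is denied; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def load_allowlist(cidrs):
    """Parse CIDR strings and bucket them by IP version (4 or 6)."""
    nets = {4: [], 6: []}
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        nets[net.version].append(net)
    return nets

def audit(cidrs, clients):
    """Return {client: {"allowed": [...], "denied": [...]}}.

    Assumption: allow-only policy, an address matching no entry is denied.
    """
    nets = load_allowlist(cidrs)
    report = {}
    for name, addrs in clients.items():
        result = {"allowed": [], "denied": []}
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            ok = any(ip in net for net in nets[ip.version])
            result["allowed" if ok else "denied"].append(addr)
        report[name] = result
    return report

def ipv6_gaps(cidrs, clients):
    """Clients that pass over IPv4 but would be denied over IPv6."""
    gaps = []
    for name, result in audit(cidrs, clients).items():
        v4_ok = [a for a in result["allowed"] if ipaddress.ip_address(a).version == 4]
        v6_denied = [a for a in result["denied"] if ipaddress.ip_address(a).version == 6]
        if v4_ok and v6_denied:
            gaps.append((name, v6_denied))
    return sorted(gaps)

# Constructed sample data using documentation ranges (RFC 5737, RFC 3849).
ALLOWLIST = ["192.0.2.0/24", "198.51.100.17/32", "2001:db8:10::/48"]
CLIENTS = {
    "office": ["192.0.2.40", "2001:db8:10::40"],       # dual-stack, both covered
    "ci-runner": ["198.51.100.17", "2001:db8:99::5"],  # IPv6 address not covered
    "vendor": ["203.0.113.9"],                         # not covered at all
}

if __name__ == "__main__":
    for name, v6 in ipv6_gaps(ALLOWLIST, CLIENTS):
        print(f"{name}: allowed over IPv4, denied over IPv6 from {v6}")
```

A client reported by `ipv6_gaps` is the one that fails intermittently: it connects when it happens to use IPv4 and is rejected when it uses IPv6.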

The Agent and Agent SDKs may also connect to the ngrok edge over IPv6. DNS lookups for the domain of the agent ingress address will return AAAA records.

TLS Termination

ngrok terminates TLS traffic at its edge for HTTPS endpoints and, when configured to do so, for TLS endpoints. Regardless of the type of endpoint, when the ngrok edge terminates TLS on incoming connections, it uses the TLS certificate attached to the Domain it is terminating for. By default, ngrok attaches an appropriate TLS Certificate when a Domain is created, provisioning one automatically if necessary.

| Endpoint Type | Behavior |
| --- | --- |
| HTTPS | ngrok always terminates TLS on connections to HTTPS endpoints at the ngrok edge. Traffic is re-encrypted with TLS as it is transmitted to your upstream service via the Agent. |
| TLS | TLS endpoints may be configured to terminate TLS at the ngrok edge or not to terminate TLS. When a TLS endpoint is configured not to terminate TLS at ngrok's edge, we call this Zero-Knowledge TLS. |
| TCP | TCP endpoints are unaware of higher layer protocols like TLS and thus never terminate TLS. |

DDoS Protection

ngrok helps protect your service from distributed denial of service (DDoS) attacks. You can use the following measures with ngrok to protect your service from DDoS attacks:

  1. First, ngrok automatically applies a layer of DDoS protection to all of your endpoints without any configuration. Our software monitors all traffic flows into ngrok's edge by scanning for malicious sources, patterns and threats in real-time. ngrok proactively blocks incoming connections when an attack is detected.

  2. Second, you can prevent attacks by enforcing authentication with modules like OAuth, OpenID Connect, SAML and IP Restrictions. Authentication modules are enforced at the ngrok edge so that only legitimate traffic reaches the upstream service in your network. ngrok's edge absorbs all of the unauthenticated traffic.

  3. Third, you can also recover more quickly from attacks by enabling the Circuit Breaker module. This module protects your application services when they become overloaded by blocking traffic at the ngrok edge until they can recover.