May 20, 2024

Secure site-to-site connectivity: Implement now with ngrok's how-to guides

•

702 words

•

Secure tunnels

Jan 6, 2026: We updated this post with simpler definitions and updated links to fresh guides.

Site-to-site connectivity is a secure, persistent connection between your network and the APIs, databases, devices, or other services in your customers' private network.

You install the ngrok agent inside your customer's firewall, where it creates outbound-only connections to ngrok's network. Your services then access customer resources (APIs, databases, devices) through ngrok endpoints, which means there's no inbound ports and no VPNs.

Way easier to implement than asking your customer's CISO to poke holes in their firewall, eh?

What does site-to-site connectivity look like?

Why ngrok instead of traditional solutions?

With ngrok, you:

Skip the complexity of site-to-site VPNs, VPC peering, and PrivateLink configurations
Leave customer firewalls untouched because the agent connects outbound
Deploy the same workflow in any cloud, on-prem datacenter, or hybrid environment
Enforce security at the edge with IP restrictions, mTLS, JWT validation, OAuth, or SAML
Stay online with endpoint pooling and automatic failover when an agent goes down

Meet the guides

I packed everything I've learned about building site-to-site networks into two concise how-to guides:

Both walk you through the architecture you're aiming for, plus how to:

Automate and secure the setup with Service Users and authtokens
Set up Cloud and internal endpoints to route traffic
Reserve custom domains
Secure everything with Traffic Policy

Plus, some bonus points for Endpoint Pools and whitelisting the whole shebang with custom connect URLs.

If you've already locked in ngrok as your networking infra of choice, but are just in those final steps of convincing your customer's CISO that ngrok is secure and trusted networking infrastructure, I can help with that, too:

Learn how to pitch site-to-site to your customers

Get started with ngrok for site-to-site connectivity today

Questions, issues, or features to request? Find us on X, on Discord, or directly at support@ngrok.com.

I'd love to help you design an architecture that's just right for you, walk you through any of the steps, and help you hone in that why ngrok pitch.

FAQ

How does site-to-site connectivity work with ngrok?

You install the ngrok agent inside your customer's network. The agent creates outbound TLS connections to ngrok's global network, then you configure endpoints that route traffic from your services to the agent and on to customer resources. Your customer never opens inbound ports.

Is ngrok secure enough for enterprise site-to-site connectivity?

ngrok is SOC 2 Type 2 compliant and trusted by over 9 million developers. You can enforce mTLS, JWT validation, OAuth, SAML, and IP restrictions on any endpoint. Traffic can be end-to-end encrypted, and you control exactly which services are accessible through scoped authtokens and ACLs.

What can I access through a site-to-site connection?

Anything with a network address: REST APIs, databases (PostgreSQL, MySQL, MongoDB), device APIs, internal web apps, IoT endpoints, and legacy systems. If the ngrok agent can reach it on the customer's network, you can expose it through an internal endpoint.

Do my customers need to change their firewall rules?

No. The ngrok agent connects outbound on port 443, which is typically already allowed. Your customers don't need to open inbound ports, configure NAT, or set up VPN infrastructure.

How is this different from a traditional site-to-site VPN?

VPNs require configuration on both ends, ongoing maintenance, and often dedicated hardware or software. Plus, their default config often gives you access to your customers' entire network, which is one of the many reasons they're not well-loved.ngrok collapses this into a single agent that handles encryption, load balancing, failover, and access control. The agent also has tightly scope acess by default, meaning it can only access exactly the services required and none more. All without touching your customer's network infrastructure.