Jan 6, 2026: We updated this post with simpler definitions and updated links to fresh guides.
Site-to-site connectivity is a secure, persistent connection between your network and the APIs, databases, devices, or other services in your customers' private network.
You install the ngrok agent inside your customer's firewall, where it creates outbound-only connections to ngrok's network. Your services then access customer resources (APIs, databases, devices) through ngrok endpoints, so there are no inbound ports and no VPNs.
Way easier to implement than asking your customer's CISO to poke holes in their firewall, eh?
With ngrok, you:
I packed everything I've learned about building site-to-site networks into two concise how-to guides:
Both walk you through the architecture you're aiming for, plus how to:
Plus, some bonus points for Endpoint Pools and whitelisting the whole shebang with custom connect URLs.
If you've already locked in ngrok as your networking infra of choice, but are just in those final steps of convincing your customer's CISO that ngrok is secure and trusted networking infrastructure, I can help with that, too:
Questions, issues, or features to request? Find us on X, on Discord, or directly at support@ngrok.com.
I'd love to help you design an architecture that's just right for you, walk you through any of the steps, and help you hone that "why ngrok" pitch.
You install the ngrok agent inside your customer's network. The agent creates outbound TLS connections to ngrok's global network, then you configure endpoints that route traffic from your services to the agent and on to customer resources. Your customer never opens inbound ports.
ngrok is SOC 2 Type 2 compliant and trusted by over 9 million developers. You can enforce mTLS, JWT validation, OAuth, SAML, and IP restrictions on any endpoint. Traffic can be end-to-end encrypted, and you control exactly which services are accessible through scoped authtokens and ACLs.
Anything with a network address: REST APIs, databases (PostgreSQL, MySQL, MongoDB), device APIs, internal web apps, IoT endpoints, and legacy systems. If the ngrok agent can reach it on the customer's network, you can expose it through an internal endpoint.
No. The ngrok agent connects outbound on port 443, which is typically already allowed. Your customers don't need to open inbound ports, configure NAT, or set up VPN infrastructure.
VPNs require configuration on both ends, ongoing maintenance, and often dedicated hardware or software. Plus, their default config often gives you access to your customers' entire network, which is one of the many reasons they're not well-loved.
ngrok collapses this into a single agent that handles encryption, load balancing, failover, and access control. The agent also has tightly scoped access by default, meaning it can only reach exactly the services required and none more. All without touching your customer's network infrastructure.
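To make the "internal endpoint plus scoped access" pattern from the answers above concrete, here is an added example agent configuration. It is not from the original post or the ngrok docs; it is written from my understanding of the agent's version 3 config format (`endpoints`, `upstream`, `traffic_policy`, the `restrict-ips` and `forward-internal` actions), so check the key names against the current ngrok documentation before deploying. The authtoken value, the `api.internal` hostname, the upstream address, and the `203.0.113.0/24` allow-list are placeholders I chose for illustration.

```yaml
# ngrok agent config (assumed v3 layout), run inside the customer's network.
# The agent only dials out to ngrok on 443; nothing here listens for inbound traffic.
version: 3

agent:
  # Placeholder. Use an authtoken scoped to this customer's agent so the
  # credential can only bind the endpoints its ACL permits.
  authtoken: "<customer-a-authtoken>"

endpoints:
  # Internal endpoint: reachable only from other ngrok endpoints in your
  # account, never from the public internet. The ".internal" hostname is
  # what marks it as internal in this format.
  - name: customer-a-api
    url: https://api.internal
    upstream:
      # The customer-side service the agent proxies to (placeholder address).
      url: http://10.0.0.12:8080

  # Public-facing endpoint that your services call. Policy runs before any
  # byte reaches the customer resource.
  - name: customer-a-edge
    url: https://customer-a.example.ngrok.app
    traffic_policy:
      on_http_request:
        # Weak setting would be no restriction at all: anyone who learns the
        # URL could reach the forwarded internal service. Instead, allow only
        # your own egress range (placeholder CIDR) and drop everything else.
        - actions:
            - type: restrict-ips
              config:
                enforce: true
                allow:
                  - "203.0.113.0/24"
        # Only requests that passed the allow-list are forwarded to the
        # internal endpoint served by the agent above.
        - actions:
            - type: forward-internal
              config:
                url: https://api.internal
```

Two things worth checking in a review of such a config: that the internal endpoint has no public binding of its own (the customer resource should be reachable only via the policy-guarded edge endpoint), and that the authtoken's ACL is limited to the `api.internal` host rather than a wildcard, so a leaked token cannot bind additional endpoints into the customer's network.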