Skip to main content

Agent Ingress Address


The Agent Ingress Address is the network address that the ngrok agent and agent SDKs use to connect to the ngrok service. The default agent ingress address is This is defined in your agent configuration file under the server_addr parameter.

Customize Agent Ingress Address

You can customize the ingress address by creating your own Agent Ingress. You do this by delegating control of a DNS subdomain. ngrok will then populate the A/AAAA records and issue the certificates for your new agent ingress address. Lastly, you must update the ngrok.yml config file to instruct your ngrok agent to connect to the new address. You can use the helper command ngrok config add-server-addr to do this.

Agents authenticating to your agent ingress address must authenticate to your ngrok account. Agents attempting to authenticate with credentials for other accounts through your ingress address are disallowed.

Create the Agent Ingress

When you create a new agent ingress, you specify the domain you wish to use. You must own this domain yourself and have the ability to create NS records on it via your DNS provider.


When creating a new custom agent ingress, there is an option to configure the Certificate Issuer from either ngrok or Let's Encrypt. Some networks do not trust traffic encrypted with our privately issued certificate and will require a public issuer such as Let's Encrypt and this allows you to choose which one is needed.

Delegate DNS records

After you create a new Agent Ingress, you will be prompted to create NS records on the domain you chose.

Update agent configuration

Finally, you must reconfigure your ngrok agent or agent SDKs to use your new agent ingress address by adding the server_addr option to your ngrok agent's configuration file. You can use the helper command ngrok config add-server-addr to do this.

For example, if the domain of your custom agent ingress is then you might add the following line to the agent's configuration file:


Incompatibility with GSLB


Custom agent ingress requires the you choose a particular region that your agent connects to. It does not yet support Global Server Load Balancing which allows the agent to connect to the closest ngrok point of presence.

Endpoints created by agents using custom agent ingress are still delivered with Global Server Load Balancing.

Dedicated IPs

When you create a custom agent ingress, the DNS, certificates and hostnames are all custom branded but your address will still resolve to ngrok's shared set of IP addresses. Dedicated IPs that are unique for your account are also available at additional cost. Contact us to get in touch for additional details.

Why customize the ingress address?

Branded Connectivity

If you are using ngrok for production connectivity to your devices in the field or APIs inside of your customers' networks, a custom ingress address allows you to brand ngrok's connectivity as your own.

Policy Enforcement

If you are using ngrok for development and testing, you can use your own ingress address to ensure everyone at your org does not use their personal accounts and instead uses a shared ngrok account with appropriate observability and security controls set up. You can do this by blocking ngrok's default ingress address of from your machines and networks, but allowing traffic to your custom ingress address.


Creating your own Agent Ingress is not available on any self-serve plan. Contact us to get in touch about using custom agent ingress.