Configure Secure Access to Remote IoT Devices
ngrok is a universal gateway, which means it allows you to connect to any app, IoT device, or service without networking expertise.
This guide will walk you through an example scenario using ngrok to set up a secure, controlled remote access solution for IoT devices. The solution will enable you to grant trusted parties access to critical systems without exposing those systems to the public internet or relying on complex VPN setups.
What you'll need
- An ngrok account. If you don't have one, sign up.
- An ngrok agent configured on your local machine. See the getting started guide for instructions on how to install the ngrok agent.
- An ngrok API Key. You'll need an account first.
Example scenario
Consider a situation where a network of smart factories is coming online, each with IoT-connected machines, telemetry sensors, and a real-time monitoring dashboard.
In this scenario, each factory's network blocks inbound connections, but the technicians need temporary access to the dashboard. The telemetry API and sensor database must remain permanently accessible from the company's cloud, and access to the dashboard must be authenticated via Microsoft Entra ID.
Each factory would only need one ngrok agent running.
Why only one ngrok agent per factory?
Traditionally, you might assume that every device inside the factory needs its own ngrok agent, but this isn't necessary. A single ngrok agent is installed on a network-accessible machine inside the factory, and it:
- Acts as a central gateway (jumpbox) that can reach any machine on the local network, eliminating the need for multiple agents.
- Creates Internal Endpoints so that each API, database, and dashboard is securely exposed inside ngrok, never publicly visible.
- Uses Cloud Endpoints for controlled access, where external cloud apps can access only what they need, and the dashboard is only started when requested.
- Runs as a background service configured to automatically start on boot, restart after crashes, and log events.
- Dynamically manages tunnels, because the agent API can start and stop tunnels as needed.
This setup minimizes security risks, simplifies deployment, and ensures continuous uptime for mission-critical services.
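The single-agent layout described above can be sketched as an agent configuration file. This is an added example, not configuration taken from this guide; the endpoint names, LAN addresses, ports and the authtoken placeholder are assumptions.

```yaml
# Added example: one agent on the factory jumpbox, several LAN upstreams.
# Every hostname, IP address and port below is a constructed placeholder.
version: 3
agent:
  authtoken: <YOUR_NGROK_AUTHTOKEN>   # placeholder; keep real tokens out of version control

endpoints:
  # Telemetry API running on a different machine in the factory LAN.
  # A .internal URL makes this an Internal Endpoint: it is reachable only
  # from inside the ngrok account, never from the public internet.
  - name: telemetry-api
    url: https://telemetry-api.internal
    upstream:
      url: http://192.168.10.20:8080

  # Sensor database, reached by the same agent over the LAN.
  - name: sensor-db
    url: tcp://sensor-db.internal:5432
    upstream:
      url: tcp://192.168.10.30:5432

# The dashboard is deliberately not listed here: in this scenario it is
# started only when a technician requests access, so it is not an
# always-on endpoint in the agent's static configuration.
```

Because both upstreams point at other hosts on the LAN, only the jumpbox needs an ngrok agent and outbound connectivity; the machines behind it need no ngrok software and accept no inbound connections from outside the factory network.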