ngrok establishes secure tunnels between the ngrok cloud service and your local machine. These tunnels allow you to receive traffic from the internet on your localhost without exposing your machine directly or opening inbound ports.

How tunnels work

When you run ngrok http <port>, the ngrok agent on your machine opens an outbound TLS connection to the ngrok cloud. ngrok assigns a public URL and routes incoming requests through this encrypted tunnel to your local port.
  • Outbound-only connections: The agent connects outbound on port 443. No firewall changes or port forwarding required.
  • TLS encryption: All traffic between the ngrok cloud and your agent is encrypted with TLS.
  • Automatic HTTPS: ngrok automatically provisions and manages TLS certificates for your public endpoint.
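
A simplified model of the flow described above, as an added example that is not ngrok's code or protocol: plain TCP on loopback stands in for the TLS connection on port 443, a single connection is relayed with no multiplexing, and all function names are hypothetical. The agent only ever calls connect and never listens, which is why inbound firewall rules on the agent's network never see the tunnel.

```python
import socket
import threading

def pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst."""
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already closed

def listen():
    srv = socket.create_server(("127.0.0.1", 0))  # port 0: OS picks a free port
    return srv, srv.getsockname()[1]

def local_app(srv):
    """Stand-in for the service on your local port."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(b"local app saw: " + conn.recv(4096))

def cloud(agent_srv, public_srv):
    """Stand-in for the cloud side: joins a public client to the agent's tunnel."""
    tunnel, _ = agent_srv.accept()   # the agent dialed out to us
    client, _ = public_srv.accept()  # a client hit the public endpoint
    threading.Thread(target=pipe, args=(client, tunnel), daemon=True).start()
    pipe(tunnel, client)

def agent(cloud_port, local_port):
    """The agent only calls connect(): once to the cloud, once to localhost."""
    tunnel = socket.create_connection(("127.0.0.1", cloud_port))
    local = socket.create_connection(("127.0.0.1", local_port))
    threading.Thread(target=pipe, args=(tunnel, local), daemon=True).start()
    pipe(local, tunnel)

def demo(request=b"GET / HTTP/1.0\r\n\r\n"):
    """Send one constructed request to the public port; return what comes back."""
    (app_srv, app_port), (agent_srv, agent_port), (pub_srv, pub_port) = listen(), listen(), listen()
    jobs = [(local_app, (app_srv,)), (cloud, (agent_srv, pub_srv)), (agent, (agent_port, app_port))]
    for fn, args in jobs:
        threading.Thread(target=fn, args=args, daemon=True).start()
    with socket.create_connection(("127.0.0.1", pub_port), timeout=5) as client:
        client.sendall(request)
        client.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: client.recv(4096), b""))
    return reply
```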

Supported protocols

ngrok supports tunnels for multiple protocols:
Protocol  Command          Use case
HTTP/S    ngrok http 8080  Web apps, APIs, webhooks
TLS       ngrok tls 8443   TLS passthrough for custom certificates
TCP       ngrok tcp 3389   Databases, RDP, game servers
For more details, see the protocols documentation.

Agent Endpoints

Each tunnel creates an Agent Endpoint: an endpoint that exists only while the agent is running. You can configure Agent Endpoints with Traffic Policy to add authentication, rate limiting, header manipulation, and more.

Next steps