The ngrok network edge is the globally distributed infrastructure that ngrok operates. It accepts incoming traffic to your services' endpoint URLs, applies your module configurations and routes those connections to the appropriate connected ngrok agents.
Points of Presence
ngrok's globally distributed network edge runs on points of presence all around the world to enable fast, low latency traffic to your applications.
We continuously expand our regional points of presence. As we add each new point of presence, your applications become faster for global customers without any changes. The current points of presence are:
|sa||South America (São Paulo)|
|us||United States (Ohio)|
|us-cal-1||United States (California)|
IPs used by the ngrok edge are dynamic. They may change frequently and without notice. There are no static IPs. If you hardcode any of ngrok's IPs or rely on DNS records past their TTL, your applications will break. There is no API to query ngrok's IPs at this time.
When you resolve any of ngrok's IPs via DNS, you will receive a partial list of IPs because ngrok uses global server load balancing, which means that DNS queries will return different sets of IPs depending on where you are located in the world.
Please contact us if you need dedicated static IPs for a custom agent ingress address.
Don't forget that ngrok supports IPv6 when configuring IP Restrictions. If you forget to specify records to allow IPv6 traffic, you may unintentionally cause connectivity failures if connections to your endpoints use IPv6.
ngrok terminates TLS traffic at its edge for HTTPS endpoints and configurably for TLS endpoints. Regardless of the type of endpoint, when the ngrok edge terminates TLS on incoming connections, it uses the TLS certificate attached to the Domain it is terminating for. By default, ngrok automatically attaches an appropriate TLS Certificate when a Domain is created, provisioning one automatically if necessary.
|HTTPS||ngrok always terminates TLS on connections to HTTPS endpoints at the ngrok edge. Traffic is re-encrypted with TLS as it is transmitted to your upstream service via the Agent.|
|TLS||TLS endpoints may be configured to terminate TLS at the ngrok edge or not to terminate TLS. When a TLS endpoint is configured not to terminate TLS at ngrok's edge, we call this Zero-Knowledge TLS.|
|TCP||TCP endpoints are unaware of higher layer protocols like TLS and thus never terminate TLS.|
ngrok helps protect your service from distributed denial of service (DDoS) attacks. You can use the following measures with ngrok to protect your service from DDoS attacks:
First, ngrok automatically applies a layer of DDoS protection to all of your endpoints without any configuration. Our software monitors all traffic flows into ngrok's edge by scanning for malicious sources, patterns and threats in real-time. ngrok proactively blocks incoming connections when an attack is detected.
Second, you can prevent attacks by enforcing authentication with modules like OAuth, OpenID Connect, SAML and IP Restrictions. Authentication modules are enforced at the ngrok edge so that only legitimate traffic reaches the upstream service in your network. ngrok's edge absorbs all of the unauthenticated traffic.
Third, you can also recover more quickly from attacks by enabling the Circuit Breaker module. This module protects your application services when they become overloaded by blocking traffic at the ngrok edge until they can recover.