Welcome to the next generation of ngrok

Hello World!

Today, I’m incredibly proud to announce the next chapter of ngrok.

I founded ngrok with a simple goal: empower developers. We started by making local development simpler with a single command: ngrok http 80. It hasn’t stopped there.

ngrok’s programmable secure tunnels are everywhere. ngrok powers production IoT connectivity on everything from point of sale machines to art installations, HVAC systems to Raspberry Pis. It runs in banks, hospitals and governments as the foundational production-grade connectivity for business-critical transactions and payments. It runs on phones, routers, laptops and in the CI environments of the Fortune 100.

ngrok is about making complex infrastructure simple. We often hear that ngrok “feels like magic”. We’re excited to announce that we’re bringing the same magical feeling and developer-first mindset to solve a whole new class of problems.

Today we are launching ngrok Cloud Edge and ngrok Secure Tunnels which transform ngrok from a developer tool into a powerful developer platform. These products not only improve ngrok for local development, but also enable developers to build and secure production applications. With Cloud Edge and Secure Tunnels, developers can ship faster and with less code by leveraging ngrok’s programmable network edge to deliver common components all applications need without building and maintaining that infrastructure themselves.

This is by far the largest product launch in ngrok’s history and it is years in the making. ngrok’s first launch was delivered by a team of one. This latest launch is brought to you by a talented and growing team of over 30. We are thrilled to share what we’ve built with you.

A Quick Tour

We believe great products speak louder than words, so let’s see it in action!

Get set up
# get yourself some tab completion :)
. <(ngrok completion)

# connect ngrok to your account

# https://dashboard.ngrok.com/get-started/your-authtoken

ngrok config add-authtoken [TOKEN]


Simple header manipulations + templating
# send geodata to your app, enforce security response header 
ngrok http 80 \
  --request-header-add='country: ${.ngrok.geo.country_code}' \
  --response-header-add='content-security-policy: self'


Add IP Restrictions, mTLS, Webhook Signature Verification
# serve files in your working directory to a specific cidr + gzip
ngrok http file://`pwd` \
  --cidr-allow=1.2.3.0/24 \
  --compression

# enforce mutual tls in front of any service

ngrok http 80 \
 --mutual-tls-cas /path/to/ca.pem

# verify incoming requests are webhooks from slack

ngrok http 80 \
 --verify-webhook=slack \
 --verify-webhook-secret=[your-slack-secret]


Identity-Aware Proxy /w Google Apps OAuth
# allow only yourself and your coworkers access to your app
ngrok http 80 \
  --oauth=google \
  --oauth-allow-email=you@gmail.com \
  --oauth-allow-domain=acme.com


Build a Github OAuth app
# serve an app that integrates with github
# user's API token is the `ngrok-auth-oauth-access-token` header
ngrok http 80
  --oauth=github \
  --oauth-scope=repo \
  --oauth-client-id=[your-client-id] \
  --oauth-client-secret=[your-client-secret]


OpenID Connect /w a custom IdP
# enforce auth via an IdP like Okta for your app
# user details are in headers, e.g. `ngrok-auth-user-email`, `ngrok-auth-user-name`
ngrok http 80 \
  --oidc=https://myorg.okta.com \
  --oidc-client-id=[your-client-id] \
  --oidc-client-secret=[your-client-secret]


Query the API with a baked-in native CLI
# with ngrok still running, in another shell list your endpoints via the API
# get your api key here: https://dashboard.ngrok.com/api
ngrok config add-api-key [API-KEY]
ngrok api endpoints list

How did that just work?

The commands above are deceptively simple. At first glance, it appears that the ngrok agent is doing the heavy lifting here, but that’s not the case. Instead ngrok’s network edge reconfigures itself in realtime to authenticate and transform traffic before it enters your protected network. You can think of ngrok as a globally distributed, programmable reverse proxy.

What’s new?

Announcing ngrok Cloud Edge and ngrok Secure Tunnels

Cloud Edge enables you to push powerful pre-packaged functionality like OAuth, OIDC, SAML, mTLS, Webhook Signature Verification, automated certificates and more in front of your applications at ngrok’s network edge with a single command.

Want to manage all of this configuration centrally and not on the command line? Our new Edges Product enables you to manage your Cloud Edge configurations via our Dashboard and API. It also enable k8s-style label-based load balancing for blue/green and canary deploys. You can even define configurations and routing on a per-path basis.

Secure Tunnels expands and improves our tunneling capability. In particular, we’ve add centralized management and observability to help make security and IT teams comfortable with ngrok running in their networks by adding features like remote agent termination, per-agent policies and the ability to enforce the use of a company ngrok account within their networks.

APIs for everything!

Our HTTP API is a first class citizen for all functionality in Cloud Edge and Secure Tunnels to integrate ngrok into your stack. There is a fully scriptable CLI for all resources in the agent (ngrok api), native API client libraries in major programming languages and a first-class terraform provider to define your ngrok infrastructure as code.

Programmable events

You may now configure your account to listen for events like resource creation and deletion or traffic log events when a new HTTP request or TCP connections transits one of your tunnel endpoints. ngrok will send JSON log events in real-time to a destination sink of your choice like Cloudwatch, S3 (via Firehose) or Kinesis. Build your own event consumers or integrate ngrok events with you SIEM.

New major version (3.0) of the ngrok agent

This latest version of the ngrok agent includes all of the new functionality in Secure Tunnels and Cloud Edge. The ngrok agent is now packaged and distributed via your favorite package managers including homebrew, chocolatey, apt and snap. We publish a first party native Docker container as well.

  • Your v2 agents will continue to work indefinitely. You do not need to upgrade to the v3 agent.
  • Be aware that the v3 agent is not fully backward compatible. Please consult our agent upgrading guide to help you through the transition.

Security, compliance and trust

ngrok recently completed its first SOC2 audit and is continuing to invest in additional security and compliance initiatives. Our customers can be confident that both ngrok's security and operations have been independently audited.

Changes to pricing

ngrok’s previous pricing model was often frustrating for customers who wanted to use ngrok as infrastructure. Our new pricing allows customers who grow beyond developer tool usage to scale up on-demand with a pay-as-you-go model.

  • If you’re on an existing paid plan your pricing will not change. All existing paying customers have been grandfathered into their existing plans.
  • Later this year, we will begin enforcing usage restrictions on bandwidth and connection rate for free tier accounts. If you’re over those limits, we’ll reach out to you first with adequate lead time to help you before those limits are enforced.

What’s Next

Our mission has always been to empower developers to build for the internet. What we’ve launched today with Cloud Edge and Secure Tunnels is a transformational step forward on that journey. But it’s only the beginning. Look for us to build on what we’ve launched today as we continue to make delivering complex software infrastructure feel like magic.

I’d love to hear what you think! Drop me a line. I'm inconshreveable@ngrok.com.

<3 inconshreveable and the ngrok team



PS - Do you love developer tools and infrastructure? Come join our Community Slack and say hi! Or come join us full time to work with a great team. We’re hiring across all roles.