How Rhapsody Replaced Brittle VPN Tunnels with Zero Trust Networking

Rhapsody connects 1,900+ healthcare organizations to the data that keeps patients safe. None of those connections needed a VPN tunnel held together with IP allowlists and hope.

Contents

  • Industry: Healthcare Technology
  • HQ: Boston, MA
  • Customers: 1900+ healthcare organizations in 30+ countries
  • Products Used:
    • NetFoundry Zero Trust SDKs
    • AppNets
    • Identity-First Reachability

Ready to get started?

Rhapsody’s healthcare customers require a mix of on-prem, cloud, and SaaS environments. The legacy VPN tunnels holding it all together were multiplying faster than anyone could manage them.

Rhapsody embedded NetFoundry’s Zero Trust SDK directly into its Envoy Edge product, replacing point-to-point VPNs with outbound-only, identity-based connectivity.

Faster, more consistent Envoy Edge deployments, full visibility into every connection, and a platform flexible enough to expand into new geographies like China.

About Rhapsody 

Rhapsody builds the infrastructure that lets healthcare organizations talk to each other. The platform connects fragmented systems, cleans up messy data, and increasingly, prepares that data for agentic AI. More than 1,900 healthcare organizations across 30-plus countries, from hospital networks to national health systems like the VA and NHS, rely on Rhapsody to move clinical data where it needs to go, reliably and in real time.

That flexibility is the whole point of the product. Rhapsody’s Envoy platform can run as a fully hosted iPaaS, or as “Envoy Edge,” deployed inside a customer’s own cloud or data center when privacy and control matter more than convenience. Behind every lab result, scan, and chart update is a patient waiting on an answer. Rhapsody makes sure the data gets there, seamlessly and securely.

“From checking into a hospital all the way through radiology, blood tests, labs, and imaging — the whole longitudinal journey of a health record passes through our system.”

Kevin Day, CTO, Rhapsody

The Challenge: Healthcare Doesn’t Run on One Network, and Neither Could Rhapsody

Supporting that kind of flexibility — on-prem here, cloud there, SaaS somewhere else — sounds simple until you’re the one connecting to it. Rhapsody’s team had to build and maintain secure connections into every kind of customer environment imaginable, and for years, that meant doing it the old fashioned way: with VPNs.

Hundreds of Brittle Tunnels, Multiplying by the Day

Each new customer deployment meant another point-to-point VPN or IP tunnel, configured by hand. Rhapsody’s cloud operations team was eventually managing several hundred of these connections, and the upkeep wasn’t a one-time job; it was several daily requests just to allowlist another IP address. Visibility was just as bad: nobody had a clean answer for which tunnels existed, where they went, or whether they were even still in use.

Provider IT Teams Weren’t Built for This

Many of Rhapsody’s healthcare customers simply didn’t have the networking expertise to manage their side of a VPN relationship, which meant every connectivity hiccup landed back on Rhapsody’s plate. AWS workspaces, manual allowlisting, one-off custom configurations…the team kept building workarounds, and the workarounds kept needing their own workarounds.

Compliance Doesn’t Forgive a Shortcut

None of this would have been tolerable in any industry, but in healthcare it was actively dangerous. HIPAA and HITRUST don’t leave room for “we think the tunnel is still secure.” Every open port and every manually managed connection was a fresh question for a compliance audit, and system reliability was a must-have with urgent patient data moving through the system in real time.

The Solution: Build Zero Trust Into the Product Itself

Rhapsody had already tried a competitive Zero Trust offering before finding NetFoundry, and it didn’t hold up — bugs and gaps kept forcing the team back to old-school IPSec VPNs and manual allowlisting. When Rhapsody’s engineers discovered OpenZiti and started exploring NetFoundry, they quickly saw the difference. It worked in their stack exactly how Zero Trust should: broad-based, secure, and fast to deploy. 

Rhapsody embedded NetFoundry’s Zero Trust SDK directly into Envoy Edge, giving the product secure remote access and full lifecycle management without customers having to do anything differently on their end.

Connections Customers Never Have to Open a Port For

With NetFoundry, every connection Rhapsody establishes (whether to a cloud environment, an on-prem site, a specific server, or directly inside an application) is outbound-only. No inbound ports, no port-forwarding rules, nothing for a customer’s IT team to configure or for an auditor to flag. Provisioning that used to require a custom build now happens fast, by default.

Zero Trust That Doesn’t Care Where the Data Lives

Rhapsody’s whole pitch to customers is flexibility: on-prem, customer cloud, or Rhapsody’s SaaS, wherever the customer needs to land. NetFoundry’s Zero Trust SDK extends that same philosophy to networking: encrypted end-to-end over a private, scalable overlay, regardless of where any given endpoint sits.

Visibility Where There Used to Be Guesswork

Instead of a sprawling, undocumented mess of tunnels, Rhapsody’s team now has clear visibility into every connection established for every customer. That visibility, combined with NetFoundry’s hands-on partnership approach, turned deployments that used to drag into real speed-to-market.

“We don’t tell our customers where their data needs to be. We’ll meet them where they are — on-premise, in their own cloud, or in our SaaS solution.”

Kevin Day, CTO, Rhapsody

The Results: Deployments Got Faster, and the Team Stopped Firefighting Tunnels

Once NetFoundry’s Zero Trust SDK was embedded into Envoy Edge, the manual customer-by-customer networking grind that had been slowing Rhapsody down simply went away — and it opened doors the old architecture couldn’t. 

Envoy Edge Deployments Run on Tight Timelines Now

New Envoy Edge rollouts that used to require custom networking work for every single customer now move fast and consistently, because the connectivity layer is no longer something Rhapsody has to reinvent each time.

The Internal Team Got Its Time Back

With outbound-only connections replacing the patchwork of VPNs and allowlist requests, Rhapsody’s cloud operations team is no longer buried in daily tunnel maintenance — and customers have responded well to a security model that doesn’t ask anything extra of them.

A Platform Flexible Enough to Go Global

NetFoundry’s platform helped Rhapsody deliver a complex partner offering in China, deploying on Alibaba Cloud to extend the same consistent healthcare integration connectivity into a new and fast-growing market, proof that the architecture scales geographically, not just operationally.

“We had a very tight timeline to demonstrate to our customers that this new solution approach would work for them, and NetFoundry was able to really help us with the acceptance and speed to market.”

Kevin Day, CTO, Rhapsody

Products and Solutions Used 

  • NetFoundry Zero Trust SDK: Embedded directly into Rhapsody’s Envoy Edge product to enable secure remote access and lifecycle management without VPNs
  • AppNets: NetFoundry’s Zero Trust microsegmentation implementation. Identity-bound, policy-driven, outbound-only.
  • Identity-First Reachability™: The underlying architecture giving Rhapsody full visibility into every connection it establishes, with no open inbound ports

If you’re managing connectivity across dozens (or hundreds) of customer environments in regulated healthcare, you already know VPNs weren’t built for this. NetFoundry gives you outbound-only, Zero Trust connectivity that deploys fast, satisfies auditors, and scales with your customer base.

About Netfoundry

NetFoundry is a leader in Secure Workload Connectivity, founded by the inventors and maintainers of OpenZiti, the world’s most widely used open source Zero Trust platform. NetFoundry enables enterprises to secure and connect AI agents, MCP servers, LLMs, APIs, OT/IoT infrastructure, and traditional enterprise workloads, all with no open inbound ports, no VPNs, and no firewall changes. NetFoundry secures billions of sessions for critical infrastructure on three continents and supports Fortune 10 companies across regulated industries including healthcare, financial services, and energy.

They Made the Switch. Here’s What Happened.