NetFoundry Frontdoor
NetFoundry Frontdoor is a zero-trust ingress platform that enables you to securely expose your internal services to the public internet without opening inbound firewall ports or modifying your network security configuration. Whether your services run on laptops, in data centers, Kubernetes clusters, or cloud environments, Frontdoor provides centrally managed, secure access through lightweight agents and encrypted tunnels.
What is NetFoundry Frontdoor?
NetFoundry Frontdoor solves the challenge of securely sharing internal services with external users by providing a zero-trust networking solution that eliminates traditional security perimeter concerns. Instead of deploying complex VPNs, opening firewall ports, or creating DMZ environments, Frontdoor uses lightweight Agents that establish outbound connections to NetFoundry's global infrastructure, creating secure tunnels for your services.
The platform goes beyond simple tunneling by providing centralized management, identity-based access controls, and comprehensive observability across all your exposed services. This approach enables organizations to maintain security while providing seamless access to internal resources for development teams, external partners, customers, and stakeholders.
Core Concepts and Terminology
Understanding Frontdoor's architecture requires familiarity with several key components that work together to provide secure service exposure:
Frontdoor Account
Your Frontdoor Account serves as the organizational boundary where you manage all externally reachable services. This account provides centralized control over Frontends, Environments, Shares, and Auth Providers while offering comprehensive metrics and monitoring capabilities for understanding service performance and usage patterns.
Frontends
A Frontend acts as the public entry point that consumers use to access your services. Frontdoor supports two types of Frontends:
- Standard Frontends: Pre-provisioned, globally available endpoints using NetFoundry-provided domains (e.g., https://your-service.shares.netfoundry.io)
- Custom Frontends: Branded endpoints using your own domain names while remaining fully managed by NetFoundry
Frontends handle SSL/TLS termination, provide DDoS protection, and can host multiple services through hostname and path routing.
Agents and Environments
The Frontdoor Agent is a lightweight software component that you install near your backend services. When an Agent enrolls with NetFoundry, it automatically creates an Environment - a secure, addressable presence within the NetFoundry fabric. Environments represent the runtime context where your services operate and can be created across different deployment scenarios like development, staging, production, or even per-feature branch environments.
Shares
A Share establishes the connection between your backend service and a public Frontend, defining exactly how incoming requests are routed to your internal services. Shares map Frontend URLs to internal endpoints (like http://127.0.0.1:8080 or Kubernetes service names) and can include optional authentication requirements through Auth Providers.
Auth Providers
Auth Providers define authentication and authorization mechanisms for controlling access to your services. They integrate with external identity providers including OIDC-compliant systems, Google OAuth, GitHub OAuth, and custom authentication solutions. Auth Providers enable you to restrict access based on user identity, email domains, or organization membership.
Security Architecture
Zero-Trust Foundation
Frontdoor operates on zero-trust principles where no implicit trust is granted based on network location. Every connection requires explicit authentication and authorization, whether from external users accessing your services or Agents connecting to NetFoundry infrastructure.
Outbound-Only Connectivity
Agents only establish outbound connections to NetFoundry infrastructure, eliminating the need to open inbound firewall ports. This approach maintains your existing network security posture while enabling external access to internal services.
End-to-End Encryption
All traffic between Agents and NetFoundry infrastructure uses end-to-end encryption with cryptographic identity verification. SSL/TLS termination occurs at NetFoundry's edge, providing automatic certificate management and security updates.
Centralized Access Control
Authentication and authorization policies are managed centrally through Auth Providers while maintaining separation of concerns between platform security and application-specific business logic. This approach enables platform administrators to establish security guardrails while allowing development teams to manage their specific service requirements.
How it fits together
The complete request flow begins when consumers connect to a Frontend address based on the share name, such as https://my-share.shares.netfoundry.io/my-service/v1/path. The Frontdoor control plane then authenticates and authorizes the incoming request using the Share's configured Auth Provider settings before securely bridging the request over the fabric to your Frontdoor Agent running inside your network.
Finally, the Agent establishes the connection to your backend service using localhost, pod DNS names, or private IP addresses without requiring any inbound ports to be exposed on your network perimeter.
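The request flow above, as an added illustrative model (not NetFoundry's own code): the Frontend hostname names the Share, the Share's Auth Provider policy is evaluated at the edge before anything is bridged to the Agent, and a path prefix selects the internal endpoint the Agent connects to. The Share and Auth Provider structures, the email-domain policy, and the sample configuration are assumptions made for this example.

```python
# Illustrative model of Frontdoor's request flow (added example, not NetFoundry code).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

FRONTEND_SUFFIX = ".shares.netfoundry.io"  # Standard Frontend domain from the page

@dataclass
class AuthProvider:
    """Hypothetical policy: only identities from these email domains may pass."""
    allowed_domains: frozenset

@dataclass
class Share:
    """Maps path prefixes on a Frontend to Agent-side internal endpoints."""
    routes: Dict[str, str]                 # path prefix -> backend base URL
    auth: Optional[AuthProvider] = None    # None means the Share is public

# Constructed sample configuration for demonstration only.
SHARES = {
    "my-share": Share(
        routes={"/my-service": "http://127.0.0.1:8080", "/api": "http://api.default.svc:9000"},
        auth=AuthProvider(frozenset({"example.com"})),
    ),
    "public-docs": Share(routes={"/": "http://127.0.0.1:3000"}),
}

def route_request(url: str, user_email: Optional[str]) -> Tuple[int, Optional[str]]:
    """Return (status, backend_target). status mimics the HTTP outcome:
    404 unknown Share/route, 401 no identity, 403 denied, 200 bridged to the Agent."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.endswith(FRONTEND_SUFFIX):
        return 404, None
    share = SHARES.get(host[: -len(FRONTEND_SUFFIX)])   # share name is the host label
    if share is None:
        return 404, None
    # Authorization happens at the edge, before the request reaches your network.
    if share.auth is not None:
        if not user_email or "@" not in user_email:
            return 401, None
        if user_email.rsplit("@", 1)[1].lower() not in share.auth.allowed_domains:
            return 403, None
    # Longest matching path prefix wins, so "/api" beats "/" for "/api/v2".
    for prefix in sorted(share.routes, key=len, reverse=True):
        base = prefix.rstrip("/")
        if parts.path == prefix or parts.path.startswith(base + "/"):
            rest = parts.path[len(base):]
            return 200, share.routes[prefix] + rest + (f"?{parts.query}" if parts.query else "")
    return 404, None
```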
Next Steps
- Read our Getting Started Guide to begin using Frontdoor