Getting Started
A typical first project
Prepare the organization
Begin by identifying your first Frontdoor account or creating one to host your initial services. Make strategic decisions about your public naming approach, choosing between existing standard Frontends with NetFoundry-provided domains or requesting Custom Frontends for vanity hostname requirements.
Run the Frontdoor Agent next to your service
Select the appropriate deployment method for your Frontdoor Agent based on your infrastructure, whether as a sidecar container, DaemonSet in Kubernetes, systemd service on a VM, or process on a developer laptop. Create an enrollment token that the Agent will use to bootstrap its access to the NetFoundry fabric during the initial connection process.
Establish your Environment
Enroll the Agent to automatically create an Environment record that represents your live presence within the platform. Adopt a consistent naming convention that encodes the environment's purpose, such as dev, pr-1234, or prod-us-east, to make dashboards and monitoring more meaningful and manageable.
Define your first Share
Map a specific host and optional path on your chosen Frontend to the internal URL where your service listens for connections. Select one of the available Frontends and configure access by choosing from the available Auth Providers. Note that Custom Frontends require you to configure an Auth Provider before creating the Share, as detailed in the Auth Provider documentation.
Design tips
Start with a simple configuration using one Frontend, one Environment, and one Share to confirm everything works properly before expanding your setup.
Use clear, descriptive naming conventions for both Environments and Shares that reflect their purpose, such as dev/qa/prod designations.
Implement proper separation of concerns by handling authentication at the edge while maintaining business-specific authorization within your application, avoiding over-reliance on edge-only authentication. Instrument your applications appropriately so that Frontdoor metrics can be effectively correlated with backend logs and APM traces for comprehensive monitoring.
Security and trust model
Frontdoor operates on a zero-trust security posture that eliminates the need to open inbound ports to your private networks, relying instead on identity and policy to drive access control decisions.
The platform implements mutual authentication where Agents authenticate to the NetFoundry fabric while inbound callers authenticate at the Frontend through your configured Auth Providers.
This architecture maintains clear policy separation by allowing platform administrators to define global security guardrails while enabling application teams to manage app-specific Shares and authentication within those established boundaries.
DNS, certificates, and TLS
NetFoundry Hosted standard Frontends include fully managed SSL certificates that require no additional configuration, while Custom Frontends require domain ownership verification through DNS validation steps before certificates can be issued and activated. When client-certificate authentication is required for your use case, you should configure an Auth Provider that validates client certificates and maps the certificate identities to appropriate authorization rules within your security framework.
Where to go next
If you prefer a hands-on walkthrough with API calls and concrete examples, explore each guide. They contain detailed resources and comprehensive API call documentation to help you implement and manage your Frontdoor configuration effectively.
Troubleshooting checklist
- Frontend reachability: Does DNS for the Frontend resolve? Is the TLS certificate valid?
- Auth alignment: Are issuer/audience/keys for your Auth Provider current? Do callers present the expected credentials?
- Environment presence: Is the Frontdoor Agent enrolled and connected? Did the Environment recently flap?
- Share mapping: Does the Share route to the correct internal address/port? Any path or header rewrite mismatches?
- Health and metrics: Do Health Checks pass? Any spikes in 4xx/5xx or latency that correlate with deployments?
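For the Auth alignment item, the following added example (not NetFoundry code) lists mismatches between a caller's token and the issuer, audience, and key set you expect. It assumes the Auth Provider validates JWT bearer tokens against a JWKS; the function names, issuer, audience, and key ids are constructed for illustration.

```python
import base64, json, time

def _b64url_json(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_alignment(token, expected_iss, expected_aud, jwks, now=None, skew=60):
    """List mismatches between a caller's JWT and the expected Auth Provider
    settings. Diagnostic only: the signature is NOT verified here."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:
        return ["header or payload is not base64url JSON"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg is none or missing")
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in known_kids:
        problems.append(f"kid {header.get('kid')!r} not in JWKS (rotated key?)")
    if claims.get("iss") != expected_iss:  # exact match, trailing slash included
        problems.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])  # aud may be str or list
    if expected_aud not in aud:
        problems.append(f"aud {aud!r} lacks {expected_aud!r}")
    if "exp" not in claims or claims["exp"] + skew < now:
        problems.append("token expired or has no exp")
    if claims.get("nbf", 0) - skew > now:
        problems.append("token not yet valid (nbf); check clock skew")
    return problems

def _make_token(header, claims):
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.constructed-signature"

# Constructed sample values; issuer, audience, and key ids are placeholders.
JWKS = {"keys": [{"kid": "key-2"}]}
TOKEN = _make_token({"alg": "RS256", "kid": "key-1"},
                    {"iss": "https://idp.example.test/", "aud": ["frontdoor-share"], "exp": 2000})

if __name__ == "__main__":
    for p in check_alignment(TOKEN, "https://idp.example.test", "frontdoor-share", JWKS, now=1000):
        print("MISMATCH:", p)
```

With the sample values it reports a key id missing from the JWKS and an issuer that differs only by a trailing slash.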
Glossary
- Frontdoor or Account: Organizational ingress boundary and control scope for your externally reachable services. Think of this as your account.
- Frontend: Public-facing address and listener managed by NetFoundry for your organization (standard or custom).
- Frontdoor Agent or Agent: Lightweight component that runs near your backend and connects it to the fabric.
- Environment: A live, enrolled presence created by a Frontdoor Agent; a place where Shares run.
- Share: The configuration that binds a Frontend route/port to a backend endpoint.
- Auth Provider: Configuration that determines how inbound callers authenticate/authorize.
- Health Check: A probe that tests a Share’s backend availability and correctness.
- Execution: A record of a change that was applied to your Frontdoor; useful for historical analysis.
- Metrics/Sparklines: Time-series indicators for traffic, health, and performance.