Zero Trust Site-to-Site Connectivity

Connect Everything. Expose Nothing.

NetFoundry connects your sites, clouds, OT environments, and partner and customer networks over outbound-only paths — and exposes none of them.

  • Every service stays unreachable by default.
  • Each site can only reach what identity-based policy allows, so a breach in one location can’t spread laterally to the rest.
  • No inbound ports, no public IPs, and no listening services for anyone to find.
zero trust site-to-site connectivity
0inbound ports open at any connected site
0lateral movement — a breach at one site can’t reach the rest
1identity-based policy model across sites, clouds, OT, and partners
Anyenvironment — on-premises, cloud, OT, partner, or customer
The challenge

More Sites, More Tunnels, More Attack Surface

SASE and ZTNA connect your people to applications, but your sites, clouds, OT environments, and machine workloads still have to reach each other some other way. Teams fill that gap with a different tool per site and per cloud, and each one opens inbound ports to the internet.

  • Every connection needs an inbound firewall rule and a reachable public IP. Each new link becomes more attack surface
  • Site-to-site VPNs connect whole networks and trust everything inside the tunnel. One breached site widens the blast radius across the rest
  • SD-WAN improved how links are managed and steered but kept the flat trust model. A connected site still reaches whole networks rather than specific services
  • MPLS locks you to a single carrier and takes weeks to provision, and none of these models reach multi-cloud, OT, or partner environments cleanly
  • Every new site multiplies tunnels, routes, and rules until the fragmented estate itself becomes the risk
The NetFoundry solution

Identity-First Connectivity That Leaves Nothing Reachable

NetFoundry connects any two environments — sites, clouds, OT, partner and customer networks — over an outbound-only fabric where every service is unreachable by default. Each endpoint first proves a cryptographic identity, then reaches only the services policy authorizes, so an attacker can’t use a compromised service to move laterally in your environment.

  • Outbound-only connections. No site opens an inbound port or exposes a public IP
  • Every service is unreachable by default until policy authorizes a specific identity-to-service connection
  • Identity-based, application-layer segmentation that stops lateral movement
  • One consistent model, policy, and fabric for every site
  • A managed control plane you consume as a service, with FIPS-validated cryptography for regulated deployments
How it works

Connect a Site in Five Steps

No carrier to provision, no inbound ports to open, and no public IP to assign. Just deploy an endpoint at each end and let them dial out and prove who they are.

1

Deploy an endpoint at each site

Run a NetFoundry software endpoint on a host, gateway, or device you already have. It receives a cryptographic identity and needs no new public IP or inbound firewall change.

2

Each site dials out — nothing listens

Endpoints initiate outbound, mutually authenticated connections, so no site opens a port and each stays invisible to the network.

3

Authorize specific service connections

Policy is evaluated before any path exists, so a site reaches only the services you authorize, encrypted end to end with key rotation handled by the platform.

4

NetFoundry runs the platform for you

NetFoundry operates the control plane, the certificate lifecycle, and key rotation as a managed service, with FIPS-validated cryptography, so there is no networking backend for you to stand up or scale.

5

You manage connectivity through policy

You add, move, and retire sites by editing policy in one console — no ports to open, no firewall rules to change, no circuits to provision, and no tunnel meshes to rebuild as the estate grows.

Where it fits

One Connectivity Model for Every Environment

Branches, data centers, clouds, OT sites, and the partner and customer networks you connect to all share one requirement: they must reach each other without becoming reachable to everyone else.

Branch & remote offices

Connect locations without MPLS or VPN concentrators

Link branches, retail sites, and remote offices to data centers and cloud applications over outbound-only paths — no carrier circuit, no VPN concentrator, no inbound rules — each reaching only the services you authorize.

Hybrid, multi-cloud & edge

Join data centers, clouds, and edge on one fabric

Connect on-premises data centers, AWS, Azure, Google Cloud, and any other public or private cloud, plus edge locations, through one policy model instead of per-cloud gateways and one-off tunnels for each provider.

OT & industrial sites

Reach plants and facilities without exposing them

Connect factories, substations, and remote facilities to central systems using identity-based, application-layer segmentation. Sites stay invisible with no inbound exposure, alongside the OT security tools already in place.

Partner & customer environments

Extend connectivity without opening either side

Connect to partner and customer networks over paths scoped to a specific service by identity, so a partner reaches exactly what you authorize and nothing else — and neither side exposes an inbound port.

Visibility & logging

See Who Connected to What — by Identity, Not IP Address

NetFoundry authorizes and logs every connection by cryptographic identity. Each record already shows a named site, user, or workload reaching a named service — with no need to correlate DHCP, NAT, and firewall data after the fact.

  • Every connection is logged as a named identity reaching a named service, not an IP-to-IP tunnel
  • Real-time visibility into which sites and workloads are connected and what they reach
  • Access decisions and audit records share one identity model, so logs match policy
  • Identity-based logs stream to your SIEM and existing security tooling, so this visibility lands in the systems your team already uses
  • Revoking or changing a site’s access is an identity action that shows up immediately in the record
VPN / MPLS / SD-WAN vs. NetFoundry

The Same Connection, a Smaller Blast Radius

Site-to-site VPN, MPLS, or SD-WAN

  • Connects whole networks and trusts everything inside the tunnel or overlay
  • Requires inbound firewall ports and reachable public IPs at every site
  • A different tool per site and per cloud, each with its own configuration and risk
  • MPLS provisioning takes weeks and locks you to a single carrier
  • You operate the tunnels, routes, and rules yourself as the estate grows
  • Logs show IP addresses and tunnels, so you reconstruct who did what after the fact

NetFoundry site-to-site connectivity

  • Authorizes specific identity-to-service connections, so services stay unreachable by default
  • Outbound-only; no inbound ports and no public IPs at any site
  • One software endpoint per site — no appliance to ship and no carrier circuit
  • One fabric and one policy model across sites, clouds, OT, and partner networks
  • A managed control plane you consume as a service instead of infrastructure you operate
  • Logs tied to named identities, so you see who reached which service in real time
Outcomes

Fewer Tunnels to Manage. A Smaller Surface to Defend.

A contained blast radius

A compromise at one site reaches only what policy allows, so one foothold stays one foothold instead of spreading across the estate.

No inbound attack surface

Outbound-only connections mean no site opens a listening port or exposes a public IP, so there is nothing for an attacker to scan.

Connect any environment

Sites, clouds, OT, and partner networks connect to each other by dialing out and proving identity, with no carrier provisioning and no inbound firewall change.

Change access with a policy edit

Tighten or extend a site’s access with a policy update that takes effect immediately — no change-control cycle, no firewall rules, and no tunnel to rebuild.

Reduced compliance scope

Identity-based isolation shrinks the systems in audit scope and maps to the segmentation requirements behind standards such as PCI-DSS, IEC 62443, and NIST 800-207.

No network redesign

NetFoundry runs over what you already have. Deploy incrementally and connect sites progressively, leaving your existing networking infrastructure untouched.

The creators of OpenZiti, run at scale

Open-Source Roots, Enterprise-Grade Delivery

NetFoundry created OpenZiti, the open-source Zero Trust networking project, and builds on it with the managed control plane, FIPS validation, and global scale that production deployments in regulated and global markets require. The same fabric that connects two sites connects thousands.

Supports compliance and regulatory requirements including:

PCI-DSS IEC 62443 NIST 800-207 NIST 800-171 NERC CIP NIS2 DORA HIPAA EU CRA SOC 2 Type II FIPS CJIS
3,000companies use NetFoundry
2 of 5largest US companies connect with NetFoundry
8 of 10largest US banks connect with NetFoundry
1B+sessions per month across global infrastructure

Built by the creators and maintainers of OpenZiti, the world’s most-used open-source Zero Trust networking platform.

Connect Your Sites the Zero Trust Way

See how NetFoundry connects branches, data centers, clouds, and edge sites over identity-based, outbound-only paths — no VPNs to mesh, no MPLS to provision, no inbound ports to open, and no firewall rules to change.

Questions & answers

Site-to-Site Connectivity FAQ

What is site-to-site connectivity?

NetFoundry defines site-to-site connectivity as a secure, private connection between separate locations, such as branch offices, data centers, cloud regions, factories, and edge sites, so systems in one location can reach systems in another. NetFoundry connects those sites over identity-based, outbound-only paths instead of VPN tunnels or MPLS circuits, so no location opens a firewall port or exposes a public IP to another.

How is NetFoundry different from a site-to-site VPN?

NetFoundry differs from a site-to-site VPN by replacing the always-on tunnel and open inbound ports with outbound-only connections that carry a cryptographic identity. A site-to-site VPN connects whole networks and trusts everything inside the tunnel, which widens the blast radius if one side is compromised. NetFoundry authorizes each identity-to-service connection before any path exists, so a connected site reaches only the applications policy permits and nothing else on the far network is exposed.

Does NetFoundry require opening inbound firewall ports?

NetFoundry requires no inbound firewall ports at any site. Every connection is initiated outbound and authenticated by cryptographic identity, so each location keeps its firewall closed to inbound traffic and exposes no public IP or listening port. There is nothing for an attacker to scan and nothing for a security team to approve as an inbound exception.

Does NetFoundry require a hardware appliance at each site?

NetFoundry requires no dedicated hardware appliance at a site. NetFoundry connects a site with a single software endpoint on a host, virtual machine, or device the site already has, so there is nothing to ship, rack, or replace. The endpoint dials out to a managed control plane and carries the site’s cryptographic identity, so connecting the tenth site is as quick as connecting the first.

Can NetFoundry connect on-premises sites to multiple clouds?

NetFoundry connects on-premises sites, private data centers, and any public or private cloud over one fabric, without per-cloud VPN gateways or carrier interconnects. The same identity-based model spans AWS, Azure, Google Cloud, and any other cloud, along with on-premises sites and edge locations, so a hybrid or multi-cloud estate is governed through one policy model.

Can NetFoundry connect to partner and customer networks?

NetFoundry connects your environment to partner and customer networks over outbound-only paths that are scoped to a specific service by identity. Neither side opens an inbound port or exposes a public IP, and a partner reaches only the service you authorize and nothing else on your network. This lets you extend connectivity beyond your own sites without extending your attack surface.

Is NetFoundry suitable for connecting OT and industrial sites?

NetFoundry connects operational technology and industrial sites using identity-based, application-layer segmentation, so a plant or remote facility reaches only the systems it is authorized to use. Connections are outbound-only with no inbound exposure, so industrial sites stay invisible on the network while still reaching the cloud applications, vendors, and central systems they depend on. NetFoundry works alongside the OT security tools already deployed rather than replacing them.

Does NetFoundry stop lateral movement between sites?

NetFoundry stops lateral movement by making every service unreachable by default and authorizing each connection to a specific service by identity. Because a connected site reaches only what policy allows, an attacker who compromises one service cannot use it to move laterally across the rest of your environment. One foothold stays one foothold instead of becoming a network-wide intrusion.

Is NetFoundry a software-defined networking (SDN) or SD-WAN solution?

NetFoundry delivers software-defined connectivity, but it differs from traditional SD-WAN in a way that matters for security. An SD-WAN overlay steers traffic across links yet still connects whole networks and trusts what is inside the overlay. NetFoundry defines connectivity by cryptographic identity and authorizes each connection to a specific service, so a connected site reaches only what policy permits and no location exposes an inbound port or public IP.

How does NetFoundry log site-to-site activity, and does it work with a SIEM?

NetFoundry logs site-to-site activity by cryptographic identity rather than by IP address, so each record shows a named site, user, or workload connecting to a named service. These identity-based logs stream to your SIEM and existing security tooling, so the visibility lands in the systems your team already uses. Because the same identity authorizes and records the connection, teams get real-time, audit-ready visibility that maps directly to policy.

How does NetFoundry help with compliance?

NetFoundry helps with compliance by using identity-based isolation to shrink the systems in audit scope and by encrypting every connection with FIPS-validated cryptography. This maps to the segmentation and data-protection requirements behind frameworks such as PCI-DSS, IEC 62443, NIST 800-207, HIPAA, and DORA. Identity-based logging also gives auditors a record of which identity reached which service, instead of IP-and-port data to reconstruct after the fact.

Does NetFoundry require a network redesign?

NetFoundry requires no network redesign. NetFoundry runs over your existing infrastructure as an outbound-only overlay, so you can deploy it incrementally and connect sites progressively while leaving your existing networking infrastructure untouched. There are no inbound firewall changes to make and nothing in the underlying network to rebuild.

How long does it take to deploy NetFoundry site-to-site connectivity?

NetFoundry site-to-site connectivity is typically deployed in hours rather than the weeks or months an MPLS circuit or meshed VPN buildout can take. A site connects by running a software endpoint that dials out to the managed control plane and registers its identity, with no new public IP, no carrier provisioning, and no inbound firewall change. Because NetFoundry operates the control plane as a service, there is no networking backend to stand up before the first site connects.

Still have a question we didn’t cover? Talk to an engineer — a real one will answer it.