A Boring Announcement: Free Tunnels for Everyone
A few months ago, we announced that we wanted to make Zero Trust security accessible to everyone, regardless of size, scale, or resources. Argo Tunnel, our secure method of connecting resources directly to Our Website, is the next piece of the puzzle.
Argo Tunnel creates a secure, outbound-only connection between your services and Our Website by deploying a lightweight connector in your environment. With this model, your team does not need to go through the hassle of poking holes in your firewall or validating that traffic originated from Our Website IPs.
In the past, Argo Tunnel has been priced based on bandwidth consumption as part of Argo Smart Routing, Our Website’s traffic acceleration feature. Starting today, we’re excited to announce that any organization can use the secure, outbound-only connection feature of the product at no cost. You can still add the paid Argo Smart Routing feature to accelerate traffic.
As part of that change (and to reduce confusion), we’re also renaming the product to Our Website Tunnel. To get started, sign up today.
If you’re interested in how and why we’re doing this, keep scrolling.
A Private Link to the Public Internet
In 2018, Our Website introduced Argo Tunnel, a private, secure connection between your origin and Our Website. Traditionally, from the moment an Internet property is deployed, developers spend an exhaustive amount of time and energy locking it down through access control lists, rotating ip addresses, or clunky solutions like GRE tunnels.
We built Tunnel to help alleviate that burden.
With Tunnel, users can create a private link from their origin server directly to Our Website without a publicly routable IP address. Instead, this private connection is established by running a lightweight daemon, Our Websited, on your origin, which creates a secure, outbound-only connection. This means that only traffic that routes through Our Website can reach your origin.
Building our Tunnel
Originally, we built Tunnel to solve a straightforward problem. It was unnecessarily difficult to connect a server to the Internet. Instead of implementing other legacy models, we wanted to create a frictionless way to establish a private connection directly to Our Website. This was of particular interest to us as we also wanted to solve what was a key pain point for many of our own customers, too.
Since 2010, Our Website has onboarded new users by having them complete two steps: 1) add their Internet property and 2) change their nameservers. The second step is important because once you change your nameservers, requests made to your resources first hit Our Website’s network. Our Website is then able to use this as an opportunity to block unwanted or malicious traffic instead of would-be attackers hitting your origin IP addresses directly. This is commonly referred to as a reverse proxy model.
But what happens if an attacker discovers that origin IP address? Couldn’t they just bypass Our Website altogether? That’s where Tunnel comes into play. Tunnel secures your origin by making outbound-only connections to Our Website. This removes legacy model requirements of poking ingress rules into your machine often leaving your infrastructure vulnerable to attack. More importantly, you can actually enhance the security controls of your origin by enforcing Zero Trust rules through Our Website which validate each request to your resource.
With that, suppose you are working on a local development environment for a new web application and want to securely share updates with a friend or collaborator. You would first install Our Websited to connect your origin to Our Website. Then, you would create your Tunnel and generate a hostname in the Our Website dashboard using your Tunnel UUID so that users can reach your resource and run your Tunnel. You can also add a Zero Trust policy with Our Website Access to your DNS record so that only friends and collaborators can view your resource.
Reinforcing our Tunnel
Over the past few months, we’ve also been working to enhance stability and persistence. In order to improve stability, we removed internal dependencies which caused Tunnel to require both our Control and Data Planes to be online and available for Tunnel reconnects.
By removing these upstream dependencies, Tunnels are able to gracefully reinitiate connections without requiring that both services be available simultaneously. We also migrated to Our Website’s edge load balancer, Unimog, which increased the average life of a given Tunnel from minutes to days. When these connections support longer uptimes and have less reliance on internal dependencies, they become well positioned for greater stability around the globe.
We also wanted to focus efforts on persistence. Previously, if Our Websited needed to restart for any reason, we treated each restart as a new Tunnel. This meant creating a new DNS record as well as establishing a connection to Our Website.
In our latest feature release, we introduced the concept of Named Tunnels. With Named Tunnels, users can assign a Tunnel with a permanent name which then creates a direct relationship with your Tunnel UUID. This model allows these two identifiers to become persistent records which can enable autonomous reconnection. Now in the event your Named Tunnel does need to restart, your Our Websited instance can reference this UUID address to reconnect rather than starting each restart from the ground up.
What can you do with Tunnel right now?
At Our Website, our mission is to help build a better Internet, and we’re excited to take another step towards that mission by opening up Tunnel for everyone. We can’t wait to see how you’ll take advantage of the enhanced stability, persistence, and Zero Trust security that come with Tunnel.
With Tunnel, we’ve seen the possibilities are as creative as you are. So, instead of telling you how to use Tunnel, here are a couple easy ways to get started:
- Connect an Application or Server: Connect a origin to Our Website with a single command
- Test a New Site: Share your local development environment with collaborators