# Implement the 'Front Door' Pattern

> By using Cloud Endpoints and internal Agent Endpoints together, you loosely couple your gateway and services for extra flexibility.

The Front Door pattern is a common API gateway design where a single public endpoint serves as the centralized entrance to your upstream services.

Why use this pattern? It creates a clear boundary between your public-facing gateway and your internal services and creates a consistent interface for exposing them to the public internet.
This simplifies how you manage ingress, helps you route traffic to multiple services, and gives you a unified place to apply gateway-wide policies like authentication, rate limiting, and more.

With this pattern, you can:

* Host any number of services under a single hostname (for example, `your-company.com`) by routing via path, subdomain, headers, or any other [Traffic Policy variable](/traffic-policy/variables).
* Apply certain policies like authentication at your gateway, then layer in other policies for specific services.
* Prevent your services or their host systems from being exposed to the public internet.
* Give infrastructure and platform teams control over creating consistent global policy while also allowing developers to manage how traffic reaches their services.

## 1. Create an endpoint for your service

Start an internal [Agent Endpoint](/gateway/agent-endpoints/), replacing `$PORT` based on where your service listens.
You can also use one of the [SDKs](/agent-sdks) or the [Kubernetes Operator](/k8s).

```bash
ngrok http $PORT --url https://service.internal
```

## 2. Reserve a domain

Navigate to the [**Domains** section](https://dashboard.ngrok.com/domains) of the ngrok dashboard and click **New +** to reserve a free static domain like `https://your-service.ngrok.app` or a [custom domain](/gateway/custom-domains/) you already own.

We'll refer to this domain as `$NGROK_DOMAIN` from here on out.

## 3. Create a Cloud Endpoint

Navigate to the [**Endpoints** section](https://dashboard.ngrok.com/endpoints?sortBy=updatedAt&orderBy=desc) of the ngrok dashboard, then click **New +** and **Cloud Endpoint**.

In the **URL** field, enter the domain you just reserved to finish creating your [Cloud Endpoint](/gateway/cloud-endpoints/).

## 4. Add routing to your service with Traffic Policy

While viewing your new Cloud Endpoint in the dashboard, copy the policy below and paste it into the Traffic Policy editor.

```yaml
on_http_request:
  - actions:
      - type: forward-internal
        config:
          # Must match the URL the internal Agent Endpoint was started with
          url: https://service.internal
```

**What's happening here?** The Traffic Policy engine forwards all HTTP requests to the internal Agent Endpoint you created at `https://service.internal`.

## 5. Try out your endpoint

Visit the domain you reserved either in the browser or in the terminal using a tool like `curl`.
You should see the app or service at the port connected to your internal Agent Endpoint.

## Optional: Add a second service and routing

If you have another service to host under the front door pattern, start another agent.

```bash
ngrok http $PORT --url https://service-two.internal
```

Next, update your policy to route traffic based on the path.
Copy and paste the policy below into the ngrok dashboard, replacing `/one` and `/two` with the paths you'd like to use for routing traffic to each service.

```yaml
on_http_request:
  # Rules are evaluated in order; each forwards to the matching internal Agent Endpoint
  - expressions:
      - "req.url.includes('/one')"
    actions:
      - type: forward-internal
        config:
          url: https://service.internal
  - expressions:
      - "req.url.includes('/two')"
    actions:
      - type: forward-internal
        config:
          url: https://service-two.internal
```

**What's happening here?** The Traffic Policy engine forwards HTTP requests whose URL includes `/one` to the internal Agent Endpoint at `https://service.internal`, and requests whose URL includes `/two` to `https://service-two.internal`.
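
A tighter variant of the two-service policy, as an added example that is not part of the original ngrok page: it applies one gateway-wide rule before routing, matches on the path component rather than anywhere in the URL, and rejects anything that matches no route. It assumes the `req.url.path` variable, the CEL `startsWith` function, and the `rate-limit` and `deny` actions; the rule name, limit values, and 404 status code are illustrative choices.

```yaml
on_http_request:
  # Gateway-wide rule: no expression, so it runs for every request
  # before any routing decision is made.
  - actions:
      - type: rate-limit
        config:
          name: front-door-per-client-limit   # illustrative name
          algorithm: sliding_window
          capacity: 30                        # illustrative limit
          rate: 60s
          bucket_key:
            - conn.client_ip

  # Route on the path only. Matching '/one' exactly or as a prefix
  # followed by '/' keeps '/oneadmin' and '/two?next=/one' out of this rule.
  - expressions:
      - "req.url.path == '/one' || req.url.path.startsWith('/one/')"
    actions:
      - type: forward-internal
        config:
          url: https://service.internal

  - expressions:
      - "req.url.path == '/two' || req.url.path.startsWith('/two/')"
    actions:
      - type: forward-internal
        config:
          url: https://service-two.internal

  # Fallback: only reached when no route above forwarded the request.
  - actions:
      - type: deny
        config:
          status_code: 404
```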

## What's next?

* Explore [more routing options](/traffic-policy/examples/route-requests/) like routing by path, header, cookie, geographic location, or IP intelligence.
* [Add authentication](/traffic-policy/examples/add-authentication/) to your endpoints with OAuth, OIDC, JWT validation, or Basic Auth.
* View your traffic in [Traffic Inspector](https://dashboard.ngrok.com/traffic-inspector) to find potential issues or observe patterns of traffic you may want to [block using additional policies](/traffic-policy/examples/block-unwanted-requests/) on your Cloud Endpoint.
