Quickstart
Cloud endpoints are persistent and live until they are deleted. They are created via the ngrok Dashboard or API. Traffic Policy controls how a Cloud Endpoint handles traffic. See the Cloud Endpoints Quickstart for a step-by-step guide on how to create a Cloud Endpoint in the ngrok Dashboard. The following example uses the API to create a Cloud Endpoint which returns aHello world! 200 OK response.
Command line
traffic-policy.yml
URLs
URLs are validated differently depending on their binding. Consult the following documentation for details on valid URLs for TLS endpoints: There is no standard scheme for TLS URLs so ngrok renders them astls://.
Bindings
TLS endpoints supportpublic and internal bindings. kubernetes binding is
not supported.
Traffic Policy
Attach Traffic Policy to endpoints to route, authenticate and transform the traffic through your TLS endpoints.Authentication
When you create public TLS endpoints, you often want to secure them with authentication. You can secure your TLS endpoints with the following Traffic Policy actions. There is a limited set of actions available to authenticate TLS traffic because the TLS protocol is low-level.TLS Termination
TLS Endpoints provide you with the flexibility to define where TLS termination occurs. You may configure your endpoint to terminate TLS at the ngrok cloud service or you can achieve end-to-end encryption by terminating at the agent or your upstream service. When you use end-to-end encryption, the ngrok cloud service can not see payload that transit through your endpoints. Consult the documentation on TLS Termination Locations for additional details.Example
To terminate TLS Cloud Endpoint traffic at an agent or an upstream service, you must create a Cloud Endpoint, then use theforward-internal action to forward traffic to an internal endpoint.
-
Create a TLS Cloud Endpoint in the dashboard, or with the following CLI command, adding your Traffic Policy file:
Command line
-
Create a Traffic Policy file to forward traffic to the internal endpoint, adding
.internalto your domain for the url. For example, if you’re usingexample.ngrok.dev, your internal endpoint url should betls://example.internal:traffic-policy.yml -
Create an internal endpoint using the same url that your Traffic Policy references.
- At the upstream
- At the Agent
Certificates
It is very common to encounter certificate errors when working with TLS endpoints. When terminating TLS at ngrok’s cloud service, ngrok will automatically select, provision, and manage certs for you. When performing end-to-end encryption by terminating at the upstream service, you become responsible for provisioning, managing, and distributing certificates. Consult the documentation on TLS Certificates for details about certificate selection, provisioning and management.Compatible clients
SNI
TLS endpoints only work with modern TLS clients that populate the SNI extension. See the documentation on TLS Termination for additional details on compatible clients.STARTTLS
Protocols that begin in plain text and upgrade to TLS via a mechanism like STARTTLS in SMTP, IMAP, etc are not supported. If you need to support connections which upgrade to TLS, use a TCP Endpoint.Observability
Traffic Inspector
Traffic Inspector does not support TLS endpoints.Log exports
You can export logs of traffic to TLS endpoints with ngrok’s events system. The following events are published for log exporting:| Log | When |
|---|---|
| tcp_connection_closed.v0 | Published when a TCP connection to a TCP endpoint completes. |
Limits & timeouts
Contact Support if you need to configure limits and timeouts on connections to TLS endpoints.Connections
| Limit | Name | Notes |
|---|---|---|
| 3 seconds | ClientHello Timeout | Time between connection establishment and ClientHello received |
| 5 minutes | Client Idle Timeout | Time since data was last transmitted by the upstream service |
| 5 minutes | Server Idle Timeout | Time since data was last transmitted by the upstream service |
| No limit | Data transmitted | Data transmitted by the client or upstream service |