Frontdoor overview
The new front door of the internet isn't built on brittle public IPs and static ports—it's a streaming, identity-aware HTTP tunnel, activated when you need it and invisible when you don't. Using NetFoundry's zero trust native overlay, NetFoundry Frontdoor proxies global web traffic through hardened frontends and a zero-trust overlay network so your backend stays tucked quietly behind closed doors. No inbound port mappings, no DNS chaos, no firewall fatigue—just elegant, encrypted HTTP conversations routing securely from the world to your app.
Forget the complexity and risk of traditional methods. Frontdoor is your modern internet edge, providing a hardened, globally distributed entry point that seamlessly connects services across your data center, Kubernetes clusters, and multi-cloud environments.
Architecture
Why deploy complexity when you can simply connect? We do the heavy lifting of edge hardening and continuous security by leveraging the OpenZiti fabric. Lightweight Agents establish outbound-only connections, creating dark, identity-based tunnels for your services.
Going beyond basic tunneling, Frontdoor provides a single control plane for centralized management, access control, and observability. This is frictionless security that delights developers and satisfies the CISO.

Features
- Share an enterprise service or API: Securely expose internal web services, enterprise APIs, or company websites by proxying a target web server specified as an HTTP/S URL.
- Custom DNS and branding: Use your own domain names for publicly exposed services, allowing for complete custom branding and seamless integration with existing DNS infrastructure.
- Zero trust: Uses OpenZiti's mesh overlay network to continuously authenticate and authorize every user, device, and application.
- Easy to use: Features a simple management console allowing you to start sharing quickly.
- Controlled access: Restrict service access by integrating with an auth provider such as an OIDC-compliant system, Google OAuth, or GitHub OAuth to enforce policies based on user identity, email domains, or organization membership.
- Hardened entry point: All managed frontends automatically handle failover and use a Web Application Firewall (WAF) with protection rules to filter and mitigate malicious traffic and anonymous abuse from the web.
- Secure backhaul: The data link between the frontends and your Frontdoor agent is automatically encrypted and can't be eavesdropped, impersonated, or manipulated.
- Convenient deployment: The lightweight Frontdoor agent installs easily as a Linux package.
- Management console: Provides beautiful visualization of usage metrics over useful time frames.
- Activity logs: Logs every request your share service handles on your server.
Hit next to get started with Frontdoor!