Agents overview
The NetFoundry Frontdoor agent is the core component that enables secure connectivity between your local infrastructure and NetFoundry's global network. Acting as a lightweight, secure proxy, the agent creates and manages Environments that serve as the foundation for exposing your backend services through Shares without requiring inbound firewall ports or complex network configuration.
What is an agent?
A NetFoundry Frontdoor agent is a software component that you install and run on your infrastructure to establish secure connectivity with NetFoundry's network. The agent acts as the bridge between your local services and the global NetFoundry infrastructure, enabling you to share your applications and services with external users securely and efficiently.
The agent is designed as a lightweight binary that runs seamlessly across various platforms and operating systems, requiring only outbound network connections without any inbound firewall ports. Upon successful bootstrapping, it automatically creates secure Environments and implements zero-trust security through cryptographic identity and secure tunneling protocols. The agent operates in a self-managing capacity, handling connection maintenance, authentication, and resource management automatically while providing comprehensive cross-platform support for Windows, Linux, macOS, and containerized deployments.
Agent management
Agent lifecycle management
- Installation: Begin by downloading and installing the appropriate agent binary for your platform, or by using a Docker image. Configure service or process management according to your infrastructure needs, choosing whether to run the agent as a system service, as a daemon, or under manual process management. Prepare the bootstrap token for initial enrollment before starting the agent.
- Operation: The agent runs continuously as a system service or daemon, maintaining secure connections automatically while handling share creation and traffic routing transparently without manual intervention.
- Removal: Agents can be deleted to completely remove access to NetFoundry infrastructure. This deletion process removes all associated Environments and Shares, ensuring clean removal with no orphaned resources remaining in the system.
Security and best practices
Agent security
- Cryptographic identity: Each agent receives a unique, cryptographic identity that cannot be spoofed or replicated.
- Outbound-only connectivity: Agents only make outbound connections, eliminating the need for inbound firewall rules.
- Secure tunneling: All traffic between agents and NetFoundry infrastructure is encrypted end-to-end.
- Token security: Bootstrap tokens are time-limited and attempt-limited to prevent unauthorized use.
Deployment best practices
- Strategic placement: Install agents close to your backend services to minimize latency while considering network topology and bandwidth constraints when planning deployment locations. Deploy multiple agents across different locations to ensure high availability and effective load distribution.
- Resource planning: Ensure adequate system resources are available for optimal agent operation by monitoring performance and resource utilization continuously. Plan for scaling requirements based on expected traffic patterns and usage growth to maintain service quality.
- Security hardening: Follow established system security best practices for agent host systems, including regular software updates to the latest agent versions. Monitor agent logs consistently for security events and anomalies that may indicate potential threats or operational issues.
- Bootstrap token management: Generate bootstrap tokens immediately before agent installation and use them promptly before expiration to maintain security. Distribute tokens securely only to authorized personnel and implement monitoring for token usage and expiration to prevent unauthorized access.
Integration with other components
Relationship with environments
Agents serve as the foundation for Environments, with the installation and bootstrapping process automatically creating an Environment for each agent. Each agent maintains exactly one Environment, which represents the secure runtime context that the agent provides for service operations.
Connection to shares
Agents enable Share functionality by routing traffic through secure tunnels to backend services while handling all the necessary secure tunneling operations. Share performance directly depends on agent connectivity quality, and a single agent can efficiently support multiple Shares operating simultaneously.
Frontend integration
Agents work with frontends through Shares to create a complete connectivity path from the public internet to private services. Frontends receive public traffic and route it to Shares, while agents receive the Share traffic and deliver it securely to the designated backend services.