Secure Endpoints

For GRAX-Hosted and GRAX-Managed deployments of the GRAX application, customers can take advantage of GRAX-provided secure endpoint technology to reduce cost, improve security posture, reduce infrastructure complexity, and shorten initial deployment time.

What is a Secure Endpoint?

GRAX utilizes a third party service, ngrok, to expose applications at controlled domain names. Each application generates a subdomain on secure.grax.io when it first starts and this subdomain is used to access the application. This subdomain is unique to the application and is secured with a globally unique set of credentials. Every time the GRAX application launches, it establishes a connection with the ngrok services, creates a tunnel, and begins serving content at the associated subdomain.

What is ngrok?

ngrok is third-party service that provides secure networking tools for internal and production use cases. Their website can be found here, and their trust site with compliance and security information can be found here. GRAX uses the ngrok product as a SaaS component of select provided services.

Why does GRAX use Secure Endpoints?

Cost and Complexity

In a traditional cloud infrastructure stack designed to run a monolithic internet facing application, the following components are required just to get traffic in to the application securely (some data storage resources are absent from this list for simplicity):

  1. Public Domain Name
  2. Application Load Balancer
  3. DNS entry to direct traffic to the Load Balancer
  4. Web Application Firewall
  5. Application Server

In GRAX-managed deployments, only the application server is necessary to serve traffic. This reduces complexity of the infrastructure and reduces the overall cost of ownership of GRAX. This also means that all GRAX-managed and hosted deployments share the same ingress pattern (not secrets), making all applications part of a consistent monitoring, security, and maintenance process regardless of Cloud Provider and installation environments.


Environments deployed to use a secure endpoint are, at the infrastructure level, configured with zero means of external ingress to any resource. The application server is not reachable from outside the containing security group or VPC/VNET and data stores are only accessible from the application server. This means that there is a reduced risk of extraneous or accidental exposure of attack surfaces as doing so would require substantial changes to network security resources instead of a mere misconfiguration of a security group or VPC/VNET.

Additionally, since the GRAX application never binds to a static pre-determined port in these deployments, the opportunity for a malicious service to take over that port and serve traffic from your ALB is eliminated. The GRAX application creates, maintains, and protects the tunnel to the ngrok service as part of the application lifecycle, not as a static configuration within the server file system. The secrets that are used to establish the tunnel are unique to the application and are not shared with any other application, and are not stored locally on the server.

If customers wish to take a advantage of additional features of ngrok such as custom domains, integrated WAF, DDoS protection, etc., they can do so by contacting GRAX Support.

Deployment Time

Requiring a public domain name, DNS changes, and an ingress path infrastructure that may be run in an otherwise isolated network segment can add significant time and complexity to any deployment of GRAX. This often means that several teams need to be involved immediately in the deployment process before even the first resource gets deployed. A secure endpoint avoids the need for those resources, allowing the GRAX application to be deployed and running in minutes instead of hours or days.


GRAX is an enterprise solution under constant development and improvement. This includes reliability, efficiency, performance, cost, security, and portability improvements that allow the application and service to meet the goals of a varied customer base. Architectures that reduce the dependency on cloud provider specific services and resources allow GRAX to install across competing providers (AWS, Azure, GCP), across environments of different scales (Cloud, On-Prem, Docker, or a Laptop), and across different deployment models (Managed, Hosted, Self-Managed) with minimal inconsistencies between environments.

This also means that the application environment itself is more portable since connectivity of end users is controlled by the application. Failing over to an alternative geographic zone or region does require changing the ingress path or modifying DNS rules on the fly. Simply boot the application with data stores that contain the same information in a new region, account, zone, or even cloud provider, and focus on the rest of your business.

How does the GRAX Secure Endpoint System Work?

GRAX-managed and GRAX-hosted applications are designated to use a secure endpoint upon creation within GRAX Platform. When the infrastructure deployment is completed, the application checks in with hq.grax.com for purposes of licensing, telemetry, and secure endpoint management. The application then establishes a connection with the ngrok service based on data retrieved from hq.grax.com. This interaction with ngrok happens entirely within the GRAX application via the ngrok Agent SDK for Go. When the GRAX application is offline, a default error page is displayed by ngrok automatically whenever someone tries to access the application subdomain.


If you have any remaining questions about GRAX secure endpoints, please reach out to GRAX Support for more information.