The Front Door pattern is a common API gateway design where a single public endpoint serves as the centralized entrance to your upstream services. Why use this pattern? It creates a clear boundary between your public-facing gateway and your internal services and creates a consistent interface for exposing them to the public internet. This simplifies how you manage ingress, helps you route traffic to multiple services, and gives you a unified place to apply gateway-wide policies like authentication, rate limiting, and more. With this pattern, you can:
  • Host any number of services under a single hostname (e.g. your-company.com) by routing via path, subdomain, headers, or any other Traffic Policy variable.
  • Apply certain policies like authentication at your gateway, then layer in other policies for specific services.
  • Prevent your services or their host systems from being exposed to the public internet.
  • Give infrastructure and platform teams control over creating consistent global policy while also allowing developers to manage how traffic reaches their services.

1. Create an endpoint for your service

Start an internal Agent Endpoint, replacing $PORT based on where your service listens. You can also use one of our SDKs or the Kubernetes Operator. 
ngrok http $PORT --url https://service.internal

2. Reserve a domain

Navigate to the Domains section of the ngrok dashboard and click New + to reserve a free static domain like https://your-service.ngrok.app or a custom domain you already own. We’ll refer to this domain as $NGROK_DOMAIN from here on out.

3. Create a Cloud Endpoint

Navigate to the Endpoints section of the ngrok dashboard, then click New + and Cloud Endpoint. In the URL field, enter the domain you just reserved to finish creating your Cloud Endpoint.

4. Add routing to your service with Traffic Policy

While still viewing your new Cloud Endpoint in the dashboard, copy and paste the policy below into the Traffic Policy editor. 
on_http_request:
  - actions:
      - type: forward-internal
        config:
          url: http://service.internal
What’s happening here? The traffic policy engine forwards all HTTP requests to the internal agent endpoint you created at https://service.internal.

5. Try out your endpoint

Visit the domain you reserved either in the browser or in the terminal using a tool like curl. You should see the app or service at the port connected to your internal Agent Endpoint.

Optional: Add a second service and routing

If you have another service to host under the front door pattern, start another agent. 
ngrok http $PORT --url https://service-two.internal
Next, update your policy to route traffic based on the path. Copy and paste the policy below into the ngrok dashboard, replacing /one and /two with the paths you’d like to use for routing traffic to each service. 
on_http_request:
  - expressions:
      - "req.url.includes('/one')"
    actions:
      - type: forward-internal
        config:
          url: http://service.internal
  - expressions:
      - "req.url.includes('/two')"
    actions:
      - type: forward-internal
        config:
          url: http://service-two.internal
What’s happening here? The traffic policy engine forwards all HTTP requests to the /one path to the internal agent endpoint at https://service.internal and requests to the /two path to https://service-two.internal.

What’s next?