How Pangolin Works
Pangolin is a zero-trust access platform that provides secure, identity-centric access to applications and infrastructure - without opening firewall ports or deploying traditional VPNs. Let's walk through how the system works.
.png)
When teams expose services across multiple environments, the biggest challenges are usually consistency and scale. You might run a mix of cloud services, on‑prem systems, or even IoT devices in the field. Each environment has different access methods and security considerations, but you still need a single way to expose them securely, apply authentication, and control traffic.
Pangolin Blueprints provide a way to define this centrally. Instead of applying reverse proxy rules manually in different places, you describe each resource once using a declarative configuration. Pangolin then applies that configuration, ensuring that proxies, authentication, and target mappings stay consistent no matter where the service runs.
A Blueprint for a single HTTP service can be described in YAML. Below, a Grafana instance in a VPC is exposed at a domain with SSO enabled:
proxy-resources:
grafana:
name: Grafana
protocol: http
full-domain: grafana.example.com
auth:
sso-enabled: true
targets:
- hostname: localhost
port: 3000
method: http
For containerized workloads, you can define the same setup directly in a docker-compose.yml file using labels. The Newt agent detects these at startup and automatically provisions them in Pangolin:
services:
grafana:
image: grafana/grafana
container_name: grafana
labels:
- pangolin.proxy-resources.grafana.name=Grafana
- pangolin.proxy-resources.grafana.full-domain=grafana.example.com
- pangolin.proxy-resources.grafana.protocol=http
- pangolin.proxy-resources.grafana.auth.sso-enabled=true
- pangolin.proxy-resources.grafana.targets[0].method=http
- pangolin.proxy-resources.grafana.targets[0].port=3000
This approach means you don’t need to configure the proxy separately. Your Compose stack definition and your network access controls live in one place.
This short walkthrough shows a Grafana service being exposed with a Pangolin Blueprint, both through YAML and Docker labels.
Once services can be declared as code, a wide set of use cases follow naturally:
Blueprints also make it easier to handle traffic distribution and availability. You can attach multiple targets to a single resource, allowing Pangolin to automatically balance requests across services or fail over if one goes offline.
Here’s an example of a resource with two HTTP backends:
proxy-resources:
webapp:
name: WebApp
protocol: http
full-domain: app.example.com
targets:
- hostname: localhost
port: 8080
method: http
site: "aws-vpc-01"
- hostname: localhost
port: 8080
method: http
site: "aws-vpc-02"
For developers and operators, this keeps traffic rules explicit. Adding or removing targets is done through the config file rather than by re‑entering settings into a UI.
Another advantage of Blueprints is centralization. Access policies, authentication rules, and connection definitions are applied at the proxy layer and enforced the same way across all resources. For example:
Because these settings are declarative, they can be versioned, audited, and reviewed in the same way as application code. This reduces configuration drift and makes it easier for teams to collaborate on network and access policies.
Pangolin Blueprints provide a way to treat reverse proxy configurations as code and deploy applications that exist on any network anywhere. Whether you define YAML files checked into Git, or embed labels in Compose stacks, service definitions and access controls are created automatically when infrastructure comes online.
That makes it straightforward to manage reverse proxies, authentication policies, load balancing, and site‑to‑site connections from a single place without duplicating manual steps across environments.
Learn more by reading our documentation.
