Skip to content
New: see your fit and get a tailored quote in minutes.Try the estimator
Menu
Request a demo Sign in
Operate

Hybrid Connectivity

Reach tools in your network with an outbound-only bridge

Govern tools that live inside a customer network without opening inbound holes. A lightweight bridge agent enrolls from inside the network and dials out, so the control plane can dispatch work to connectors on the other side while secrets stay on the customer edge.

  • Internal tools become governable from the control plane without any inbound firewall change
  • Credentials never leave the customer network
  • Bridge connections are visible, audited, and revocable by operators
Request a demo Read the docs

The problem

Your team runs tools inside a private network, behind a firewall, or in an air-gapped environment. To govern those tools from a central platform, someone has to open an inbound hole, copy credentials out of the network, or build a one-off tunnel. Each option creates a security problem or gets blocked by the network team before it starts.

Without IntegraCI

  • Inbound firewall rules opened for every tool the platform needs to reach
  • Credentials copied out of the network so the control plane can use them
  • No platform visibility into tools that live behind the perimeter
  • One-off tunnels or proxies built separately for each internal system

With IntegraCI

  • A bridge agent that dials out with no inbound port to open
  • Credentials that stay on the customer edge, never sent to the control plane
  • Enrolled bridges that heartbeat and are visible to operators
  • Work dispatched through a queue to connectors on the other side of the bridge

What you get

Outbound-only

The bridge agent dials out, so there is no inbound hole to open.

Secrets stay edge-side

Credentials live on the customer edge, not in the control plane.

Enrolled and revocable

An operator enrolls a bridge, sees it heartbeat, and can revoke it.

Dispatch over the queue

Work is routed to connectors across the bridge through a queue.

How it works

  1. 1

    Enroll the bridge

    An agent enrolls from inside the network with a one-time token.

  2. 2

    It dials out

    The bridge maintains an outbound connection and heartbeats.

  3. 3

    Dispatch work

    The control plane routes connector work across the bridge.

How it stays governed

The same gates everyone passes, applied here.

Gated by policy

Bridge enrollment is controlled by a one-time token, and each bridge is revocable by an operator at any time. Policy as code governs which connectors are reachable through the bridge, so only authorized tools receive dispatched work and an unenrolled bridge stops receiving it immediately.

Recorded, tamper-evident

Each enrollment, heartbeat, and dispatch event writes to a tamper-evident audit trail. Operators can see when a bridge enrolled, confirm it is active, and inspect what work was routed across it, without relying on network logs that may be outside the platform's control.

Works with your stack

Connect the tools you already run.

Any connector that targets a tool inside a private network can be routed through the bridge, including internal SCMs, CI systems, infrastructure targets, and security scanners.

  • Atlassian
  • Gerrit
  • Gitea
  • GitHub
  • GitLab
  • Microsoft
  • Akuity
  • Amazon Web Services
  • Buildkite
  • CircleCI
  • CNCF Tekton
  • Drone CI
  • Harness
  • Jenkins
  • Apple
  • Argo Project
  • AWS
  • Cloudflare
  • +43 more

Who it’s for

Where teams reach for it.

Connect an on-premises source control server

Teams running an internal Git server behind a corporate firewall enroll a bridge inside that network. The control plane reaches the repository through the bridge without any inbound rule change on the customer side.

Govern internal security scanners

Security tools that run inside the perimeter can receive connector work through the bridge. IntegraCI routes jobs to them and collects results, so findings reach the same governance pipeline as tools hosted in the cloud.

Operate inside an air-gapped environment

Regulated teams that prohibit inbound internet connections deploy the bridge agent inside the boundary. The agent dials out, so the control plane can dispatch work to internal tools without violating the network policy.

Questions, answered.

Does setting up a bridge require opening a firewall port?

No. The bridge agent dials out from inside the network and holds an outbound connection open. The control plane sends work through that connection, so no inbound rule needs to change on the customer side.

Where do tool credentials live?

Credentials stay on the customer edge. The bridge agent holds them locally and uses them to run connector work inside the network. They are never transmitted to the control plane.

How does an operator know a bridge is healthy?

An enrolled bridge sends regular heartbeats that appear in the platform. If a bridge goes silent, that state is visible. An operator can revoke a bridge at any time, which stops it from receiving dispatched work.

Can IntegraCI reach more than one private network at the same time?

Yes. Each bridge enrolls separately with its own one-time token and operates independently. You can run bridges in different networks or network segments, each carrying connector work for the tools inside that boundary.

Related capabilities

Secure

Access Governance

Just-in-time, time-bound access instead of standing keys

 Govern

Policy as Code

Write governance rules as versioned, tested code

 Operate

Multi-Target Deployment

Deploy and manage across Kubernetes, VMs, serverless, and static sites

Put Hybrid Connectivity on your stack.

Request a demo, or read the docs to see how it fits the tools you already run.

Request a demo Read the docs