
Secure Developer Tunneling Without Exposing Internal Networks

Enabling a distributed team to access sensitive internal resources securely without the friction of traditional VPNs.

Sana Iqbal

Security Program Lead, Verity Stack

"The identity-aware tunnel model reduced both onboarding friction and audit ambiguity."

The Challenge

A distributed team needed access to private staging environments and internal databases securely. Traditional VPNs were causing significant friction, slowing down onboarding, and creating a "hard shell, soft center" security perimeter that was vulnerable to lateral movement if breached.

The existing VPN solution required manual certificate management and performed poorly for international contractors. Furthermore, once inside the VPN, a user had broad network access, violating the principle of least privilege. The challenge was to move to a Zero Trust architecture where access is authenticated and authorized per request, not just per session.

Constraints & Requirements

  • No public ingress ports allowed on internal networks
  • Granular access control per service, not just per network segment
  • Seamless developer experience (minimal local config)
  • Complete audit trail of all connections and commands

System Considerations

What had to be true

  • Identity-aware proxy for all requests (authenticating via IDP)
  • Outbound-only connections from internal agents to the control plane
  • Short-lived distinct certificates for every session

Non-negotiables

  • Zero Trust principles applied to every request
  • No persistent static credentials on developer machines
  • Performance impact must be negligible compared to direct connection

Architecture Approach

We implemented an identity-aware proxy architecture. Internal resources run lightweight agents that establish outbound, persistent TLS connections to a central edge control plane. When a developer authenticates (via SSO), each of their requests is tunneled through this existing connection. This eliminates the need to open inbound firewall ports.

Policies are enforced at the edge, meaning unauthorized requests never reach the internal network infrastructure. This setup allows for "Just-in-Time" access grants for specific databases or services. See Cloudflare's explanation of Zero Trust for the foundational concepts used here.

Figure 3: Identity-Aware Proxy Tunnel
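The edge-side decision described above, as an added illustration that is not the case study's own code: the edge evaluates policy against a verified SSO token payload, mints a short-lived credential bound to one subject and one service, records the decision for the audit trail, and the internal agent accepts a tunneled request only with a valid, unexpired credential for exactly its service. The policy table, the shared key and the use of an HMAC-signed session token in place of the per-session certificates the write-up mentions are simplifying assumptions; verification of the IdP's signature on the SSO token is assumed to have happened before `mint_session` is called.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed edge policy: which IdP groups may reach which internal service, and the session TTL.
POLICY = {
    "staging-db":  {"groups": {"backend", "sre"}, "ttl_s": 900},
    "staging-api": {"groups": {"backend", "frontend", "sre"}, "ttl_s": 3600},
}
EDGE_KEY = b"constructed-shared-key"  # edge <-> agent key (assumption; per-agent and rotated in practice)
AUDIT_LOG = []                        # one record per decision, allow or deny


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session(claims: dict, service: str, now: float):
    """Edge: evaluate policy for the verified SSO token payload and, if allowed,
    mint a short-lived session token bound to subject + service. Returns None on deny."""
    rule = POLICY.get(service)
    allowed = bool(rule and claims.get("exp", 0) > now
                   and rule["groups"] & set(claims.get("groups", [])))
    token = None
    if allowed:
        body = json.dumps({"sub": claims["sub"], "svc": service, "sid": secrets.token_hex(8),
                           "exp": now + rule["ttl_s"]}, sort_keys=True).encode()
        token = _b64(body) + "." + _b64(hmac.new(EDGE_KEY, body, hashlib.sha256).digest())
    AUDIT_LOG.append({"ts": now, "sub": claims.get("sub"), "svc": service,
                      "decision": "allow" if allowed else "deny"})
    return token


def agent_accepts(token, service: str, now: float):
    """Internal agent: the request is forwarded only if the token is untampered,
    unexpired, and issued for this exact service. Returns the session id or None."""
    try:
        b64body, b64sig = token.split(".")
        body = _unb64(b64body)
        expected = hmac.new(EDGE_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(b64sig), expected):
            return None  # signature check first, before trusting any field
        sess = json.loads(body)
        if sess["svc"] != service or now >= sess["exp"]:
            return None
        return sess["sid"]
    except (ValueError, AttributeError, KeyError):
        return None
```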

Trade-offs & Decisions

Prioritized

  • Granular security and observability/auditing
  • Developer onboarding speed (SSO-driven)
  • Reduction of attack surface (no open ports)

Intentionally Not Optimized

  • Raw throughput for massive file transfers (not a primary use case)
  • Support for legacy non-TCP protocols (UDP requires specific tunneling)
  • Decentralized management (centralized policy enforcement was a feature, not a bug)

Outcome

Developers can now spin up environments and access production-like data securely from coffee shops or home offices without managing VPN keys. The security team has full visibility into who accessed what service and when, down to the query level for some protocols.

Onboarding time for network access reduced from 2 days to 5 minutes

Zero exposed public ports across the entire internal fleet

100% audit coverage for internal service access

Security doesn't have to be a blocker. By shifting from network-centric to identity-centric access, we simultaneously improved the security posture and the developer experience.