Cloud Access Proxy for Internal Apps
TL;DR
Cloud-native proxy for DevOps/SRE engineers at AWS/GCP companies that auto-whitelists IP ranges (syncing with cloud provider CIDRs) and enforces OAuth/OIDC for internal app access (e.g., Grafana) so they can eliminate VPNs and reduce security breaches from public exposure by 90% while cutting manual IP management time by 8+ hours/week.
Target Audience
DevOps/SRE engineers and Cloud Architects at mid-sized to large companies using AWS/GCP, who need to expose internal cloud apps (like Grafana, monitoring tools) securely without VPNs.
The Problem
Problem Context
Companies need to expose internal tools (like Grafana, dashboards) to employees but lack a VPN. They try NLB + IP whitelisting or OAuth/OIDC, but both are manual and risky. Without a secure way to restrict access, they either leave tools exposed or deal with downtime when IPs change.
Pain Points
Manual IP whitelisting is error-prone and breaks when company IPs change. OAuth/OIDC adds complexity and doesn’t fully replace IP restrictions. No automated way exists to enforce ‘company-IP-only’ access while keeping tools private. Current solutions require heavy lifting (VPNs, NLBs) or leave gaps in security.
Impact
Downtime from misconfigured access costs hours of lost productivity. Security risks from public exposure can lead to breaches. Teams waste time manually updating IPs or troubleshooting broken access. Missed revenue opportunities if internal tools (like dashboards) are unavailable to critical teams.
Urgency
This is a blocking issue—internal tools must stay accessible, but exposing them publicly is a security risk. Companies can’t ignore it because manual workarounds fail over time. A single IP misconfiguration can cause outages or breaches, making this a high-priority fix.
Target Audience
DevOps/SRE engineers, Cloud Architects, and Security Teams at mid-sized to large companies using AWS/GCP. Any organization with internal cloud apps (Grafana, monitoring tools) that needs secure, non-VPN access for employees. Startups and enterprises without VPNs but with cloud infrastructure also face this.
Proposed AI Solution
Solution Approach
A cloud-native proxy service that automatically restricts access to internal apps based on company IP ranges and enforces OAuth/OIDC. It sits between users and internal tools, acting as a secure gateway without requiring VPNs. The service auto-updates whitelisted IPs and logs all access for auditing.
Key Features
- OAuth/OIDC Enforcement: Requires company credentials before granting access, eliminating public exposure risks.
- Envoy Gateway Integration: Works seamlessly with existing Kubernetes setups (no NLB or ingress changes).
- Access Logging: Tracks who accessed what and when, helping with security audits and troubleshooting.
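The core decision the Solution Approach and Key Features describe, as an added illustration rather than code from the product: the allowlist is rebuilt from a provider CIDR feed on each sync, the client address is recovered from X-Forwarded-For without trusting client-supplied hops, and a request passes only when both the network check and the OIDC identity check hold. The feed shape follows AWS's public ip-ranges.json, but the prefixes, regions and trusted-proxy range below are constructed sample values, and `oidc_subject` stands in for whatever the gateway's token validation yields.

```python
from __future__ import annotations
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json; the
# prefixes are documentation ranges, not real company egress addresses.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

def build_allowlist(ip_ranges_json: str, regions: set[str]) -> list:
    """Rebuild the allowlist from the provider feed on every sync, filtered to
    the regions the company actually egresses from; never hand-edited."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["region"] in regions]

def client_ip(xff: str | None, remote_addr: str, trusted_proxies: list):
    """Walk X-Forwarded-For from the right, skipping only hops we operate.
    The first hop we do not trust is the client; anything left of it is
    attacker-controllable and must not influence the decision."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    candidate = ipaddress.ip_address(remote_addr)
    while hops and any(candidate in net for net in trusted_proxies):
        candidate = ipaddress.ip_address(hops.pop())
    return candidate

def authorize(remote_addr: str, xff: str | None, oidc_subject: str | None,
              allowlist: list, trusted_proxies: list) -> tuple[bool, str]:
    """Both controls must pass; the reason string is what gets written to the
    audit log so failed attempts are attributable to a network or an identity cause."""
    ip = client_ip(xff, remote_addr, trusted_proxies)
    if not any(ip in net for net in allowlist):
        return False, f"deny: {ip} not in company allowlist"
    if not oidc_subject:
        return False, f"deny: {ip} allowed but request carries no authenticated OIDC subject"
    return True, f"allow: {ip} user={oidc_subject}"

if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_IP_RANGES, {"eu-west-1"})
    proxies = [ipaddress.ip_network("10.0.0.0/8")]  # constructed: our own load balancer tier
    print(authorize("10.0.0.5", "203.0.113.7", "alice@example.com", allow, proxies))
    print(authorize("10.0.0.5", "203.0.113.7, 192.0.2.4", "alice@example.com", allow, proxies))
```

A provider-wide CIDR feed covers every tenant in that region, so the allowlist narrows exposure while the OIDC check is what binds access to company users; the second call shows a forged leftmost X-Forwarded-For entry failing because the real client hop (192.0.2.4) is the one evaluated.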
User Experience
Teams set it up in minutes via a cloud provider integration. Employees access internal tools as usual, but the proxy silently checks their IP and OAuth credentials. Admins get alerts for failed access attempts and can revoke IPs instantly. No VPN setup or complex networking—just secure, automatic access control.
Differentiation
Unlike VPNs or NLBs, this is a lightweight proxy that doesn’t require client software or heavy infrastructure. It combines IP whitelisting (for network-level security) with OAuth/OIDC (for user-level auth), which no other tool does natively. Works with existing Envoy Gateway setups, so no migration is needed. No dominant giant solves this exact problem—most options are either too heavy (VPNs) or too manual (IP whitelisting).
Scalability
Starts with a single team and scales to enterprise via seat-based pricing. Supports multiple cloud providers (AWS, GCP) and can add more over time. Enterprise features (like advanced logging or SSO) unlock as teams grow. The proxy model ensures low overhead, even for large user bases.
Expected Impact
Eliminates downtime from IP misconfigurations and reduces security risks from public exposure. Saves hours of manual work per week. Teams can expose internal tools confidently, knowing access is both network-restricted and user-authenticated. Security teams get audit logs and real-time alerts for suspicious activity.