Database Gateway
A database gateway provides secure access to databases exposed to external clients. It enforces authentication, rate limiting, and logging before requests reach your database, while optionally transforming queries to prevent costly operations or data exposure.
With this setup, you can:
- Enforce strict mTLS certificate authentication before any database access
- Rate limit requests per client to prevent abuse and runaway costs
- Block dangerous queries to protect sensitive data
- Support secure database replication across clouds without exposing credentials
1. Create an endpoint for your database service
Start an internal Agent Endpoint for your database proxy or HTTP database interface, replacing $PORT based on where it listens.
You can also use one of our SDKs or the Kubernetes Operator.
2. Reserve a domain
Navigate to the Domains section of the ngrok dashboard and click New + to reserve a free static domain like https://your-service.ngrok.app or a custom domain you already own.
We'll refer to this domain as $NGROK_DOMAIN from here on out.
3. Create a Cloud Endpoint
Navigate to the Endpoints section of the ngrok dashboard, then click New + and Cloud Endpoint.
In the URL field, enter the domain you just reserved to finish creating your Cloud Endpoint.
4. (Optional) Create a vault and secrets
For production environments, store your CA certificate securely using Traffic Policy Secrets. This step is optional—you can also include the certificate directly in your policy.
Create a vault to store your CA certificate:
Add your CA certificate to the vault using the vault ID from the response:
5. Apply Traffic Policy to your Cloud Endpoint
While still viewing your new cloud endpoint in the dashboard, copy and paste the policy below into the editor.
What's happening here? This policy enforces mTLS certificate authentication where clients must present valid certificates signed by your trusted CA. Clients are rate limited based on their certificate identity, dangerous SQL operations are blocked, and authenticated requests are forwarded to your database service.
If you don't have certificates, you can generate them using the steps in the mTLS example documentation:
Add the contents of ca.crt to your vault as client-ca-certificate.
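For a CA and client certificates to test with, the following added example (not taken from the ngrok documentation) uses openssl to build a throwaway CA and a client certificate, then checks which certificates chain to ca.crt, the same trust decision the mTLS step makes. The names replica-client-1 and rogue-client, the key sizes, the lifetimes, and the use of the subject CN as the client identity are all assumptions.

```shell
#!/bin/sh
# Added example, not ngrok's own steps. All names, key sizes and lifetimes
# below are constructed for illustration.
WORKDIR=$(mktemp -d)

# Create the CA; ca.crt is what goes into the vault as client-ca-certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example DB Gateway CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a client certificate for CN=$1, signed by the CA, for client auth only.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORKDIR/client.ext"
  openssl x509 -req -in "$WORKDIR/$1.csr" -days 30 \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/client.ext" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Self-signed certificate for CN=$1 that does not chain to the CA.
make_untrusted() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Succeeds only if $1.crt chains to ca.crt and is usable as a TLS client cert.
chains_to_ca() {
  openssl verify -purpose sslclient -CAfile "$WORKDIR/ca.crt" \
    "$WORKDIR/$1.crt" 2>/dev/null | grep -q ': OK$'
}

# Print the subject CN (assumed here to be the per-client identity).
client_cn() {
  openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

make_ca
issue_client replica-client-1
make_untrusted rogue-client
for c in replica-client-1 rogue-client; do
  if chains_to_ca "$c"; then echo "$c: accepted (CN=$(client_cn "$c"))"
  else echo "$c: rejected"; fi
done
# Against the live endpoint, present the pair with:
#   curl --cert replica-client-1.crt --key replica-client-1.key "https://$NGROK_DOMAIN"
```

Keep ca.key off the gateway and out of the vault: only ca.crt is needed to verify clients, and anyone holding ca.key can mint certificates the endpoint will accept.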
6. Try out your endpoint
Visit the domain you reserved either in the browser or in the terminal using a tool like curl.
You should see the app or service at the port connected to your internal Agent Endpoint.
Test the mTLS authentication and rate limiting:
What's next?
- Read about other gateway shapes you can build with ngrok
- Learn more about mTLS certificate authentication for high-security environments
- For token-based authentication, explore JWT validation as a scalable alternative to basic authentication
- Set up comprehensive logging to send database access events to your SIEM or monitoring platform
- Use URL rewriting to transform database queries or add security constraints
- View database access patterns in Traffic Inspector to identify potential security issues