- Internal hostnames and private IPs are not shown to external users
- The connector resolves the upstream inside your network
- Access is workspace-scoped, with app-level allowlists and TTLs
Private App Access Beta
Open internal web apps to outside users — no device VPN
Give a contractor or partner access to one internal web app through a friendly alias. A connector inside your network resolves the real address privately, so external users never see your internal hostnames or IPs.
Private App Access is in Beta. It's offered as sales-assisted early access while we complete production hardening — talk to us about a pilot.
How it works
Alias → connector → internal upstream
An external user opens a friendly alias host in Chrome.
The request reaches a connector you run inside your own network.
The connector resolves the real internal upstream and relays the response — the real address never leaves your network.
Two paths, two levels of visibility
BusinessProxy has two access paths, and they don't see the same things. We state this plainly.
| Browser-proxy path (Layer 1) | Alias / reverse-proxy path (Layer 2) |
|---|---|
| Does not inspect HTTPS content | Is a Layer-7 reverse proxy |
| Sees domain and network metadata | Sees HTTP method, path and headers |
| Filtering by domain/category only | Processes L7 metadata for routing, policy, audit |
If you route an internal app through the alias path, you should know it operates at Layer 7. That's a deliberate disclosure, not a footnote.
What stays hidden
External users reach the app through the alias only
Hiding internal addresses is one layer — combined with session policy, short TTLs and connector-only resolution. It reduces what external users can see; it is not a standalone guarantee that attacks are impossible.
Private App Access is part of Business Plus
Contact sales to discuss a pilot.