How it works
You install a lightweight agent on a host inside your network. The agent makes a single outbound connection to Subnomic — there are no inbound ports to open. All access (SSH, database queries, internal dashboards, kubectl) is multiplexed over that one tunnel.
Because the agent dials the target from inside your network, the database password, the cluster ServiceAccount and the internal dashboards never have to be exposed to the internet. Subnomic brokers the connection, enforces who is allowed, and records what happened.
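A check that follows from the outbound-only model above, as an added example (not Subnomic's own tooling): list the TCP listeners on the agent host that are bound to a non-loopback address, since those are the services still reachable without going through the tunnel. The function name and the sample `ss` output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find TCP listeners on an agent host that are bound to a
# non-loopback address. Input is `ss -tln` output on stdin; output is one
# "address:port" per listener that other hosts could reach (unless a
# firewall blocks it). Loopback-only services are skipped.

exposed_listeners() {
  awk '
    $1 == "LISTEN" {
      addr = $4
      sub(/:[^:]*$/, "", addr)      # drop the trailing :port
      gsub(/\[/, "", addr)          # strip IPv6 brackets
      gsub(/\]/, "", addr)
      if (addr ~ /^127\./ || addr == "::1") next   # loopback only
      print $4
    }'
}

# Constructed sample of `ss -tln` output (not taken from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 [::1]:6379 [::]:*
LISTEN 0 4096 *:9100 *:*'

# Run against the sample; on a live host use: ss -tln | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

In the sample, Postgres and Redis are loopback-only and so reachable only by a local process such as the agent, while the SSH and port 9100 listeners are bound to all interfaces and are candidates for rebinding or firewalling.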
The building blocks
- Servers — the hub for a host: its agents, an interactive terminal, recorded sessions, metrics and the access gate.
- Agents — the outbound connector you install (host / tunnel / kubernetes / docker). It's what makes a server real.
- Databases — a browser SQL/command console to Postgres, MySQL, Redis and Mongo.
- Internal apps — open internal HTTP dashboards through the tunnel.
- Kubernetes — full kubectl (via a generated kubeconfig) and a browser API console.
- Guardrails — allow / deny / require-approval rules on what can run.
- Live sessions — watch an active terminal in real time, join it, or terminate it.
- Access requests (JIT) — time-boxed, approved access to any target (database, server, app or cluster).
- Break-glass — a logged emergency path for incidents.
Where things live
Terminal and Agents are not separate pages — they're tabs inside a server, next to Sessions, Metrics and Access. Databases, Internal apps and Kubernetes have their own sections because a target can be reached by an agent on any server.