Nebius Tunnels lets you expose a service running on a virtual machine (VM), on your laptop or behind a firewall to the internet without opening inbound firewall ports, assigning a public IP address to the service or configuring DNS and TLS certificates.

How tunnels work

A tunnel consists of:
  • A tunnel resource in Nebius AI Cloud.
  • A tunnel agent that runs next to your application.
  • One or more services in the agent configuration. Each service maps a public tunnel URL to a local HTTP or TCP endpoint.
The agent opens an outbound TLS connection to a regional Nebius edge endpoint. When a client sends a request to the public tunnel URL, the edge forwards the request back through the existing agent connection. The VM or private network doesn’t need to accept inbound connections from the internet for this traffic.

Supported traffic

Nebius Tunnels supports:
  • HTTP services over HTTP/1.1, including WebSocket upgrade requests.
  • HTTP services over HTTP/2, including gRPC, by setting protocol: h2 in the agent configuration.
  • TCP services.
  • Multiple services in one tunnel, each with its own service name and public URL.
The agent-to-edge tunnel connection uses HTTP/2 multiplexing, so multiple client requests can share the same outbound connection from the agent to the edge. Each public URL uses this format:
https://<service_name>-<tunnel_masked_ID>.tunnel.applications.<region>.nebius.cloud
Where:
  • service_name is the services.name value from the agent configuration.
  • tunnel_masked_ID is the mask of the tunnel ID without the applicationtunnel- prefix and regional routing code. For example, for applicationtunnel-<routing_code>abcdef1234, the tunnel ID mask is abcdef1234.
  • region is the region of the project where the tunnel was created, for example eu-north1.
In the agent configuration, services.name can contain up to 20 characters and must use only lowercase Latin letters and digits ([a-z0-9]). Don’t use dashes or dots.
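The services.name rule and the public URL format above, as an added Python example that is not part of the Nebius documentation or tooling. It checks a name before it goes into the agent configuration, composes the public URL, and splits a tunnel hostname (for example one seen in a proxy log) back into its parts. The function names are hypothetical, the tunnel ID mask is passed in as-is, and the one-character minimum for a name is an assumption.

```python
import re
from urllib.parse import urlsplit

# Rule from the page: up to 20 characters, only [a-z0-9], no dashes or dots.
# Assumption: an empty name is not allowed.
SERVICE_NAME_RE = re.compile(r"[a-z0-9]{1,20}")

# Hostname layout from the page:
#   <service_name>-<tunnel_masked_ID>.tunnel.applications.<region>.nebius.cloud
# The service name cannot contain "-", so the first dash in the first label
# separates it from the tunnel ID mask.
HOST_RE = re.compile(
    r"(?P<service>[a-z0-9]{1,20})-(?P<mask>[^.]+)"
    r"\.tunnel\.applications\.(?P<region>[^.]+)\.nebius\.cloud"
)

def validate_service_name(name: str) -> str:
    """Return name unchanged if it satisfies the services.name rule, else raise."""
    if not SERVICE_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid services.name {name!r}: use 1-20 chars of [a-z0-9]")
    return name

def public_url(service_name: str, tunnel_masked_id: str, region: str) -> str:
    """Compose the public tunnel URL for one service."""
    validate_service_name(service_name)
    return (f"https://{service_name}-{tunnel_masked_id}"
            f".tunnel.applications.{region}.nebius.cloud")

def parse_public_url(url: str) -> dict:
    """Split a public tunnel URL into service name, tunnel ID mask and region."""
    parts = urlsplit(url)
    match = HOST_RE.fullmatch(parts.hostname or "")
    if parts.scheme != "https" or match is None:
        raise ValueError(f"not a tunnel URL: {url!r}")
    return match.groupdict()

if __name__ == "__main__":
    # Constructed sample values; the mask is the one from the page's example.
    url = public_url("grafana", "abcdef1234", "eu-north1")
    print(url)
    print(parse_public_url(url))
    for bad in ("my-api", "api.v2", "API", "a" * 21):
        try:
            validate_service_name(bad)
        except ValueError as err:
            print("rejected:", err)
```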

Authentication and access

The tunnel agent authenticates with Identity and Access Management. To connect to a tunnel, the service account used by the agent must have the applicationtunnel.agent role on that tunnel or on one of its parent resources.
Nebius Tunnels secures the transport between the tunnel agent and Nebius edge, but it doesn’t add user authentication or authorization to your application. Configure access control in the application itself before exposing it through a tunnel.
The tunnel agent can authenticate as a service account by using:
