Hi all,
I work at a SaaS company that needs to securely connect our cloud control plane to customer on-premise infrastructure in order to run orchestration and automation tasks. We’re trying to avoid requiring customers to open inbound firewall rules or stand up full VPNs.
We’ve narrowed it down to two models:
Agent-based HTTPS/mTLS connector
* Customer deploys a small VM/Pod (our agent) inside their environment.
* The agent makes an outbound TLS connection (443) to our SaaS, authenticates with mTLS, polls for jobs, and executes them locally.
* Simple setup (firewall-friendly, “just outbound HTTPS”), similar to how Datadog agents, GitHub Actions runners, or Terraform Cloud Agents work.
WireGuard-based connector
* Customer deploys the same kind of connector, but instead of plain HTTPS, it establishes a WireGuard tunnel back to our cloud.
* Provides a stable overlay /32 per connector, potentially lower latency, and allows us to send jobs and receive results over a secure tunnel.
* Requires outbound UDP (or TCP fallback with something like Tailscale/Netbird).
* More networking moving parts, but possibly a more robust transport.
We want to balance security posture, customer comfort during security review, and ease of deployment. From your perspective (especially those who review SaaS vendors for security), which approach would give you more confidence, and why?
Thanks!
Comments URL: https://news.ycombinator.com/item?id=45418139
Points: 1
# Comments: 0
Source: news.ycombinator.com
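Added example (not part of the post above, and not any vendor's code): a minimal Go model of the first option, the agent-based mTLS pull connector. The SaaS control plane runs its own connector CA, requires a client certificate on every connection, and hands out only the job queue belonging to the identity proven in the TLS handshake; the connector makes a single outbound HTTPS request and presents its certificate. A connector with no certificate, or with one issued by an unrelated CA, is rejected at the TLS layer before any handler runs. Everything here is assumed for the sake of the example: the names (`example-saas-connector-ca`, `control-plane`, `connector-a`), the sample jobs, and the use of `httptest` on loopback in place of a real listener on 443. In production the server certificate would come from a public CA and the connector CA would be a separate private one; here one CA serves both roles to keep the code short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Job is what a connector pulls from the control plane and runs locally.
type Job struct{ ID, Command string }

// Issue mints a short-lived Ed25519 certificate signed by parent; a nil parent means a self-signed CA.
func Issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // leaves are the control plane (TLS server) or a connector (TLS client); loopback address for httptest
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// ControlPlane is the SaaS side: the connector CA plus one job queue per connector ID.
type ControlPlane struct {
	ca     tls.Certificate
	Roots  *x509.CertPool
	Queues map[string][]Job
	Server *httptest.Server
}

func NewControlPlane() *ControlPlane {
	cp := &ControlPlane{ca: Issue("example-saas-connector-ca", true, nil), Roots: x509.NewCertPool(), Queues: map[string][]Job{}}
	cp.Roots.AddCert(cp.ca.Leaf)
	cp.Server = httptest.NewUnstartedServer(http.HandlerFunc(cp.jobs))
	cp.Server.TLS = &tls.Config{
		Certificates: []tls.Certificate{Issue("control-plane", false, &cp.ca)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // handshake fails unless the client cert chains to ClientCAs
		ClientCAs:    cp.Roots,
		MinVersion:   tls.VersionTLS13,
	}
	cp.Server.StartTLS()
	return cp
}

// Enroll issues a connector certificate; its CN is the connector's identity from then on.
func (cp *ControlPlane) Enroll(id string) tls.Certificate { return Issue(id, false, &cp.ca) }

// jobs authorizes on the identity proven in the handshake only (RequireAndVerifyClientCert guarantees
// a verified chain here); nothing in the request itself (headers, query, body) is trusted for that decision.
func (cp *ControlPlane) jobs(w http.ResponseWriter, r *http.Request) {
	json.NewEncoder(w).Encode(cp.Queues[r.TLS.VerifiedChains[0][0].Subject.CommonName])
}

// Poll is the connector side: one outbound HTTPS request presenting cert (nil = no client cert).
func Poll(url string, roots *x509.CertPool, cert *tls.Certificate) ([]Job, error) {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS13}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url + "/jobs")
	if err != nil {
		return nil, err // a missing or untrusted client cert surfaces here as a TLS alert
	}
	defer resp.Body.Close()
	var jobs []Job
	return jobs, json.NewDecoder(resp.Body).Decode(&jobs)
}

func main() {
	cp := NewControlPlane()
	defer cp.Server.Close()
	a := cp.Enroll("connector-a")
	cp.Queues["connector-a"] = []Job{{ID: "j1", Command: "restart nginx"}} // constructed sample job
	fmt.Println(Poll(cp.Server.URL, cp.Roots, &a)) // connector-a's queue
	fmt.Println(Poll(cp.Server.URL, cp.Roots, nil)) // error: client certificate required
}
```

The point a reviewer will look for is that the connector's certificate is the authorization key: the queue lookup uses the CN from the verified chain, never an agent-supplied ID, so one customer's connector cannot ask for another's jobs, and revocation of a connector is a CA-side decision rather than something the customer's firewall has to enforce. The WireGuard option gives the same per-connector identity through the peer's public key; the difference is which layer carries it.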