Architecture and concepts

Border0 platform

Border0 is a globally distributed service with proxy, tunnel, and API servers worldwide. The Platform is built and delivered on an anycast network. This global anycast network consists of 102 Points of Presence in 86 cities across 48 countries. This assures both high availability and low latency. All this is transparent to you, the user. You simply get the benefits.

Sockets (aka Services)

Sockets are the core building blocks in Border0. They represent the service you're trying to make available, for example a particular web service, SSH, or database server.
The term socket comes from the term Network Sockets, as we use them in network programming.
Sockets on Border0 come in various flavors. We currently support:

  • HTTP(s)
  • SSH
  • Database (MySQL or Postgres)
  • TLS

HTTP(s), SSH, and Database sockets are application-aware proxies on our infrastructure. TLS Sockets are for generic TCP services for which we don't have application proxy support.


By default, no one can access a Socket unless explicitly allowed by a policy. Think of a policy as a firewall rule on steroids. Unlike a typical firewall rule, where you can only define IP addresses and port numbers, the Border0 policy language allows you to define fine-grained authorization rules.
There are two types of policies. "Organization-wide" policies automatically apply to all sockets in your organization, whereas regular policies need to be explicitly linked to one or more sockets.
Policies allow you to define Who (identity) has access to What resources (sockets), When (between what dates or time of day), and from Where (countries and IP addresses).
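
The following is an added illustration, not Border0's policy language or code: a simplified Python model of the default-deny evaluation described above, with organization-wide and linked policies and Who/When/Where conditions. All field names, the rule that every condition of a policy must match, and the sample policies are assumptions made for the example.

```python
# Simplified model of default-deny policy evaluation (assumed schema, not Border0's).
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    who: set                                        # allowed identities
    countries: set = field(default_factory=set)     # empty = any country
    networks: list = field(default_factory=list)    # empty = any source IP
    hours: tuple = (time(0, 0), time(23, 59, 59))   # allowed UTC time-of-day window
    org_wide: bool = False                          # applies to all sockets
    sockets: set = field(default_factory=set)       # sockets a regular policy is linked to

@dataclass
class Request:
    user: str
    socket: str
    src_ip: str
    country: str
    at: datetime

def applies(policy, socket):
    """Organization-wide policies cover every socket; regular ones only linked sockets."""
    return policy.org_wide or socket in policy.sockets

def matches(policy, req):
    """Assumption: Who, Where and When must all match for the policy to allow."""
    ip = ip_address(req.src_ip)
    now = req.at.astimezone(timezone.utc).time()
    return (req.user in policy.who
            and (not policy.countries or req.country in policy.countries)
            and (not policy.networks or any(ip in ip_network(n) for n in policy.networks))
            and policy.hours[0] <= now <= policy.hours[1])

def authorize(policies, req):
    """Return the name of the first allowing policy, or None (default deny)."""
    for p in policies:
        if applies(p, req.socket) and matches(p, req):
            return p.name
    return None

# Constructed sample policies
POLICIES = [
    Policy("oncall-anywhere", who={"oncall@example.com"}, org_wide=True),
    Policy("dba-office-hours", who={"dba@example.com"}, countries={"NL"},
           networks=["203.0.113.0/24"], hours=(time(8, 0), time(18, 0)),
           sockets={"prod-db"}),
]
```

In this model a request that no applicable policy allows returns None, which is what "no one can access a Socket unless explicitly allowed" means in practice: a regular policy that is not linked to the requested socket never contributes an allow.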


Sessions are the recorded application connections that flow through our platform. These are your users connecting to your applications made available through Border0 Sockets. You can think of a session as a network flow enriched with additional data. Session data includes information about the user's identity, IP address, as well as the time and duration of the session. This allows you to answer the question: Who accessed What resource, When, and from Where. Most sessions can be recorded as well; this allows you to replay (SSH, Database, and HTTP) sessions through the portal, so you can review exactly what happened.


Tunnels are a secure connection between the origin service (the service you're making available through Border0). Typically you don't need to manage these tunnels yourself, and we'll take care of it for you. Either the Border0 connector manages them for you, or you start a tunnel yourself by executing border0 socket <socket_id> connect


The Border0 connector will automatically discover, manage, and make available the resources that you'd like to expose through the Border0 Platform. Supported resources include:

  • Statically defined resources
  • EC2 resources
  • K8s pods
  • Docker containers
  • Network resources (IP addresses and port numbers)


Think of the account as the root account for your Border0 subscription. An account consists of one or more organizations.


An organization is a logical grouping for your Border0 resources. Resources such as sockets or policies belong to an organization. An organization can have multiple admin users, each with different roles.
Each organization has a unique name, which you set when you create the organization. This name will form a Fully Qualified Domain Name (FQDN), used to identify your organization and resources uniquely. For example, the FQDN for an organization called "acme" is Sockets in that organization will have the following name:


Administrators are the users managing your Border0 account. A user can belong to multiple organizations.
Think of users as your admin accounts.

Border0 CLI tool

The border0 CLI tool is a rich CLI tool that allows administrators and end users to interact easily with the Border0 API and Platform. Administrators can use it to manage resources such as sockets and policies, and to start tunnels.
End users (clients) can use the Border0 CLI tool to connect to resources made available by administrators through the Border0 Platform. For example, an SSH resource would be accessed like this: border0 client ssh [email protected]

The CLI tool can be downloaded here:
Its (open) source code is available here:

Desktop App

End users (clients) can use the Border0 Desktop App, a graphical user interface (GUI). This Desktop App allows users to log in to an organization and see all resources they have access to. From there, the user can connect to the resource.