AIARCOASC Docs

Access & Tunnel

Identity-aware proxy in front of any HTTP service, plus an outbound tunnel that needs no inbound ports.

What it is

Access publishes any internal HTTP app behind an identity-aware proxy that enforces SSO (OIDC/SAML), device-posture and per-app policy — no VPN required. Tunnel is the lightweight agent your origin runs that establishes an outbound connection to AIARCO; you don't need to open any inbound firewall ports.

When to use it

  • Replace a VPN for internal tools.
  • Publish a service that lives on a private network with no public IP.
  • Enforce device posture (disk encryption, OS version) before granting access.

Quickstart

asc edge access app create admin-portal --domain admin.example.com --policy 'group:admins and device.posture.encrypted'
asc tunnel install --token <tunnel-token>
client.edge.access.apps.create(name='admin-portal', domain='admin.example.com', policy='group:admins and device.posture.encrypted')
await client.edge.access.apps.create({ name: 'admin-portal', domain: 'admin.example.com', policy: 'group:admins' });

Limits & quotas

LimitDefaultBurstNotes
Identity-aware app$3 / app-mo (incl. seat)
Outbound tunnel bandwidth$0.045 / GB
Identity providersOIDC / SAML 2.0
Device-posture checksOS / encryption / OS version / EDR

Pricing

See pricing. Pay-as-you-go, billed monthly via Stripe.

API surface

  • POST /v1/edge/access/apps
  • POST /v1/edge/tunnels

Required scope(s): edge:write. See Scopes.

Security

All access is authenticated and scoped. See Auth & scopes and Network controls.