Access & Tunnel
Identity-aware proxy in front of any HTTP service, plus an outbound tunnel that needs no inbound ports.
What it is
Access publishes any internal HTTP app behind an identity-aware proxy that enforces SSO (OIDC/SAML), device-posture and per-app policy — no VPN required. Tunnel is the lightweight agent your origin runs that establishes an outbound connection to AIARCO; you don't need to open any inbound firewall ports.
When to use it
- Replace a VPN for internal tools.
- Publish a service that lives on a private network with no public IP.
- Enforce device posture (disk encryption, OS version) before granting access.
Quickstart
asc edge access app create admin-portal --domain admin.example.com --policy 'group:admins and device.posture.encrypted'
asc tunnel install --token <tunnel-token>client.edge.access.apps.create(name='admin-portal', domain='admin.example.com', policy='group:admins and device.posture.encrypted')await client.edge.access.apps.create({ name: 'admin-portal', domain: 'admin.example.com', policy: 'group:admins' });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| Identity-aware app | $3 / app-mo (incl. seat) | — | |
| Outbound tunnel bandwidth | $0.045 / GB | — | |
| Identity providers | OIDC / SAML 2.0 | — | |
| Device-posture checks | OS / encryption / OS version / EDR | — |
Pricing
See pricing. Pay-as-you-go, billed monthly via Stripe.
API surface
POST /v1/edge/access/appsPOST /v1/edge/tunnels
Required scope(s): edge:write. See Scopes.
Security
All access is authenticated and scoped. See Auth & scopes and Network controls.