Secure tunneling with mabl Link

Allowlisting mabl IP addresses

Mabl Link is the most secure way mabl can access your private environments. Allowlisting mabl's IP addresses is another way to give mabl access to these environments.

At mabl, we invest significant engineering effort in making it simple and secure to run tests in the cloud against app environments on private networks, such as:

  • Internal QA and staging environments (e.g. https://uat.example.com)
  • Local development environments (e.g. http://localhost:3000)
  • Ephemeral cloud environments accessed via virtual private cloud (VPC) or AWS Direct Connect

All you need to do is set up mabl Link to establish a secure tunnel between the mabl cloud and your private network. The mabl Link agent is designed to meet the requirements of even the most security-demanding enterprises, such as financial services, banks and cybersecurity firms.

Mabl Link Highlights

  • Highly secure tunneling solution
  • Quick and easy setup with automatic updates for the agent
  • Support for HTTPS traffic and HTTP forward proxies
  • Elegant architecture that doesn’t require firewall changes in many cases
  • No need to allowlist a broad range of IPs, just a single domain name
  • High availability by design - just set up multiple agents with the same name
  • No need for a VPN client or server

Mabl Link overview

Mabl Link consists of two main components — Link Agent and Link Service — that are responsible for establishing a secure outgoing (egress) connection from your network to the mabl cloud. There is typically no need to change your firewall rules since many firewalls are already configured to allow for most outgoing connections. Once the tunnel has been established, mabl can securely access and run tests against hosts on your private network.

The diagram below illustrates how it all works. The green arrow represents the connections between the mabl Link components and their direction, while the blue arrows show the connections and their direction when running tests in the mabl cloud against a private environment.

Mabl Link Agent

The Link Agent is a small Java-based application that is responsible for creating the secure tunnel to the mabl cloud. It can be installed using Docker or a Java-based distribution package.

Testing setup overview

At a high level, you need to take the following steps to run tests against your private environments and localhost using mabl:

  • Retrieve your mabl API key
  • Download and install the Link Agent
  • Run the Link Agent on a host machine with access to the app under test
  • Validate the Link connection is live in the mabl app
  • Configure your mabl environment to use Link
  • Run a test plan associated with the Link-enabled environment

Please refer to using mabl Link for more detailed setup instructions.

If you need help with the Link setup, please contact us via the in-app chat and make sure to share this page with your engineering and IT teams so we can quickly troubleshoot any issues as a team.

Security overview

We recognize the importance of security and privacy when allowing mabl to access your non-public environments, and for this reason we have designed security features into every aspect of mabl Link.

In general, there are several important considerations when setting up a secure tunneling solution for your network:

  • How is the traffic encrypted, isolated and verified as it goes through the tunnel?
  • How does DNS resolution happen?
  • How do the actual test runs happen in a multi-tenant environment?
  • How much access (isolation) does the agent have within your network?
  • How can you terminate the tunnel?

Secure tunnel

  • The mabl Link tunnel is a secure WebSocket connection that uses 4096-bit RSA keys that are specific to your workspace and agent.
  • Each agent is allocated its own dedicated container within the mabl cloud. Tunnels and containers are never shared between agents (even for different agents within the same workspace), so there is never any multi-tenant access to your private mabl links.
  • The communication between Link agents and the Link Service is secured with access tokens that are specific to each agent to allow for greater security around each agent.

DNS resolution

The DNS resolution occurs on the Link Agent, which means that DNS names are resolved within your environment, not the mabl cloud. This design gives you the following advantages:

  • Tests can run against internal QA and development environments with non-public DNS names, including localhost which just needs an alias in the hosts file (read more).
  • Tests can be both trained and executed against the same non-public fully qualified domain names (FQDNs), all from within your private network.
  • Non-publicly-routable IP addresses, such as 10.0.0.0/8, 192.168.0.0/16, etc., may be used.

And in case you were wondering, mabl Link does not depend on or use any virtual private network (VPN) technologies. There is no need to install or configure a VPN client or server in order to use mabl Link.

Test runs via Link

When running tests over mabl Link, authentication is enforced by the Link Agent to ensure that only tests with the same workspace and agent name are allowed to route their traffic through that agent. This authentication prevents any accidental cross-talk that might otherwise occur.

Link Agent isolation

The design of the Link Agent allows you to limit what the mabl service can access within your network. You can do so by running the agent within a DMZ or on a dedicated host (or VM or container) with strict firewall rules that will only allow it to access the desired applications under test.

Furthermore, the mabl Link Service is designed so that, if your firewall blocks egress traffic, your IT admin/security team needs to allow just an individual FQDN, static IP address, or the wildcard *.link.mabl.com, in addition to api.mabl.com. This allows mabl Link traffic to pass through the firewall without the risk of exposing the network to a wide range of IP addresses.

These configurations are not required, but can be used to provide an extra layer of security should your organization demand it.
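
An added example (not mabl's code) that audits the agent host's outbound connections against the isolation described above: externally only api.mabl.com and *.link.mabl.com, internally only the apps under test. The log format, port 443, the `APPS_UNDER_TEST` entries and the sample hostnames are assumptions constructed for illustration.

```python
import ipaddress

# From the page: api.mabl.com plus the wildcard *.link.mabl.com.
EGRESS_ALLOW = ["api.mabl.com", "*.link.mabl.com"]
# Hypothetical: the only internal apps under test this agent may reach.
APPS_UNDER_TEST = {("uat.example.com", 443), ("10.20.0.15", 8443)}

# Constructed proxy log from the agent host: time, source, method, host:port.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.20.0.5 CONNECT api.mabl.com:443
2024-01-01T10:00:01Z 10.20.0.5 CONNECT agent7.link.mabl.com:443
2024-01-01T10:00:02Z 10.20.0.5 CONNECT uat.example.com:443
2024-01-01T10:00:03Z 10.20.0.5 CONNECT evillink.mabl.com:443
2024-01-01T10:00:04Z 10.20.0.5 CONNECT api.mabl.com.cdn.example:443
2024-01-01T10:00:05Z 10.20.0.5 CONNECT 10.20.0.99:22
2024-01-01T10:00:06Z 10.20.0.5 CONNECT API.MABL.COM.:443
"""

def host_allowed(host, patterns=EGRESS_ALLOW):
    """Match on whole DNS labels so look-alike names do not pass."""
    host = host.lower().rstrip(".")  # normalise case and trailing root dot
    for pat in patterns:
        if pat.startswith("*."):
            suffix = pat[1:]  # ".link.mabl.com", leading dot kept on purpose
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pat:
            return True
    return False

def audit(log_text):
    """Return (host, port, kind) for every connection outside the policy."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "CONNECT":
            continue
        host, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        key = (host.lower(), int(port))
        # Assumption: the tunnel to the mabl cloud uses port 443.
        if key in APPS_UNDER_TEST or (key[1] == 443 and host_allowed(host)):
            continue
        try:
            internal = ipaddress.ip_address(host).is_private
        except ValueError:
            internal = False  # a DNS name, not an IP literal
        findings.append((host, key[1], "internal" if internal else "external"))
    return findings
```

Matching the wildcard with its leading dot is what rejects names such as `evillink.mabl.com`, which a plain suffix comparison on `link.mabl.com` would let through.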

Tunnel termination

The easiest way to stop routing traffic from your tests through mabl Link is to shut down the agent from the mabl app in Settings ⇒ Networking as shown below.

You can also achieve the same by editing the respective mabl environments and deselecting the Use link agent checkbox.

To completely remove mabl Link from your infrastructure:

  1. Shut down all running mabl Link Agents.
  2. Uncheck Use link agent in any mabl environments where you've enabled it. Otherwise, the tests associated with those environments will start failing.

Related resources

Get started using mabl Link