At mabl we invest significant engineering effort into making it simple and secure to run tests in the cloud. If you need to run tests against app environments that are not accessible from the public Internet, you can run your tests over mabl Link.
Mabl Link is a highly secure tunneling solution designed to meet the requirements of even the most security-demanding enterprises, such as financial services, banks, and cyber security firms. It works by establishing a secure tunnel between the mabl cloud and your private network through the mabl Link Agent, so that you can test apps on private environments, including:
- Internal QA and staging environments with non-public DNS names
- Local development environments, such as localhost
- Non-publicly routable IP addresses, such as 10.0.0.0/8 or 192.168.0.0/16
- Ephemeral cloud environments accessed via virtual private cloud (VPC) or AWS Direct Connect
Read on to learn more about how mabl Link works.
- Highly secure tunneling solution
- Able to resolve non-public DNS names
- Quick and easy setup with automatic updates for the mabl Link Agent
- Support for HTTPS traffic and HTTP forward proxies
- Elegant architecture that doesn’t require firewall changes in many cases
- No need to allowlist a broad range of IPs, just a single domain name
- High availability by design - just set up multiple Link Agents with the same name
- No need for VPN client or server
How it works
At a high level, mabl Link works by establishing a secure outgoing (egress) connection from your network to the mabl cloud. When you run Link-enabled tests in the cloud, mabl can securely access and run tests against hosts on your private network.
The following diagram illustrates how it all works. The green arrow represents the connections and their direction between the mabl Link components, while the blue arrows show the connections and their direction while running tests in the mabl cloud against a private environment.
Mabl Link is not currently supported for performance tests or mobile tests. To access private environments for these test types, you can allowlist mabl IP addresses instead.
Establishing the connection
The process starts with running the Link Agent on a machine, server, or VM in your network that has access to the application(s) under test. The Link Agent is a small, Java-based application that you can install using Docker or a Java-based distribution package.
When the Link Agent starts up, it establishes an outgoing TLS-encrypted WebSocket connection over port 443 to a container in the mabl cloud that is dedicated to receiving traffic from your specific Link Agent.
We recognize the importance of security and privacy when allowing mabl to access your non-public environments. For this reason we have designed security features into every aspect of mabl Link:
- The secure tunnel uses 4096-bit RSA keys that are specific to your workspace and agent.
- Communication between Link Agents and the Link Service is secured with access tokens that are specific to each Link Agent.
- No multi-tenant access to your private mabl Links: Link Tunnels and Services are never shared between customers.
There is typically no need to change your firewall rules, since many firewalls are already configured to allow most outgoing connections. However, if your company firewall blocks outgoing traffic, your IT admin/security team will need to add the following addresses to an allowlist:
*.link.mabl.com
api.mabl.com
To limit what mabl can access within your network even further, you could run the Link Agent within a DMZ or on a dedicated host, VM, or container with strict firewall rules that will only allow it to access the desired applications under test.
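As an added example (not mabl's own code), the following sketch audits a Link Agent host's internet-bound connections against the two allowlist entries and port 443 given above, matching on whole DNS labels so that look-alike names are rejected. The log format, the sample hostnames, and the rule that the wildcard does not cover the bare parent domain are assumptions made for illustration.

```python
# Allowlist entries and port come from the page; everything else is constructed.
ALLOWLIST = ["*.link.mabl.com", "api.mabl.com"]
ALLOWED_PORT = 443


def host_allowed(host, allowlist=ALLOWLIST):
    """Match on whole DNS labels, never on substrings or raw suffixes."""
    host = host.strip().rstrip(".").lower()
    labels = host.split(".")
    if not host or any(not label for label in labels):
        return False
    for pattern in allowlist:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[2:].split(".")
            # Assumption: the wildcard needs at least one extra label, so the
            # bare parent domain (link.mabl.com) does not match.
            if len(labels) > len(suffix) and labels[-len(suffix):] == suffix:
                return True
        elif host == pattern:
            return True
    return False


def audit(log_lines):
    """Return (host, port) pairs that fall outside the allowlist."""
    violations = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:  # skip blank or malformed lines
            continue
        _timestamp, host, port = fields
        if not (host_allowed(host) and int(port) == ALLOWED_PORT):
            violations.append((host, int(port)))
    return violations


# Constructed sample log: "<timestamp> <destination host> <destination port>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z api.mabl.com 443
2024-01-01T10:00:01Z agent-1.link.mabl.com 443
2024-01-01T10:00:02Z link.mabl.com.example.net 443
2024-01-01T10:00:03Z notlink.mabl.com 443
2024-01-01T10:00:04Z api.mabl.com 80
""".splitlines()

if __name__ == "__main__":
    for host, port in audit(SAMPLE_LOG):
        print(f"outside allowlist: {host}:{port}")
```

Connections to the applications under test stay inside your network and are not part of this check; feed it only the egress records from your firewall or forward proxy.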
Mabl Link does not depend on or use any virtual private network (VPN) technologies. There is no need to install or configure a VPN client or server in order to use mabl Link.
Connecting to the system under test
After the connection is established, mabl can securely access and run tests against applications in your private network. DNS resolution occurs on the Link Agent host, which means that DNS names are resolved within your environment, not the mabl cloud.
The Link Agent enforces authentication to ensure that only tests with the same workspace and Link Agent name are allowed to route traffic through that Link Agent. This authentication prevents any accidental cross-talk that might otherwise occur.