Private Connectors

Private Connectors provide secure access to on-premise systems without opening inbound firewall ports. They create outbound-only tunnels from your network to DataGrout.

How It Works

Deploy a lightweight connector appliance in your network or cloud. The connector establishes an outbound VPN tunnel to DataGrout’s VPC. Once connected, your internal tools appear in your server just like cloud integrations.

Architecture

The connector runs a VPN client and a relay service. When an agent calls a tool that routes through the connector, DataGrout sends the request through the VPN tunnel. The relay service forwards it to your internal system and returns the response.

Total latency overhead is typically 10-30ms.

Setup

Step 1: Deploy Connector

Deploy the connector template on AWS, Azure, GCP, or your own infrastructure. The connector is a small Linux instance that requires minimal resources (1 vCPU, 512 MB RAM).

Step 2: Configure VPN

Choose a VPN provider:

  • NetBird: WireGuard-based, zero-config, recommended for new deployments
  • WireGuard: Industry standard, minimal overhead
  • OpenVPN: Enterprise standard, maximum compatibility
  • Custom: Bring your own VPN solution

Configure the connector with VPN credentials (activation token, certificates, or config files).

Step 3: Configure in DataGrout

  1. Go to Integration → Private Connector tab
  2. Enter connector details:
    • Name and description
    • VPN provider and credentials
    • Target host and port (your internal system)
  3. Save

Step 4: Verify Connection

Check the connector status in the UI. Once active, test by calling a tool that routes through the connector.

Security

Connectors use mTLS authentication. Each connector is isolated and single-tenant. Only outbound connections are required—no inbound firewall ports.

VPN tunnels are encrypted end-to-end. Credentials are encrypted at rest and never logged. Connectors can only reach the configured target host and port.

Use Cases

SAP ERP Access

Connect to SAP instances in your data center. Deploy a connector, configure it to target your SAP endpoint, and all SAP tools become available to agents.

Oracle Database

Access Oracle databases on private subnets. The connector forwards database queries through the secure tunnel.

Legacy Systems

Connect to AS/400, Dynamics on-premise, or other legacy systems. Build a thin HTTP wrapper if needed, then route through the connector.

Multi-Site Access

Deploy multiple connectors for different locations. One connector for US datacenter, another for EU datacenter. Both appear in your unified server endpoint.

Management

Health Monitoring

Connectors report health status every 60 seconds. Status indicators show Active, Degraded, or Down. View status, uptime, and latency in the UI.

Maintenance

Connectors auto-update with zero-downtime deployments. VPN tunnels reconnect automatically. Deploy multiple connectors for high availability with automatic failover.

Performance

Typical overhead is 10-30ms. Throughput depends on instance size—nano instances handle ~10 requests/second, micro instances ~50 requests/second.

Connection pooling reduces latency by reusing TCP connections to internal systems.

Troubleshooting

If the connector won’t connect, check VPN credentials, verify outbound ports are open (51820 for WireGuard, 1194 for OpenVPN), and ensure the connector has internet access.

If the integration can’t reach the target, verify the target host and port are correct, check internal firewall rules, and test connectivity from the connector.

If performance is slow, deploy the connector closer to your datacenter, upgrade the instance size, or enable connection pooling.

Pricing

Private Connectors are included in Enterprise plans (3 connectors). Additional connectors are available as add-ons. You pay for the cloud instance separately (typically $5-10/month for a nano instance).