Bridge (Private Networks)
Connect Connic connectors to services running inside private networks, VPCs, or on-premises infrastructure without opening inbound firewall rules.
What is the Connic Bridge?
The Connic Bridge is a lightweight agent that runs inside your private network and creates a secure outbound tunnel to Connic Cloud. This allows Connic connectors (Kafka, PostgreSQL, SQS, Email, S3, HTTP) to reach services that are not publicly accessible.
Because the bridge only makes outbound connections, you do not need to open any inbound firewall rules or expose your services to the internet.
When do you need it?
You need the bridge if your target service is:
- Inside a private AWS VPC, GCP VPC, or Azure VNet
- Running on-premises behind a corporate firewall
- Accessible only via private DNS or internal IPs
- Behind an IP allowlist that cannot include Connic's IPs
If your services are publicly reachable (e.g. managed Kafka on Confluent Cloud, AWS SQS via public endpoint), you do not need the bridge.
Architecture
[Diagram: inside your network, the private services (Kafka, PostgreSQL, SQS, ...) and the Connic Bridge (runs in your VPC); a TLS-encrypted link to Connic Cloud, which hosts the Bridge Relay (relay.connic.co) and the Connector Worker (Kafka, SQS, PG, HTTP, ...).]
1. You deploy the Connic Bridge as a Docker container inside your network.
2. The bridge makes an outbound WebSocket connection to the Connic relay (no inbound ports needed).
3. When a connector needs to reach a private service, Connic routes the connection through the relay and bridge.
4. The bridge validates the target against its configured allowed hosts (ALLOWED_HOSTS env var), opens a local TCP connection, and proxies the traffic.
5. All traffic between the bridge and relay is encrypted via TLS (WSS).
Generate a Bridge Token
Go to Project Settings > Bridge and click Set Up Bridge. Copy the token that is displayed. It will only be shown once.
Run the Connic Bridge
Deploy the Connic Bridge inside your private network. It needs to be able to reach both your private services and the internet (for the outbound WSS connection).
Docker (recommended):
```bash
docker run -d --name connic-bridge \
  -e BRIDGE_TOKEN=cbr_your_token_here \
  -e ALLOWED_HOSTS=kafka:9092,postgres:5432 \
  connicorg/bridge:latest
```
pip:
```bash
pip install connic-bridge
connic-bridge \
  --token cbr_your_token_here \
  --allow kafka:9092 \
  --allow postgres:5432
```
Docker Compose:
```yaml
services:
  connic-bridge:
    image: connicorg/bridge:latest
    restart: always
    environment:
      BRIDGE_TOKEN: cbr_your_token_here
      ALLOWED_HOSTS: kafka:9092,postgres:5432,my-db:5432
      LOG_LEVEL: INFO
```
Enable Bridge on Connectors
When creating or editing a connector that needs to reach a private service, enable the Connect via Bridge toggle in the Network Access section.
The following connector types support bridge access:
- Apache Kafka (inbound and outbound)
- AWS SQS (inbound and outbound)
- PostgreSQL (inbound via LISTEN/NOTIFY)
- Email / IMAP / SMTP (inbound and outbound)
- AWS S3 (file downloads)
- HTTP Webhook (outbound callbacks)
Configuration Reference
| Variable | Required | Description |
|---|---|---|
| BRIDGE_TOKEN | Yes | Bridge authentication token from the Connic dashboard |
| ALLOWED_HOSTS | Yes | Comma-separated host:port pairs the bridge may connect to |
| RELAY_URL | No | Relay URL (default: wss://relay.connic.co) |
| LOG_LEVEL | No | DEBUG, INFO, WARNING, or ERROR (default: INFO) |
Security
- Outbound-only - the bridge never accepts inbound connections. No ports need to be opened.
- Allowed hosts - you control exactly which services the bridge can reach. Connections to unlisted hosts are rejected.
- Token authentication - each bridge is tied to a single Connic project. Tokens can be rotated at any time.
- TLS encryption - all communication between the bridge and relay uses WSS (WebSocket over TLS).
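The allowed-hosts check described in step 4 of the architecture and in the Allowed hosts point above, sketched as an added example (this is not Connic's code, and the page does not document how the real bridge parses the value). It assumes exact host:port matching with no wildcards, a conservative hostname character set without IPv6 literals, and hypothetical function names.

```python
"""Added example: strict, fail-closed host:port allowlist in the style of ALLOWED_HOSTS."""
import os
import re

# Assumption: hostnames and IPv4 addresses only; IPv6 literals are not handled.
_HOST_RE = re.compile(r"[a-z0-9._-]+")


def _split_host_port(entry: str) -> tuple:
    """Split 'host:port' into a normalised (host, port) pair or raise ValueError."""
    host, sep, port = entry.strip().rpartition(":")
    host = host.lower()
    # isascii() guards against Unicode digits that isdigit() would accept.
    if not sep or not _HOST_RE.fullmatch(host) or not (port.isascii() and port.isdigit()):
        raise ValueError(f"expected host:port, got {entry!r}")
    number = int(port)
    if not 1 <= number <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return host, number


def parse_allowed_hosts(raw: str) -> frozenset:
    """Parse a comma-separated list of host:port pairs.

    Any malformed entry raises instead of being skipped, so a typo cannot
    silently change which services are reachable.
    """
    pairs = {_split_host_port(e) for e in raw.split(",") if e.strip()}
    if not pairs:
        raise ValueError("allowlist is empty")
    return frozenset(pairs)


def is_allowed(target: str, allowed: frozenset) -> bool:
    """Exact match on (host, port); an unparseable target is rejected."""
    try:
        return _split_host_port(target) in allowed
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample value, matching the docker run example on this page.
    allowed = parse_allowed_hosts(os.environ.get("ALLOWED_HOSTS", "kafka:9092,postgres:5432"))
    for target in ("kafka:9092", "KAFKA:9092", "kafka:9093", "kafka.internal:9092", "redis:6379"):
        print(f"{target:22} -> {'allow' if is_allowed(target, allowed) else 'reject'}")
```

Matching on the full pair means an allowed host on a different port, or a name that merely starts with an allowed host, is rejected.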
Troubleshooting
Bridge shows "Disconnected" in dashboard
Check that the bridge container is running (docker ps) and has outbound internet access. Verify the token is correct and has not been regenerated.
Connector fails with "Bridge not connected"
The connector has Connect via Bridge enabled but no bridge is connected for this project. Start the Connic Bridge or disable the bridge toggle on the connector.
"Host not in allowed hosts list"
The bridge rejected the connection because the target host:port is not in the allowed hosts list. Add it to the ALLOWED_HOSTS environment variable (or --allow flag) of the bridge container and restart it.
Connection timeout to target
The bridge can reach the relay but cannot connect to the target service. Verify that the bridge container can reach the target host:port from within its network (e.g. via docker exec connic-bridge nc -zv kafka 9092).