---
title: "Pangolin vs. Reverse Proxy"
description: "Learn how Pangolin's distributed architecture eliminates single points of failure and provides global, authenticated access to your applications"
---

Pangolin builds upon traditional reverse proxy principles but adds distributed architecture, tunneling, and identity-aware access control. While traditional reverse proxies are typically single-server solutions, Pangolin operates as a distributed network of points of presence that provide global, highly-available access to your applications.

## Traditional Reverse Proxy Limitations

Traditional reverse proxies operate as single-server solutions with inherent limitations:

- **Single Point of Failure**: If the reverse proxy server goes down, all applications become inaccessible
- **Geographic Limitations**: Users far from the server location experience higher latency
- **Network Dependencies**: Requires public IP addresses and open ports on your network
- **Basic Authentication**: Typically relies on network-based trust rather than user identity

## Pangolin's Dual-Layer High Availability

Pangolin provides high availability at two critical layers: ingress points and backend routing.

### Global Points of Presence (Ingress Layer)

Pangolin operates a distributed network of points of presence worldwide that serve as entry points for user traffic:

- **Automatic Failover**: If one point of presence becomes unavailable, traffic automatically routes to the next closest location
- **Geographic Optimization**: Users connect to the nearest available point of presence for minimal latency
- **Load Distribution**: Traffic is automatically balanced across multiple locations to prevent overload

### Intelligent Backend Routing (Tunnel Layer)

Once traffic reaches a point of presence, Pangolin provides additional high availability for routing to your backend services:

- **Multiple Tunnel Connections**: Each edge network can maintain connections to multiple points of presence simultaneously
- **Automatic Tunnel Failover**: If a tunnel connection fails, traffic automatically switches to an alternative route
- **Load Balanced Tunnels**: Multiple tunnel connections can be used simultaneously to distribute load and improve performance
- **Health Monitoring**: Pangolin continuously monitors tunnel health and automatically routes around failed connections

This dual-layer approach ensures your applications remain accessible even if individual points of presence or tunnel connections fail.

### How Dual-Layer High Availability Works

When a user requests access to your application:

1. **Ingress Routing**: Request is routed to the closest available point of presence
2. **Authentication**: User identity is verified at the point of presence
3. **Tunnel Selection**: Pangolin selects the optimal tunnel route to your backend service
4. **Failover Handling**: If the primary tunnel fails, traffic automatically switches to an alternative route
5. **Response Delivery**: Response follows the same resilient path back to the user

Both ingress points and tunnel connections are automatically managed, providing seamless failover without any manual intervention.

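
The sketch below is an added example, not Pangolin's code, of how the ingress and tunnel layers interact during route selection and failover: a point of presence that is healthy but has no healthy tunnel must be skipped. The types, the function names `selectRoute` and `deliver`, the sample topology and the 503 answer when no route remains are assumptions of this model.

```typescript
// Added illustration with hypothetical names; not Pangolin's code.
interface Tunnel { id: string; healthy: boolean; activeRequests: number }
interface PointOfPresence {
  name: string; latencyMs: number; healthy: boolean;
  tunnels: Tunnel[]; // tunnels from this point of presence to the target site
}
type Route = { pop: string; tunnel: string };
type Delivery = { status: number; route: Route | null; attempts: number };

// Nearest healthy point of presence that still has a healthy tunnel, then the
// least-loaded healthy tunnel on it. Returns null when nothing is usable.
function selectRoute(pops: PointOfPresence[]): Route | null {
  const byLatency = [...pops].sort((a, b) => a.latencyMs - b.latencyMs);
  for (const pop of byLatency) {
    if (!pop.healthy) continue;
    const usable = pop.tunnels.filter((t) => t.healthy);
    if (usable.length === 0) continue; // ingress is up but its backend path is not
    const best = usable.reduce((a, b) => (b.activeRequests < a.activeRequests ? b : a));
    return { pop: pop.name, tunnel: best.id };
  }
  return null;
}

// A tunnel that fails a send is marked unhealthy and the request is retried on
// the next route. With no route left the model answers 503 (an assumption).
function deliver(pops: PointOfPresence[], send: (r: Route) => boolean): Delivery {
  let attempts = 0;
  for (;;) {
    const route = selectRoute(pops);
    if (route === null) return { status: 503, route: null, attempts };
    attempts += 1;
    if (send(route)) return { status: 200, route, attempts };
    const failed = pops.find((p) => p.name === route.pop)?.tunnels.find((t) => t.id === route.tunnel);
    if (failed) failed.healthy = false;
  }
}

// Constructed sample topology: nearest PoP has a dead tunnel, farthest PoP is down.
function samplePops(): PointOfPresence[] {
  return [
    { name: "pop-a", latencyMs: 12, healthy: true, tunnels: [{ id: "a1", healthy: false, activeRequests: 0 }] },
    { name: "pop-b", latencyMs: 30, healthy: true, tunnels: [
      { id: "b1", healthy: true, activeRequests: 7 },
      { id: "b2", healthy: true, activeRequests: 2 },
    ] },
    { name: "pop-c", latencyMs: 95, healthy: false, tunnels: [{ id: "c1", healthy: true, activeRequests: 0 }] },
  ];
}
```
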
## Key Differences

### Tunneling vs. Direct Network Access

Traditional reverse proxies require direct network connectivity:

- **Public IP Required**: Your network needs a public IP address
- **Open Ports**: Must expose ports (80, 443) to the internet
- **Network Configuration**: Complex firewall and routing setup required

Pangolin uses secure tunneling:

- **No Public IP Needed**: Your applications can run on private networks
- **No Open Ports**: Edge networks don't need to expose any ports
- **Automatic Discovery**: Newt clients automatically find and connect to the optimal point of presence
- **Encrypted Traffic**: All communication is encrypted using WireGuard

This tunneling capability makes Pangolin ideal for environments behind restrictive firewalls, CGNAT, or corporate networks.

### Identity-Aware Proxy (IAP)

Traditional reverse proxies typically rely on network-based trust, while Pangolin implements zero-trust access control:

#### How Pangolin's IAP Works

1. **Request Interception**: Every request is intercepted by the nearest point of presence
2. **Identity Verification**: User identity is verified using OAuth2/OpenID Connect
3. **Context Evaluation**: Additional factors like location, device, and time are assessed
4. **Access Decision**: Access is granted or denied based on identity and context
5. **Secure Delivery**: Authenticated requests are tunneled to your application

#### Advanced Access Control Features

Pangolin provides comprehensive access control:

- **Multi-Factor Authentication**: Support for 2FA, passkeys, and OTP
- **Single Sign-On**: Integration with Google, Azure AD, Okta, and other identity providers
- **Granular Permissions**: User and role-based access control (RBAC)
- **Resource-Specific Security**: PIN codes, passwords, and expiring share links
- **Contextual Rules**: IP-based, geographic, and time-based access policies

Unlike traditional reverse proxies, Pangolin authenticates every single request, ensuring that only authorized users can access your applications.

## Benefits Summary

| Feature | Traditional Reverse Proxy | Pangolin |
|---------|--------------------------|----------|
| **Availability** | Single point of failure | Distributed, fault-tolerant |
| **Performance** | Limited by server location | Global, optimized routing |
| **Security** | Network-based trust | Zero-trust, identity-aware |
| **Network Requirements** | Public IP, open ports | No public IP needed |
| **Authentication** | Basic or none | Advanced, multi-factor |
| **Scalability** | Manual scaling | Automatic global distribution |

Experience distributed, authenticated access to your applications with Pangolin's global network of points of presence.
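
The steps under "How Pangolin's IAP Works", combined with the role, MFA and contextual rules listed under "Advanced Access Control Features", can be modelled as a default-deny decision function. This is an added example, not Pangolin's code: the session table standing in for OAuth2/OpenID Connect validation, the policy shape, the resource name and the deny reasons are all assumptions.

```typescript
// Added illustration: hypothetical names throughout. Token validation is
// reduced to a lookup in a table of already-verified sessions.
interface Identity { user: string; roles: string[]; mfa: boolean }
interface Req { token: string | null; resource: string; ip: string; country: string; hourUtc: number }
interface Policy {
  resource: string; roles: string[]; requireMfa: boolean;
  cidrs: string[]; countries: string[]; hoursUtc: [number, number]; // [start, end)
}
type Decision = { allow: boolean; reason: string; user: string | null };

// IPv4-only CIDR match on well-formed input (no validation in this sketch).
function inCidr(ip: string, cidr: string): boolean {
  const toInt = (s: string) => s.split(".").reduce((n, o) => n * 256 + Number(o), 0);
  const [base = "", bits = "32"] = cidr.split("/");
  const size = 2 ** (32 - Number(bits));
  return Math.floor(toInt(ip) / size) === Math.floor(toInt(base) / size);
}

function decide(req: Req, sessions: Map<string, Identity>, policies: Policy[]): Decision {
  const deny = (reason: string, user: string | null = null): Decision => ({ allow: false, reason, user });
  // Step 2, identity verification: without a verified identity nothing else runs.
  const id = req.token === null ? undefined : sessions.get(req.token);
  if (!id) return deny("unauthenticated");
  // Default deny: a resource with no policy is unreachable.
  const policy = policies.find((p) => p.resource === req.resource);
  if (!policy) return deny("no-policy", id.user);
  if (!id.roles.some((r) => policy.roles.includes(r))) return deny("role", id.user);
  if (policy.requireMfa && !id.mfa) return deny("mfa-required", id.user);
  // Step 3, context evaluation: source IP, geography, time of day.
  if (!policy.cidrs.some((c) => inCidr(req.ip, c))) return deny("source-ip", id.user);
  if (!policy.countries.includes(req.country)) return deny("country", id.user);
  const [start, end] = policy.hoursUtc;
  if (req.hourUtc < start || req.hourUtc >= end) return deny("time-window", id.user);
  // Step 4, access decision; step 5 (tunnel delivery) only follows an allow.
  return { allow: true, reason: "ok", user: id.user };
}

// Constructed sample data.
const SESSIONS = new Map<string, Identity>([
  ["tok-alice", { user: "alice", roles: ["admin"], mfa: true }],
  ["tok-bob", { user: "bob", roles: ["viewer"], mfa: false }],
]);
const POLICIES: Policy[] = [{
  resource: "grafana.internal", roles: ["admin", "viewer"], requireMfa: true,
  cidrs: ["10.1.0.0/16"], countries: ["DE"], hoursUtc: [6, 20],
}];
```

Returning a named reason with every deny gives the access log one field to alert on, and matching the source address numerically avoids the string-prefix mistake where `10.10.5.9` would pass a check for `10.1`.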