---
title: "How Pangolin Works"
description: "Learn about Pangolin's architecture and how its components work together to provide secure application access"
---

Pangolin provides secure, application-specific ingress to your applications through a network of nodes. Users connect to the closest node, which authenticates them and routes their requests through secure tunnels to your backend.

<Frame>
  <img src="/images/diagram.svg" width="400" centered/>
</Frame>

## How It Works

<Steps>
<Step title="User enters through node">
  DNS automatically routes users to the closest available regional node. A node is always available because the control plane fails over between nodes.
</Step>

<Step title="Authentication and authorization">
  The node verifies the user's identity, checks access permissions, and applies context aware rules such as IP and path based filters, geoblocking, and rate limiting.
</Step>

<Step title="Secure tunnel routing">
  Authenticated requests are routed and flow through encrypted WireGuard tunnels to your applications with optional load balancing and failover for your backend servers.
</Step>

<Step title="Application delivery">
  Your applications receive the requests and respond through the same secure path.
</Step>
</Steps>

## Deployment Options

<CardGroup cols={2}>
<Card title="Pangolin Cloud" icon="cloud" href="https://pangolin.fossorial.io/auth/signup">
  Large network of nodes with automatic failover and routing to your backend services. We host the Pangolin server for you.
</Card>

<Card title="Self-host Pangolin" icon="server" href="/self-host/quick-install">
  Fully self-hosted, self-contained Pangolin server acting as a single node.
</Card>

<Card title="Remote Nodes" icon="circle-nodes" href="/manage/remote">
  Self-host your own Pangolin node with cloud coordination for high availability and automatic failover. Data always transits your servers.
</Card>

<Card title="Learn More" icon="book" href="/manage/nodes">
  Detailed information about nodes and high availability options.
</Card>
</CardGroup>

## Key Benefits

<CardGroup cols={2}>
<Card title="No Public IPs or Ports" icon="network-wired">
  Your applications can run on private networks without exposing ports.
</Card>

<Card title="Ingress Mesh" icon="globe">
  Users always connect to the closest available node.
</Card>

<Card title="Zero-Trust Security" icon="shield">
  Every request is authenticated and authorized before reaching your applications.
</Card>

<Card title="High Availability" icon="check-double">
  Multiple nodes, failover, and load balancing between tunnels ensures there is always a way for users to access your applications.
</Card>
</CardGroup>