---
title: "How Pangolin Works"
description: "Learn about Pangolin's architecture and how its components work together to provide secure application access"
---

Pangolin provides secure, application-specific ingress to your applications through a network of points of presence. Users connect to the closest point of presence, which authenticates them and routes their requests through secure tunnels to your applications.

<Frame>
  <img src="/images/diagram.svg" width="400" centered/>
</Frame>

## How It Works

<Steps>
<Step title="User enters through point of presence">
  DNS automatically routes users to the closest available regional point of presence (PoP). A PoP is always available because the control plane fails over between PoPs.
</Step>

<Step title="Authentication and authorization">
  The point of presence verifies the user's identity, checks access permissions, and applies context aware rules such as IP and path based filters, geoblocking, and rate limiting.
</Step>

<Step title="Secure tunnel routing">
  Authenticated requests are routed and flow through encrypted WireGuard tunnels to your applications with optional load balancing and failover for your backend servers.
</Step>

<Step title="Application delivery">
  Your applications receive the requests and respond through the same secure path.
</Step>
</Steps>

<Info>
Points of presence provide a mesh of high availability - if one location goes down, traffic automatically routes to the next closest location.
</Info>

## Deployment Options

<CardGroup cols={2}>
<Card title="Pangolin Cloud" icon="cloud" href="https://pangolin.fossorial.io/auth/signup">
  Large network of points of presence with automatic failover and routing to your backend services.
</Card>

<Card title="Hybrid" icon="circle-nodes" href="/manage/high-availability#hybrid-deployment">
  Host your own multiple points of presence with cloud coordination and automatic failover. Data always transits yours servers.
</Card>

<Card title="Self-Hosted" icon="server" href="/self-host/quick-install">
  Fully self-hosted, self-contained Pangolin server acting as a single point of presence.
</Card>

<Card title="Learn More" icon="book" href="/manage/points-of-presence">
  Detailed information about points of presence and high availability options.
</Card>
</CardGroup>

## Key Benefits

<CardGroup cols={2}>
<Card title="No Public IPs or Ports" icon="network-wired">
  Your applications can run on private networks without exposing ports.
</Card>

<Card title="Ingress Mesh" icon="globe">
  Users always connect to the closest available point of presence.
</Card>

<Card title="Zero-Trust Security" icon="shield">
  Every request is authenticated and authorized before reaching your applications.
</Card>

<Card title="High Availability" icon="check-double">
  Multiple points of presence, failover, and load balancing between tunnels ensures there is always a way for users to access your applications.
</Card>
</CardGroup>