From 390c4fe2fb0452550d511d11d7b50116e3a42e8f Mon Sep 17 00:00:00 2001 From: braginini Date: Sat, 27 Jun 2026 22:58:38 +0200 Subject: [PATCH] Add agent-network readme --- README.md | 5 +++++ agent-network/README.md | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 agent-network/README.md diff --git a/README.md b/README.md index cc27e2d28..63271926d 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,11 @@ **Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure. +> ### 🤖 NetBird Agent Network (Beta) +> Identity-aware access control for AI agents — keyless access to LLM APIs and private +> resources over the encrypted NetBird tunnel. See [`agent-network/`](agent-network/) or +> read the docs at **[docs.netbird.io/agent-network](https://docs.netbird.io/agent-network)**. + https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2 ### Self-host NetBird (video) diff --git a/agent-network/README.md b/agent-network/README.md new file mode 100644 index 000000000..a09d3979e --- /dev/null +++ b/agent-network/README.md @@ -0,0 +1,39 @@ +# NetBird Agent Network + +Agent Network is NetBird's access control layer for AI agents and the people who run +them. It gives every agent a real identity, tied to your identity provider (IdP), and +governs what it can reach — the LLM APIs and AI gateways it can call, and the internal +resources it can access. Traffic flows only over the encrypted NetBird tunnel, scoped by +policy, with no API keys to leak. + +> **Beta.** Agent Network is open source and can be self-hosted on your own +> infrastructure. + +## How it works + +Agent Network is built on two existing NetBird capabilities: + +- **Overlay network** — the encrypted WireGuard mesh between peers. +- **Reverse proxy** — a NetBird peer that terminates LLM requests, establishes the + caller's identity, evaluates policies/limits/guardrails, injects the upstream provider + key server-side, forwards to the API or gateway, and records usage. + +LLM traffic is routed through the proxy's identity-aware pipeline, while internal +resources (databases, internal APIs, self-hosted models) are reached directly over +peer-to-peer WireGuard tunnels, governed by the same identities and access policies. + +## Where the code lives + +There is no separate "agent-network" service — it reuses the reverse-proxy and management +components: + +- [`proxy/`](../proxy) — the NetBird reverse proxy that serves the agent network endpoint + and runs the per-request middleware pipeline. +- [`management/internals/modules/reverseproxy/`](../management/internals/modules/reverseproxy) + — the management-side control plane: providers, policies, guardrails, limits, routing, + and usage/access logs. + +## Documentation + +Full documentation, architecture, and quickstart: +**https://docs.netbird.io/agent-network**