How We Monitor Internal Services Without Opening Firewall Ports
Most uptime monitors only watch what's publicly accessible. But your database, internal APIs, and microservices? Those stay invisible until something breaks and a user complains.
We built private agents to solve this. Here's how they work and why they're different.
The Problem with Monitoring Internal Services
Your internal infrastructure is behind a firewall for good reason. But that creates a monitoring blind spot:
- Databases - Is your PostgreSQL replica in sync?
- Internal APIs - Is your auth service responding?
- Microservices - Is that background worker healthy?
- Private networks - Are your VPC endpoints working?
Traditional solutions either require:
- Exposing services to the internet (security nightmare)
- Expensive enterprise monitoring ($95+/month per agent)
- Self-hosting complex monitoring stacks
We wanted something simpler.
How Private Agents Work
A private agent is a lightweight Docker container that runs inside your network. It monitors your internal services and reports back to Boop.
┌─────────────────────────────────────────────────────┐
│ Your Network │
│ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │Database │ │ API │ │ Service │ │
│ │ :5432 │ │ :8080 │ │ :3000 │ │
│ └────┬────┘ └────┬────┘ └────┬────┘ │
│ │ │ │ │
│ └──────────────┼──────────────┘ │
│ │ │
│ ┌──────┴──────┐ │
│ │ Boop │ │
│ │ Agent │ │
│ └──────┬──────┘ │
│ │ │
└───────────────────────┼─────────────────────────────┘
│ HTTPS only (outbound)
▼
┌─────────────┐
│ boop.one │
└─────────────┘
The key insight: outbound only. The agent connects to Boop - Boop never connects to you. No inbound firewall rules. No VPN tunnels. No exposed ports.
Setup in 60 Seconds
- Create an agent in your Boop dashboard
- Copy the setup token (valid for 24 hours)
- Run the container:
docker run -d \
--name boop-agent \
-e BOOP_SETUP_TOKEN=your_token_here \
-v boop-data:/data \
boopone/agent:latest
That's it. The agent automatically:
- Exchanges the setup token for a secure active token
- Pulls monitor configurations from Boop
- Starts checking your internal services
- Reports results back to your dashboard
The Buffer: Never Lose Data
Here's where it gets interesting. What happens when your network has an outage? Or the agent temporarily loses connectivity to Boop?
Most monitoring tools just... lose that data. You get gaps in your graphs and no idea what happened.
We built a buffer into the agent.
How the Buffer Works
When the agent can't reach Boop:
- It keeps running checks using cached configuration
- Results are stored locally in a persistent buffer
- Each result gets a timestamp and unique ID
When connectivity returns:
- The agent submits all buffered results
- Boop processes them with their original timestamps
- Your monitoring history stays complete
Timeline:
────────────────────────────────────────────────────►
[Normal] [Disconnected] [Reconnected]
│ │ │
│ Agent │ Agent buffers │ Buffer syncs
│ reports │ results locally │ to Boop
│ live │ │
▼ ▼ ▼
📊 💾 📊
Live data Stored locally Historical data
(up to 10,000 restored
results)
Smart Alert Handling
Here's the clever part: buffered results don't trigger alerts.
Think about it - if your agent was offline for 30 minutes and buffered 50 check results, you don't want 50 alert notifications flooding your Slack when it reconnects. Those results are historical. The situation has either resolved itself or you've already noticed.
So Boop:
- Records all buffered results for your historical data
- Updates your uptime graphs accurately
- Does NOT fire alerts for old data
- Marks them as "buffered" so you know what happened
What Makes This Different
1. Price
Most competitors charge $95/month or more for a single private agent. We start at $7/month.
| Provider | Cost per Agent |
|---|---|
| Competitors | $95+/month |
| Boop | $7/month |
That's 93% cheaper. Not a typo.
2. Security Model
- Setup tokens expire in 24 hours (one-time use)
- Active tokens auto-rotate every 7 days
- All communication is outbound HTTPS only
- No credentials stored on the agent
3. Full Feature Parity
Private agents support everything public monitoring does:
- HTTP/HTTPS checks with status code and keyword validation
- DNS lookups
- TCP port checks
- SSL certificate monitoring
- Custom headers and authentication
4. Resilience
The buffer means your agent survives:
- Network blips
- DNS issues
- Temporary firewall problems
- Boop maintenance windows
You never lose monitoring data.
Real-World Use Cases
Startup with hybrid infrastructure:
Monitor your AWS RDS database, internal auth API, and Redis cache - all from one agent, one dashboard, one alerting pipeline.
Agency managing client servers:
Drop an agent on each client's network. Monitor their internal services without requiring them to expose anything to the internet.
Enterprise with compliance requirements:
Keep sensitive infrastructure completely internal while still getting modern monitoring and alerting.
Try It
Private agents are available on all paid plans:
- Starter ($7): 1 agent
- Hobbyist ($15): 2 agents
- Professional ($79): 10 agents
- Enterprise plans: 25+ agents
Set one up at boop.one. The agent is open source if you want to see exactly what it does before deploying.
Have questions about monitoring internal infrastructure? I'm happy to help - drop a comment below.
Top comments (0)