Skip to content

Publish a Service

Publishing a service is the act of exposing an application to the internet, making it accessible from external networks. Usually, this process requires a good understanding of network security, firewall, port forwarding, and more.

Traefik Hub allows you to expose your service using tunneling technology.


A tunnel is a multiplexed connection opened between the Traefik Hub platform and the Traefik Hub Agent. Agents open multiple tunnels to ensure higher availability of your workloads.

Tunneling brings many benefits such as:

  • No networking configuration on your part
  • NAT/Firewall traversal
  • No need for a static IP address
  • No need for a dynamic DNS


The process makes the overall communication more secure as you don't need to expose any ports from your router that are facing the internet, reducing the number of potential issues.

Data Encryption

Traefik Hub becomes the main entry point for your service.

The requests received by the Traefik Hub platform are end-to-end encrypted with TLS, and the HostSNI is used to route the request on the right cluster. The TLS termination is done by the Traefik Hub agent on your cluster, making the whole chain secure and protected against man-in-the-middle attacks.

The certificates are generated per workspace. It means that 2 services from the same workspace will be using the same certificate to encrypt the data. An exception is made when you use custom domains where one certificate is generated per published service.

Web Interface

To publish a service in the Traefik Hub UI, find the services page on the navigation menu. Then, search for the service you would like to publish and click on it.

Cannot find the service?

You can use the search bar in the top right corner of this page. The search bar filters by service name.

service search filter

On the service details page, click on the Publish the service button and fill in the parameters.

Service Port

The port is the EntryPoint to which the tunnel forwards the requests. Most of the time, the Traefik Hub Agent detects the service ports. As a service can have multiple ports defined, you will have to select which one to use.

Service Network

The service network may be required for the Hub Agent Traefik. The application and the Traefik Hub Agent must share the same network in order to communicate. The Traefik Hub Agent detects the available networks, and you need to select one.

Access Control Policy

Access Control Policies (ACP) grant access to users based on the authorization header and authentication method configured. Please have a look at the Access Control Policy documentation for more details.

Finish the process by clicking on the Save and Publish button. Wait a few seconds before accessing the service. Once ready, you are redirected to the service details page, and a new section now exposes the details of the published service. You can now see the domain name allocated for your service.

Custom Resource Definition

Custom Resource Definition is only available on Kubernetes.

Service publications can be configured from Kubernetes manifest files containing a Traefik Hub custom resource. Custom Resource Definition contains resources that the Traefik Hub Agent can understand in order to manage the publication of services.

The resource is called EdgeIngress from the group.

Here is the minimal working configuration to publish a service.

kind: EdgeIngress
  name: my-whoami
    name: whoami
    port: 80

To create the ACP, apply the manifest on the cluster using the Kubernetes CLI tool:

kubectl apply -f basic-edge-ingress.yml

You are now able to see the edge ingress in the Traefik Hub UI, and in your Kubernetes cluster:

kubectl get edgeingress my-whoami



This is the name of the resource.

The name should have less than 63 characters. It should contain only letters, numbers, and hyphens.


  name: my-edge-ingress

Service Name

This is the name of the Kubernetes service.


    name: my-service

Service Port


The port is the entry point on which the tunnel forwards the requests.


    port: 80

Access Control Policy

Name of the Access Control Policy to use. If not present, the service is not protected with credentials.

ACPs grant access to users based on the authorization header and authentication method configured. Please have a look at the Access Control Policy documentation for more details.


    name: my-acp