Private Connectivity
Connect legacy systems without opening inbound firewall rules.
Carlquist connects to your legacy systems without requiring inbound firewall rules. Our connectivity model is designed for enterprise networks where security teams require outbound-only communication patterns.
Carlquist Agent
The Carlquist Agent is a lightweight process that runs inside your network. It initiates outbound-only connections to the Carlquist control plane over TLS 1.3. No inbound ports, no VPN tunnels, no firewall exceptions required.
The Agent is designed to satisfy the most restrictive network security policies. It requires only a single outbound HTTPS connection and can operate behind NAT, corporate proxies, and stateful firewalls without modification.
How It Works
- The Carlquist Agent is installed inside the customer network (as a system service, Docker container, or standalone binary).
- The Agent initiates an outbound connection to the Carlquist control plane on port 443.
- The control plane sends adapter instructions to the Agent over the established connection.
- The Agent queries local data sources (SQL Server, PostgreSQL, MySQL, Oracle, or other configured systems) using read-only credentials provided by the customer.
- Query results are encrypted and transmitted outbound to the Carlquist control plane.
- Carlquist applies schema mappings and delivers transformed data to the customer's configured destination endpoints.
Network Requirements
- Outbound HTTPS (port 443) to agent.carlquist.app.
- No inbound rules required. The Agent never listens on any port.
- HTTP proxy compatible. The Agent supports the CONNECT method for environments that route traffic through an HTTP proxy.
- NAT and firewall friendly. Works behind NAT gateways and corporate firewalls without special configuration.
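A network security team can check the outbound-only claim on the Agent host by auditing its sockets. The script below is an added example, not Carlquist code: it parses `ss -H -tanp` output and flags any listening socket or any peer outside an operator-supplied allowlist (control plane on 443 plus the configured data sources). The process name `carlquist-agent`, the PIDs and all IP addresses are assumptions constructed for illustration.

```python
import re

# Constructed sample of `ss -H -tanp` output (run as root so the process
# column is populated). Process name, PIDs and addresses are made up.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
ESTAB 0 0 10.0.4.17:51544 203.0.113.10:443 users:(("carlquist-agent",pid=2291,fd=7))
ESTAB 0 0 10.0.4.17:40212 10.0.8.5:1433 users:(("carlquist-agent",pid=2291,fd=9))
LISTEN 0 16 127.0.0.1:9000 0.0.0.0:* users:(("carlquist-agent",pid=2291,fd=11))
ESTAB 0 0 10.0.4.17:40930 198.51.100.77:8443 users:(("carlquist-agent",pid=2291,fd=12))
"""

# Operator-supplied allowlist of (peer address, peer port): the address that
# agent.carlquist.app resolved to (constructed here) and one SQL Server source.
ALLOWED_PEERS = {("203.0.113.10", "443"), ("10.0.8.5", "1433")}

OWNER_RE = re.compile(r'"([^"]+)",pid=\d+')


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4) or '[addr]:port' (IPv6) into (addr, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def audit_sockets(ss_output, process_name, allowed_peers):
    """Return (finding, endpoint) tuples for sockets owned by process_name."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6:  # no process column: not attributable, skip
            continue
        owners = OWNER_RE.findall(" ".join(fields[5:]))
        if process_name not in owners:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        if state == "LISTEN":
            # Any listener contradicts "never listens on any port".
            findings.append(("listening", local))
        elif split_endpoint(peer) not in allowed_peers:
            findings.append(("unexpected-peer", peer))
    return findings


if __name__ == "__main__":
    for kind, endpoint in audit_sockets(SAMPLE_SS, "carlquist-agent", ALLOWED_PEERS):
        print(f"{kind}: {endpoint}")
```

When the Agent is routed through an HTTP proxy, the allowlist entry is the proxy's address and port rather than the control plane's.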
Deployment Options
| Option | Plan | Description | Availability |
| --- | --- | --- | --- |
| Shared SaaS | Default | Multi-tenant, managed by Carlquist | Available now |
| Agent (Private Network) | Enterprise | Outbound-only agent in customer network | Available now |
| Dedicated Instance | Enterprise | Single-tenant Carlquist deployment | By arrangement |
Security
- Mutual TLS (mTLS): The Agent authenticates with the Carlquist control plane using a client certificate. The control plane verifies the Agent's identity on every connection.
- End-to-end encryption: All communication between the Agent and the control plane is encrypted with TLS 1.3. No data is transmitted in plaintext at any stage.
- Minimal privileges: The Agent runs with the least privileges necessary. It accesses configured data sources using read-only credentials provided by the customer. It does not require root or administrator access.
- Signed binaries: The Agent binary is cryptographically signed. On each update, the signature is verified before the new version is loaded. Tampered binaries are rejected.
Contact
For connectivity architecture discussions, deployment planning, or to request a technical design review with your network security team, contact enterprise@carlquist.app.