
Private-network ingestion for enterprise customers

TrackLayer lets enterprise teams ingest conversion, lifecycle, and operational events from private VPCs without exposing internal origins to the public internet. Customer systems keep outbound-only connectivity, while TrackLayer receives normalized event streams over private network paths. The offering includes SOC2 audit chain integrity, EU residency Pro+, and native SFCC / Dynamics 365 / NetSuite integrations, and is built for security review, audit, and regulated data handling.

customer-vpc: internal event bus (private)
cloudflared: outbound tunnel (encrypted)
tracklayer-edge: ingestion source (verified)
destinations: Meta, Google, warehouse (routed)
PRIVATE INGESTION PATH

§ 01

Why enterprises need private networking

01

Internal event sources stay behind firewalls

Internal event sources, including data warehouses and event buses, often sit behind firewalls and cannot POST to public APIs. Those systems were never designed for public ingress, internet-facing allowlists, or direct exposure to third-party collection endpoints.

02

Compliance frameworks prefer private backbone

Compliance frameworks such as SOC 2 CC6.6 and ISO 27001 A.13 prefer moving data over a private backbone rather than the public internet. Security teams can reduce exposure, segment network access, and prove that sensitive data moves across controlled channels.

03

Regulated verticals require private data paths

Regulated verticals such as healthcare and finance often need HIPAA, PCI, and internal security reviews to confirm that customer event data travels through private networks. Private ingestion gives those teams a path they can document before launch.

§ 02

Three ways we connect

Option: Cloudflare Tunnel (cloudflared daemon)
  Architecture: cloudflared daemon creates outbound-only tunnel from customer VPC to TrackLayer ingestion
  Customer effort: Install daemon, register tunnel, route source hostname
  Pricing: Included in Scale+
  Best for: Most enterprise ingestion pilots and production private webhooks

Option: WARP Connector (lightweight agent)
  Architecture: Lightweight connector joins selected private routes to Cloudflare Zero Trust
  Customer effort: Deploy connector, approve routes, bind workspace policy
  Pricing: +$200/mo
  Best for: Multiple internal services with route-level access controls

Option: Magic WAN (enterprise BGP / dedicated)
  Architecture: Enterprise BGP or dedicated network connectivity into Cloudflare backbone
  Customer effort: Network engineering, routing design, security review
  Pricing: Custom
  Best for: Large enterprises with existing WAN modernization programs

§ 03

Cloudflare Tunnel setup (included in Scale+ tier)

01

Install cloudflared in the customer VPC

Run the daemon close to the event source so internal services remain reachable only from private subnets. TrackLayer provides the approved image, deployment notes, and environment variables during onboarding.

02

Register tunnel and add CNAME route in DNS

Your team registers the tunnel in your Cloudflare account, pins the route to a controlled hostname, and creates the DNS record that maps private ingestion traffic into the tunnel.

03

TrackLayer adds tunnel ID as a data source

The tunnel ID, workspace region, source type, and expected event schema are configured in the TrackLayer dashboard so each payload is attributed to the correct enterprise tenant.

04

Ingestion flows over the private backbone

Internal producers POST or stream events to their local service name. Cloudflare carries the encrypted tunnel traffic to TrackLayer without requiring a public origin on the customer side.

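docker-compose.yml placeholder
services:
  cloudflared:
    # Outbound-only connector: no "ports:" entry, so nothing is published for inbound traffic.
    # Replace the image with the approved one provided during onboarding.
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    environment:
      # Tunnel credential, read from the host environment; do not hard-code it in this file.
      TUNNEL_TOKEN: "${TRACKLAYER_TUNNEL_TOKEN}"
    command: tunnel run tracklayer-ingestion

  event-relay:
    # Placeholder for the customer's internal event relay.
    image: customer/internal-event-relay:latest
    environment:
      TRACKLAYER_SOURCE: "enterprise-vpc"
      TRACKLAYER_REGION: "eu-central-1"
    # Start the tunnel container before the relay.
    depends_on:
      - cloudflared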
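
A pre-deployment check for the compose file above, as an added example that is not TrackLayer's or Cloudflare's code: it flags settings that would undercut the outbound-only design (published ports, host networking), mutable image references, and a tunnel token written inline instead of referenced from the environment. It assumes the compose file has already been parsed into a dict; the function names, finding labels, and both sample dicts are constructed for illustration.

```python
import re

# Constructed sample: the page's placeholder compose file as a parsed dict.
PAGE_COMPOSE = {"services": {
    "cloudflared": {
        "image": "cloudflare/cloudflared:latest",
        "environment": {"TUNNEL_TOKEN": "${TRACKLAYER_TUNNEL_TOKEN}"},
        "command": "tunnel run tracklayer-ingestion"},
    "event-relay": {
        "image": "customer/internal-event-relay:latest",
        "environment": {"TRACKLAYER_SOURCE": "enterprise-vpc"},
        "depends_on": ["cloudflared"]}}}

# Constructed sample: a deliberately misconfigured variant for comparison.
BAD_COMPOSE = {"services": {
    "cloudflared": {
        "image": "cloudflare/cloudflared@sha256:" + "0" * 64,  # placeholder digest
        "ports": ["8080:8080"],
        "environment": ["TUNNEL_TOKEN=constructed-inline-secret"]}}}

VAR_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")

def env_items(env):
    """Compose accepts environment as a mapping or as a list of KEY=value strings."""
    if isinstance(env, dict):
        return list(env.items())
    return [tuple(e.split("=", 1)) if "=" in e else (e, None) for e in env or []]

def unpinned(image):
    """True when the reference is mutable: no digest and no tag other than 'latest'."""
    if "@sha256:" in image:
        return False
    tag = image.rsplit("/", 1)[-1].partition(":")[2]
    return tag in ("", "latest")

def audit(compose):
    """Return (service, finding) pairs for settings that weaken the private path."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if svc.get("ports"):
            findings.append((name, "published-port"))  # inbound listener on the host
        if svc.get("network_mode") == "host":
            findings.append((name, "host-network"))    # shares the host's interfaces
        image = svc.get("image")
        if image and unpinned(image):
            findings.append((name, "unpinned-image"))
        for key, val in env_items(svc.get("environment")):
            if key == "TUNNEL_TOKEN" and val and not VAR_REF.match(str(val)):
                findings.append((name, "inline-tunnel-token"))
    return findings
```

Run against the page's placeholder, the check reports only the two `:latest` images; the misconfigured variant is flagged for its published port and inline token.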
§ 04

What you can connect

01

Kafka topics carrying checkout, subscription, inventory, billing, or lifecycle events

02

RabbitMQ exchanges and queues used by internal commerce or fulfillment systems

03

Internal REST APIs that are callable only from private subnets or service meshes

04

Redshift/Snowflake streams delivered via PubSub relay or scheduled event bridge

05

Internal webhooks, including Stripe / Salesforce behind VPN access

06

Database change-data-capture streams for account, order, payment, or product mutations

§ 05

Data path

Enterprise VPC ingestion starts inside the customer network. An internal event source, such as Kafka, RabbitMQ, a webhook relay, or a private REST service, sends events to a local connector that has no public inbound port. The connector establishes an outbound-only path to Cloudflare, where traffic moves across the private backbone toward the TrackLayer edge. TrackLayer validates the tunnel, workspace, source identity, and schema before routing events into destination delivery or warehouse sync. The customer keeps their origin private, while security teams get a path they can review, monitor, and audit.

CUSTOMER VPC: Kafka / APIs / CDC
cloudflared / WARP / WAN: Cloudflare private backbone
TRACKLAYER EDGE: Destinations + audit log

§ 06

Compliance + audit

01

All traffic uses TLS 1.3 from the connector edge through TrackLayer ingestion.

02

No data is stored at rest in an intermediate tunnel layer or relay buffer.

03

Every ingestion receives an audit log entry with source, tunnel, workspace, schema, and delivery status.

04

SOC 2 inherited controls from Cloudflare can support secure transmission and network segmentation review.

§ 07

Pricing

Cloudflare Tunnel

Included

Tunnel setup is included in Scale ($399/mo) and Enterprise for teams that need one private ingestion path into TrackLayer.

WARP Connector

+$200/mo

Use WARP Connector when multiple internal services need routed private access policies.

Magic WAN

Contact sales

Dedicated architecture and pricing for enterprise BGP, WAN modernization, or custom backbone connectivity.

§ 08

Enterprise proof

"$X00M revenue merchant uses TrackLayer via private tunnel to their internal event bus without exposing any service to the public internet."

Anonymous Fortune 500 CTO

§ 09

FAQ

Can we multi-tenant a single tunnel?

Yes, if your security team approves shared network plumbing. TrackLayer still separates data at the workspace, source, schema, and destination levels, and most enterprises use separate logical sources for each business unit or brand.

Can data residency be EU-only?

Yes. Enterprise workspaces can be provisioned in EU regions, and tunnel routes can be bound to EU ingestion endpoints so event processing, audit metadata, and destination controls stay region-aware.

What happens if the tunnel drops?

TrackLayer marks the source degraded, sends alert notifications, and keeps destination delivery paused for affected streams. Customers typically run multiple cloudflared replicas and a local queue so events can retry when connectivity returns.

What SLA applies to tunnel uptime?

Scale customers receive best-practice deployment guidance, while Enterprise customers can add a solution architecture review and SLA language that reflects the selected Cloudflare connectivity option and TrackLayer plan.

Are there data egress costs?

TrackLayer does not add an egress surcharge for included tunnel ingestion. Your cloud provider and Cloudflare contract may still define network charges, especially for high-volume cross-region paths or Magic WAN deployments.

§ 10

Built for Enterprise VPC

01

SOC2 audit chain

Immutable logs with inherited Cloudflare controls for compliance review.

02

EU residency Pro+

Workspace-bound EU ingestion endpoints with region-aware processing.

03

Enterprise integrations

SFCC, Dynamics 365, and NetSuite SuiteScript native sources.

READY FOR PRIVATE-NETWORK INGESTION

Connect enterprise event sources without public ingress.

Talk to our solutions team →
