
Architecture

The Edge Relay operates on a pull-based, outbound-only connection model. Rather than the Traversal platform connecting inbound to your environment, the Edge Relay initiates a persistent, bidirectional, encrypted tunnel to the Relay Controller in Traversal’s SaaS control plane or in your Traversal BYOC deployment. The Traversal platform sends requests over this tunnel, and the Edge Relay executes them against your internal services and returns the responses over the same tunnel. This design means:
  • No inbound firewall rules are required — the Edge Relay only makes outbound connections
  • Your network perimeter is preserved — no services are exposed or listening for external traffic
  • You retain full control — the Edge Relay runs in your environment, under your operational purview
| Component | Runs in | Role |
| --- | --- | --- |
| Your internal services | Your environment | Data sources and APIs queried by the Edge Relay over your private network |
| Edge Relay | Your environment | Initiates the outbound tunnel; executes HTTP requests against your internal services |
| Relay Controller | Traversal’s SaaS control plane or your BYOC deployment | Receives the tunnel connection; dispatches requests on behalf of the Traversal platform |
The data flow is:
Traversal Platform → Relay Controller → (mTLS tunnel) → Edge Relay → (HTTPS) → Your Internal Services
Responses return along the same path. The tunnel is always initiated outbound by the Edge Relay.

Security

Encryption

The Edge Relay establishes a dedicated, private tunnel to the Relay Controller, encrypted end-to-end with mTLS. This tunnel can optionally be established through a PrivateLink service endpoint, ensuring traffic never traverses the public internet. The Edge Relay authenticates itself to the controller using a client certificate, and verifies the controller’s identity using a trusted CA certificate.
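To make the two-sided verification concrete, the following is an added example (not the Edge Relay's or Traversal's own code) that performs a mutual-TLS handshake in Go between an in-process stand-in for the Relay Controller and one for the Edge Relay. The throwaway CA, the controller name relay-controller.example and the relay identity edge-relay-01 are all constructed for the example; the PrivateLink endpoint and CONNECT proxy are outside its scope.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)
// issue mints a short-lived test certificate for cn, signed by parent (a self-signed CA when parent is nil).
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// TunnelHandshake runs a mutual-TLS handshake over an in-memory pipe: the controller side admits only relays whose
// certificate chains to the CA; the relay side trusts only a controller chaining to the CA and named expectedController.
func TunnelHandshake(expectedController string) (string, error) {
	ca, caKey := issue("relay-ca", nil, nil) // throwaway PKI and names constructed for this example
	ctrl, ctrlKey := issue("relay-controller.example", ca, caKey)
	relay, relayKey := issue("edge-relay-01", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ctrlCfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, // no anonymous relays
		Certificates: []tls.Certificate{{Certificate: [][]byte{ctrl.Raw}, PrivateKey: ctrlKey}}}
	relayCfg := &tls.Config{RootCAs: pool, ServerName: expectedController, // verify the controller, never InsecureSkipVerify
		Certificates: []tls.Certificate{{Certificate: [][]byte{relay.Raw}, PrivateKey: relayKey}}}
	srvSide, cliSide := net.Pipe() // stands in for the TCP connection the relay dials outbound
	ctrlConn, relayConn := tls.Server(srvSide, ctrlCfg), tls.Client(cliSide, relayCfg)
	go func() { // controller side: finish the handshake, echo the verified relay identity, hang up
		if ctrlConn.Handshake() == nil {
			ctrlConn.Write([]byte(ctrlConn.ConnectionState().PeerCertificates[0].Subject.CommonName))
		}
		ctrlConn.Close()
	}()
	ack, err := io.ReadAll(relayConn) // drives the relay's handshake; any verification failure surfaces here
	return string(ack), err
}
```

Calling TunnelHandshake with the pinned controller name returns the relay identity the controller verified; calling it with any other name makes the relay side abort the handshake, which is the behaviour a misconfigured or spoofed controller endpoint should produce.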

No inbound network access

The Edge Relay initiates all connections outbound. It does not listen on any ports for external traffic, and does not require any inbound firewall rules or publicly reachable endpoints. The only listening port is an internal health-check endpoint used by your container orchestrator to monitor the service’s readiness.

No data persistence

The Edge Relay does not store, cache, or log any request or response data. It is a stateless, transient forwarding service — data flows through it and is not retained.

Forward proxy support

For environments that require all outbound traffic to route through a corporate proxy, the Edge Relay supports connecting to the Relay Controller through an HTTP CONNECT proxy.

Telemetry

The only external connection the Edge Relay makes — beyond the tunnel to the Relay Controller — is to telemetry.<deployment_name>.traversal.com to report its own operational telemetry (metrics, traces, and logs) using OpenTelemetry (OTLP). No customer data is included in the telemetry. Only operational metrics such as tunnel connectivity status, request latency, and error rates are reported.