Hybrid with JFrog Bridge

Hybrid with JFrog Bridge

Hybrid JFrog deployments combine a JFrog Platform Deployment (JPD) in JFrog SaaS with self-managed JPDs on your premises, often behind corporate firewalls. Federated services need those sites to sync, but policies that block inbound connectivity to on-prem prevent self-managed JPDs from participating like internet-reachable sites.

JFrog Bridge closes that gap: the self-managed Bridge Client opens outbound connections to the SaaS Bridge Server, forming a secure tunnel so platform traffic flows without inbound firewall exceptions. See the same documentation for installation, configuration, and operations. Bridge is supported with an Enterprise+ subscription.

Network and security challenges Bridge addresses

  • No inbound firewall exceptions: Federated features assume JPDs can reach each other; inbound denials to self-managed JPDs break that model. Bridge reverses direction—the Client initiates outbound HTTP to SaaS—avoiding inbound holes on your network.
  • Avoiding heavy network plumbing: Site-to-site VPNs, peering, or private link add cost and operations. Bridge is an application-layer tunnel over outbound paths you typically already allow.
  • Trust and egress: Forwarded API requests authenticate with your self-managed CA; Bridge can use the platform proxy defaults and per-bridge overrides.

What Bridge enables (common scenarios)

The SaaS JPD forwards requests over the encrypted Bridge path to the self-managed JPD:

  • Access Federation — Identity and access management through the Bridge for consistent users, groups, and permissions.
  • Repository Federation — Artifact synchronization where federated repositories span SaaS and self-managed JPDs across the firewall boundary.
  • Distribution to self-managed Edge nodes — Release bundles and management traffic to Edge JPDs at protected sites.

Central site, optional Edge sites, Smart Remote repositories, and release-driven workflows are covered on the general Hybrid page.

Architecture

Examples include SaaS as the main site (self-hosted edges, Distribution and/or Smart Repositories; self-hosted CI with selective federation, including CI - CD separation), or self-managed as the main site (SaaS as CD with selective federation; SaaS as backup). Where self-managed JPDs cannot accept inbound connections, JFrog Bridge makes federation and distribution viable.

The schematic below matches the general Hybrid page (a Bridge-specific diagram may replace it later).

Hybrid Hybrid