In my organization we’re researching usage of n8n for integration.
We have a special case with one of the projects -
Some clients cannot allow firewall rules for communication from outside their network into it. But we need to update systems in their network.
To solve this problem, our current ESB is using an agent service, which is a Windows service installed on a server in the client's network, that polls the ESB server (in our network) periodically - requesting work.
That way we can still update systems in the clients’ network, without them allowing our network inbound access into their network.
Is there a similar solution in n8n?
We really enjoyed researching the tool and hope to transfer to it completely!
Hi @Oren_S, welcome to the community, and thank you so much for your kind words!
> Some clients cannot allow firewall rules for communication from outside their network into it. But we need to update systems in their network.
Technically, n8n would not need to be able to communicate with the outside world to run (see Isolating n8n | n8n Docs for details), so having a restrictive firewall in place is fine in principle.
> That way we can still update systems in the clients’ network, without them allowing our network inbound access into their network.
Based on this I suspect you are looking for a way to receive incoming webhooks in n8n without allowing inbound communication? n8n would provide a tunnel service allowing this for debugging purposes (instructions Docker | n8n Docs), though this doesn’t come with any uptime guarantees and you wouldn’t be able to pick your domain.
For a production-ready setup you could consider using a Cloudflare tunnel instead (or a similar product from a competitor of course). This would mean you have to install a small daemon on your n8n server which would then open an outbound connection to Cloudflare’s tunnel service instead.
> Based on this I suspect you are looking for a way to receive incoming webhooks in n8n without allowing inbound communication?
The other way around: We’re looking for a way to, during a workflow, perform a task on a different network, given no outbound possibility from n8n to the other network.
I’m not sure I clearly presented the issue.
Say we have a network named ‘x’. N8N is installed on it.
A client has a network named ‘y’. No N8N on it.
We need to update a DB located in the ‘y’ network, using a node in a workflow on ‘x’ N8N.
But ‘x’ (N8N) cannot access ‘y’ network directly. (as the ‘y’ network won’t allow inbound communication)
Is there a solution to this problem within n8n features?
The solution with the current ESB is to have an agent software installed on the ‘y’ network, poll the ESB (located in network ‘x’) every 200ms, and return with the task provided it’s available. That way there are only communication requests from ‘y’ to ‘x’, but the ESB is still available to perform tasks within the ‘y’ network services.
Unfortunately I do not have a great solution for this problem. n8n does not ship with the kind of agent you have in mind. While n8n does allow a shared setup in principle (with one main instance and multiple additional workers) in queue mode, this allows scaling n8n rather than isolating it in the way you have described, so this isn’t what you’re looking for.
For now, I’m turning this question into a feature request so that you and other users can vote on the idea and help our product team understand the interest.
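
The outbound-only polling agent discussed in this thread, sketched as an added example; it is not part of the original posts and not an n8n feature. The broker endpoints `/next` and `/result`, the `orders` table and the task names are hypothetical, and the agent only runs tasks from its own allowlist rather than SQL text sent from network 'x'.

```python
import json, sqlite3, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from queue import Empty, Queue
TASKS, RESULTS = Queue(), []  # work queue and results, both held in network 'x'
# Agent-side allowlist: task name -> fixed, parameterised SQL (constructed sample).
ALLOWED = {"set_status": "UPDATE orders SET status = ? WHERE id = ?"}

class Broker(BaseHTTPRequestHandler):  # runs in 'x'; only answers, never dials into 'y'
    def _reply(self, code, body=b""):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):  # the agent asks for work
        try:
            self._reply(200, json.dumps(TASKS.get_nowait()).encode())
        except Empty:
            self._reply(204)
    def do_POST(self):  # the agent reports the outcome
        RESULTS.append(json.loads(self.rfile.read(int(self.headers["Content-Length"]))))
        self._reply(204)
    def log_message(self, *args):  # keep the demo quiet
        pass

def poll_once(base_url, db):
    """One agent cycle in 'y': outbound GET, local DB update, outbound POST."""
    with urllib.request.urlopen(base_url + "/next") as resp:
        if resp.status == 204:
            return None  # nothing queued
        task = json.load(resp)
    result = {"id": task["id"], "ok": False, "error": "task not allowed"}
    if task["name"] in ALLOWED:  # never run SQL text supplied by the broker
        rows = db.execute(ALLOWED[task["name"]], task["args"]).rowcount
        db.commit()
        result = {"id": task["id"], "ok": True, "rows": rows}
    body = json.dumps(result).encode()
    urllib.request.urlopen(urllib.request.Request(base_url + "/result", body)).close()
    return result

def demo():
    server = HTTPServer(("127.0.0.1", 0), Broker)  # stands in for the 'x' side
    threading.Thread(target=server.serve_forever, daemon=True).start()
    db = sqlite3.connect(":memory:")  # stands in for the DB inside 'y'
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)")
    db.execute("INSERT INTO orders VALUES (1, 'new')")
    TASKS.put({"id": "t1", "name": "set_status", "args": ["shipped", 1]})
    TASKS.put({"id": "t2", "name": "drop_orders", "args": []})  # not allowlisted
    out = [poll_once("http://127.0.0.1:%d" % server.server_port, db) for _ in range(3)]
    server.shutdown()
    return out, db.execute("SELECT status FROM orders").fetchone()[0]
```

A real agent would call `poll_once` on a timer, over TLS, with credentials the broker checks before handing out work.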