monitoringprivate-workerssecurity

How to Monitor Internal Services Without Exposing Them to the Internet

PM

Panos Michalopoulos

Founder & CEO

||8 min read
Share:

Every monitoring tool on the market assumes your infrastructure is publicly accessible. Enter a URL, check the status code, done. But modern architectures are not that simple. Your most critical services — internal APIs, microservice meshes, staging environments, database admin panels, CI/CD dashboards — live behind firewalls, inside private VPCs, or on air-gapped networks. They are invisible to cloud-based monitors. And if you cannot monitor them, you cannot know when they break.

The Problem With Monitoring Internal Services

The traditional approach to monitoring private services forces you into uncomfortable compromises. You either expose endpoints to the public internet through reverse proxies or VPN tunnels — creating a security risk — or you run a self-hosted monitoring stack like Nagios or Zabbix inside your network, which demands significant operational overhead. Neither option is good.

Exposing internal services is particularly dangerous. Every publicly accessible endpoint is an attack surface. Even with authentication, you are trusting that your monitoring endpoint has no vulnerabilities, that credentials will not leak, and that the network path between the monitoring service and your internal target is secure. For services that handle sensitive data — employee databases, payment processing backends, healthcare APIs — this risk is unacceptable.

How Monitorion Private Workers Solve This

Monitorion takes a fundamentally different approach with private workers. Instead of reaching into your network from outside, we give you a lightweight, open-source agent that runs inside your network and reaches out to Monitorion over HTTPS. No inbound ports, no VPN tunnels, no public exposure.

The architecture is simple and secure:

  • Poll-based communication — the worker calls GET /api/v1/workers/jobs every 15 seconds to fetch pending checks. All communication is outbound HTTPS from your network.
  • Check execution — the worker runs the assigned checks against your internal targets, exactly like a cloud worker would against public targets.
  • Result submission — results are posted back to POST /api/v1/workers/results with SHA-256 hashed API key authentication.
  • No inbound ports — your firewall rules do not need to change. If your network can make HTTPS requests to the internet, the worker can operate.

Security by Design

Private workers are built with a security-first mindset. The Docker image runs as a non-root user (UID 1001) with a read-only filesystem. The only capability added is NET_RAW for ICMP ping checks. API keys use the wkr_ prefix followed by 48 random hex bytes, and only the SHA-256 hash is stored on our servers. The plaintext key is shown exactly once at creation and never stored.

Every result submission is validated server-side. Monitorion verifies that the monitor_id in each result actually belongs to the authenticated worker. A compromised worker cannot submit results for monitors it does not own, and it cannot access data from other customers.

What You Can Monitor

Private workers support all 25 of Monitorion's monitor types against internal targets. Common use cases include:

  • Internal APIs — verify that your microservices respond correctly, with JSON assertion checks on response bodies
  • Database admin panels — confirm that tools like pgAdmin, Redis Commander, or Kibana are accessible and functional
  • Staging environments — monitor staging with the same rigor as production, catching deployment issues before they reach users
  • CI/CD infrastructure — check that Jenkins, GitLab runners, or ArgoCD dashboards are healthy
  • Internal SMTP and mail servers — verify that corporate email infrastructure is delivering messages
  • Private DNS resolvers — ensure your internal DNS is resolving correctly and returning expected records

Because SSRF restrictions are intentionally removed for private workers — monitoring internal IPs is the entire point — you can target RFC-1918 addresses, loopback interfaces, and any host reachable from the worker's network.

Deployment in Five Minutes

Getting a private worker running takes less time than reading this article. The recommended approach is Docker:

  • Step 1: In the Monitorion dashboard, go to Settings and then Private Workers. Click Add Worker, give it a name, and copy the API key.
  • Step 2: Run the Docker container with your API key as an environment variable. The image is multi-stage built, minimal, and weighs under 100 MB.
  • Step 3: The worker registers itself with Monitorion and appears in your dashboard within seconds. Its status, last heartbeat, and version are visible at a glance.
  • Step 4: Create monitors as you normally would, but select your private worker as the check source instead of cloud regions.

The worker sends heartbeats every 60 seconds so you always know it is alive. If a heartbeat is missed, Monitorion alerts you that the worker itself is offline — monitoring your monitoring, so to speak.

Multi-Network Monitoring

You are not limited to a single private worker. Deploy workers in multiple network segments — one in your production VPC, one in staging, one in the office network — and assign monitors to each. This gives you visibility across your entire infrastructure from a single dashboard, without any of those networks needing to trust each other.

For organizations with strict compliance requirements, this separation is critical. Your production worker monitors production services, your staging worker monitors staging, and neither has access to the other. Data isolation is maintained both at the network level and at the application level through Monitorion's project-based access control.

Available on All Paid Plans

Private workers are available on Pro, Business, and Agency plans. There is no per-worker surcharge — deploy as many as you need. The worker source code is open-source under the MIT license, so you can audit every line before deploying it in your network. Your internal services deserve the same monitoring rigor as your public endpoints. With Monitorion private workers, they finally get it — without compromising your security posture.

Share:

Enjoyed this post?

Get monitoring tips and product updates delivered to your inbox.


Related Posts