Zuplo
Multi-Cloud Gateway

One gateway. Any cloud. Any backend.

Run Zuplo on managed edge, single-tenant dedicated (Akamai, AWS, Azure, GCP), or self-hosted on your own Kubernetes — all behind one control plane. Reach private backends with WireGuard tunnels, PrivateLink, or cloud-native IAM. No vendor lock-in, no proxy stitching.

[Diagram: Deployment topology. One control plane, any cloud. Three deployment modes: Managed Edge (default for self-serve; 300+ edge POPs, global anycast), Managed Dedicated (single-tenant on your cloud), and Self-Hosted (Helm on your Kubernetes). The Zuplo Gateway applies the same policies anywhere (auth, rate limit, cache, observability) in front of backends on any cloud with any auth: Order service on AWS (AWS IAM), Identity API on Azure (Azure AD), Inventory API on GCP (GCP IAM), and Mainframe API on-prem (mTLS).]

3 modes · edge, dedicated, self-hosted
Any backend · private or public
One plane · policies travel

Why this matters

Your APIs landed on three different clouds. Your gateway only speaks one.

Most teams didn't choose a multi-cloud strategy — they accumulated one. The gateway shouldn't be the reason consolidation drags on for five years.

One gateway per cloud

Each cloud got a different gateway when it landed. Now your security team owns three different policy languages, three different observability backends, and three different on-call runbooks.

Public-internet backends

Your private services aren't actually private — there's a load balancer on the internet because that was the only way the legacy gateway could reach them. WAF, IP allowlists, and prayer keep it locked down.

Vendor lock-in tax

Migrating off the gateway means rewriting every policy, re-issuing every API key, re-instrumenting every dashboard. So you stay, even when the renewal quote arrives.

On-prem stuck on a VPN box

The mainframe still runs payroll. Reaching it from a cloud gateway means a site-to-site VPN, a NAT instance, and a quarterly conversation with the network team about "the firewall rule that broke last week."

What you get

One control plane. Three deployment surfaces.

One gateway, every cloud

Run Zuplo on managed edge, dedicated single-tenant on the cloud of your choice (Akamai, AWS, Azure, GCP, Equinix), or self-hosted on any Kubernetes. Every deployment surface speaks the same policies and shares one control plane.

Reach private backends without exposing them

Cloud-native private networking — PrivateLink (AWS), Private Link (Azure), Private Service Connect (GCP) — for backends that speak it, plus a WireGuard tunnel agent for everything else. Outbound-only. No inbound firewall rules. No public IP needed.

Migrate without rewriting

Routes, policies, env vars, API keys, dashboards — they all follow the project. Promote a managed-edge project to dedicated when traffic justifies it. Move dedicated to self-hosted when sovereignty does. Same code, new substrate.

WireGuard tunnels · cloud-native private networking

Reach private backends without opening a single inbound port

Drop the tunnel agent into your private network. It dials out to Zuplo over WireGuard. The gateway routes to your private services using a `service://` URL — no public IP, no VPN concentrator, no quarterly firewall ticket.

Terminal: Tunnel agent · Docker

```bash
# Run anywhere your private backend can be reached:
docker run -d --name zuplo-tunnel \
  -e TUNNEL_TOKEN="$TUNNEL_TOKEN" \
  zuplo/tunnel:latest

# In Zuplo, route to the private service:
#   url: service://orders.internal:8080
# - No inbound firewall rules
# - No public IP on the backend
# - Outbound WireGuard only
# - Multiple replicas → HA + horizontal scale
```

YAML: Cloud-native private connectivity

```yaml
# AWS PrivateLink — gateway → VPC endpoint
backendUrl: https://vpce-0a1b2c3d.execute-api.us-east-1.vpce.amazonaws.com

# Azure Private Link — gateway → private endpoint
backendUrl: https://orders-api.privatelink.azurewebsites.net

# GCP Private Service Connect — gateway → PSC endpoint
backendUrl: https://orders.psc.acme.internal

# All require zero inbound firewall rules.
# All inherit the same policies (auth, rate limit, logging).
```

AWS IAM
Azure AD
GCP IAM / IAP
mTLS certificates
Bearer / shared secret
Outbound-only WireGuard
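
The backend URL forms shown above can be linted before a route ships. The following is an added example, not Zuplo code: it classifies each backend URL by scheme and hostname and flags any that is not on a private path. The route table, function names and the `.internal` suffix rule are assumptions, and the check is name-based, so it is a lint and not proof of network isolation.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: DNS suffixes that resolve only inside your own network
# (how a GCP Private Service Connect name is recognised in this sketch).
INTERNAL_SUFFIXES = (".internal",)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_backend(url):
    """Return (kind, is_private) for one backend URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "service":
        return ("tunnel", True)           # reached through the tunnel agent
    if parts.scheme != "https":
        return ("not-https", False)       # plaintext or unknown scheme
    try:
        ip = ipaddress.ip_address(host)   # literal IP instead of a name
        return ("ip-literal", any(ip in net for net in RFC1918))
    except ValueError:
        pass
    if host.endswith(".vpce.amazonaws.com"):
        return ("aws-privatelink", True)
    if ".privatelink." in host:
        return ("azure-private-link", True)
    if host.endswith(INTERNAL_SUFFIXES):
        return ("internal-dns", True)
    return ("public-dns", False)

def audit(routes):
    """Return (path, kind, url) for every backend not on a private path."""
    return [(path, kind, url) for path, url in routes.items()
            for kind, private in [classify_backend(url)] if not private]

# Constructed sample: the first four URLs are the page's own examples,
# the last three are made-up backends that should be flagged.
SAMPLE_ROUTES = {
    "/orders": "service://orders.internal:8080",
    "/orders-aws": "https://vpce-0a1b2c3d.execute-api.us-east-1.vpce.amazonaws.com",
    "/orders-azure": "https://orders-api.privatelink.azurewebsites.net",
    "/orders-gcp": "https://orders.psc.acme.internal",
    "/legacy": "https://api.example.com/v1",
    "/payroll": "http://10.0.0.5:8080",
    "/reports": "https://203.0.113.10/export",
}

if __name__ == "__main__":
    for path, kind, url in audit(SAMPLE_ROUTES):
        print(f"FLAG {path}: {kind} -> {url}")
```
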
What makes Zuplo different

Same policies, anywhere they need to run

One control plane across every deployment surface

Other gateways treat "edge," "self-hosted," and "dedicated" as different products with different runtimes and different policy syntaxes. Zuplo treats them as deployment options for one project — your policies travel.

WireGuard tunnel agent

Drop the `zuplo/tunnel` container into any private network. It establishes an outbound, authenticated WireGuard connection to Zuplo. No inbound firewall rules, no public IP, no VPN concentrator to maintain. Each tunnel handles millions of requests per minute.

First-class cloud auth integrations

Forward to AWS Lambda with AWS IAM. Forward to Azure App Service with Azure AD client credentials. Forward to a GKE workload with GCP IAM / Identity-Aware Proxy. Forward to anything with mTLS. All as policies, not custom code.

AccuWeather scale, on Akamai Connected Cloud

AccuWeather migrated from Apigee to Zuplo on Akamai Connected Cloud — modern developer portal, programmable edge caching, complete API governance, serving over one billion users. Akamai CDN, Global Traffic Manager, and Origin IP ACL enforce edge-only origin access.

Real questions, real answers

What teams use this for

“We acquired a company. Their APIs are on a different cloud.”

Add their backends to your existing Zuplo project — one route per service, each with its own backend URL. AWS Lambda over PrivateLink, GCP Cloud Run over PSC, on-prem over a WireGuard tunnel. One developer portal. One set of API keys. One control plane.

“Compliance says data has to stay on our infrastructure.”

Run Zuplo Self-Hosted on your Kubernetes cluster via the Helm chart. Two flavors: Hybrid (gateway on your infra, shared services from Zuplo) or Full Self-Hosted (every component on your infra, no external dependencies). Same policies, your data plane.

“We're migrating from on-prem to cloud — but we're 18 months out.”

Run the gateway on edge or dedicated today. Point routes at on-prem services through a WireGuard tunnel. As each service migrates to the cloud, swap its backend URL — clients never notice. Traffic-split incrementally for cautious cutovers.

“We need single-tenant for compliance, but not on-prem.”

Managed Dedicated — Zuplo provisions and operates a single-tenant instance on Akamai Connected Cloud, AWS, Azure, GCP, Equinix, or TerraSwitch. Hardware isolation, your cloud's network, our operations team.

Frequently Asked Questions

Common questions about Zuplo's deployment options.

Stop letting the gateway dictate your cloud strategy

Free Zuplo project, route to any cloud's backend in minutes — and move it to a different deployment surface later without rewriting a thing.