
Bridges

WireGuard tunnels for secure private connectivity to on-premise resources.

Bridges provide secure, encrypted tunnels between MechaMental and your private infrastructure. They allow your AI pipelines to access on-premise databases, internal APIs, and other resources that are not exposed to the public internet.

Key Features

  • WireGuard Tunnels — industry-standard encrypted tunnels with minimal overhead and strong security
  • Zero Trust — each bridge connection is authenticated and encrypted with a unique keypair
  • Endpoint Routing — route specific tool calls through the bridge to reach internal services
  • Health Monitoring — real-time connection status, latency metrics, and automatic reconnection

Setup Flow

Install Agent

Deploy a lightweight bridge agent on a server in your private network. The agent is a single binary that runs as a background service.

Register

The agent connects outbound to MechaMental and establishes a WireGuard tunnel. Registration generates a unique keypair for authentication.

Configure Endpoints

Define which internal services are reachable through the bridge. Each endpoint specifies a host, port, and protocol for an internal service.

Use in Pipelines

Tools configured to use the bridge route their requests through the tunnel. In the tool instance configuration, select the bridge endpoint as the target for any tool that needs to reach your private infrastructure.
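The endpoint list from the Configure Endpoints step determines what the bridge can reach, so it is worth reviewing against an approved list before pipelines use it. The following is an added example, not MechaMental code: it assumes endpoints are available as records with the host, port, and protocol fields named above, and the `name` field, the approval list, and all sample values are constructed for illustration.

```python
import ipaddress

# Constructed approval list: (CIDR or exact hostname, port, protocol).
APPROVED = [("10.20.0.0/24", 5432, "tcp"), ("billing.internal.example", 443, "tcp")]

def _host_matches(host, approved_host):
    """Match an IP literal against a CIDR, or a hostname by exact name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == approved_host.lower()
    try:
        return ip in ipaddress.ip_network(approved_host)
    except ValueError:
        return False  # approved entry is a hostname, endpoint host is an IP

def audit_endpoint(ep, approved=APPROVED):
    """Return the findings for one endpoint; an empty list means acceptable."""
    findings = []
    host, port, proto = ep.get("host", ""), ep.get("port"), ep.get("protocol", "")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("invalid port")
    try:
        ip = ipaddress.ip_address(host)
        # These addresses point at the agent host itself, not an internal service.
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            findings.append("host is loopback, link-local or unspecified")
    except ValueError:
        if not host or "*" in host:
            findings.append("missing or wildcard host")
    if not any(_host_matches(host, h) and port == p and proto.lower() == pr
               for h, p, pr in approved):
        findings.append("not on the approved list")
    return findings

def audit(endpoints, approved=APPROVED):
    """Map endpoint name to findings, keeping only endpoints with findings."""
    results = {ep.get("name", "<unnamed>"): audit_endpoint(ep, approved) for ep in endpoints}
    return {name: found for name, found in results.items() if found}

# Constructed sample endpoint definitions (hypothetical record format).
SAMPLE = [
    {"name": "orders-db", "host": "10.20.0.15", "port": 5432, "protocol": "tcp"},
    {"name": "billing-api", "host": "billing.internal.example", "port": 443, "protocol": "tcp"},
    {"name": "ssh-jump", "host": "10.20.0.15", "port": 22, "protocol": "tcp"},
    {"name": "agent-local", "host": "127.0.0.1", "port": 8080, "protocol": "tcp"},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```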

No Inbound Ports

The bridge agent initiates the connection outbound. You do not need to open any inbound ports or configure firewall rules in your network. This simplifies deployment in locked-down enterprise environments.

Use Cases

Scenario         Description
Database access  Query on-premise PostgreSQL, MySQL, or MongoDB instances from pipeline steps
Internal APIs    Call internal REST or gRPC services that are not publicly accessible
File systems     Access documents and data on internal network drives
Legacy systems   Integrate with systems that cannot be exposed to the internet

Security

All traffic through a bridge is encrypted with WireGuard. The bridge agent authenticates with MechaMental using a unique keypair generated during registration. Traffic is isolated per workspace — one workspace's bridge cannot access another workspace's private resources.

See the Admin: Bridges Setup guide for detailed installation and configuration instructions.
