Secure webhook delivery for private networks
Run webhooks entirely inside your own infrastructure with static IPs, SSRF protection, and signed, encrypted delivery. No public exposure. No data leaving your perimeter.
Deploy inside your own network
Run the gateway where your data already lives, whether that is your VPC, a private subnet, or on-premise, with a single PostgreSQL dependency.
Self-host in your own network:Run the entire gateway inside your VPC, private subnet, or on-premise cluster so events never leave your environment.
Learn more
No third-party data egress:Convoy has no dependency on external SaaS to operate, so your payloads and metadata stay within your perimeter.
One dependency, Postgres:A single PostgreSQL dependency keeps deployment simple in air-gapped, regulated, and restricted environments.
Learn more
Lock down ingress & egress
Deliver from predictable IPs, allowlist trusted destinations, and block internal ranges so traffic never leaves approved boundaries.
Static egress IPs:Deliver from designated, predictable IP addresses that downstream teams can allowlist in their firewalls.
IP allowlisting:Constrain delivery to trusted destinations so webhook traffic stays inside approved network boundaries.
SSRF prevention:Blacklist internal and reserved IP ranges to eliminate server-side request forgery on user-supplied endpoints.
Zero-trust delivery between services
Move events between internal services with the same guarantees you would demand on the public internet: encryption, authenticity, and replay protection.
Enforce TLS on every hop:Require encrypted connections between services so payloads stay protected even as they move across your internal network.
Signed, verifiable payloads:HMAC signatures let one internal service prove to another that an event is authentic and has not been tampered with.
Learn more
Replay protection:Time-bound, single-use deliveries stop a captured request from being replayed later inside your perimeter.
Bridge the brokers already in your network
Fan out events from the message brokers and pipelines running inside your infrastructure, without ever exposing them publicly.
Fan out from internal brokers:Consume from a Kafka, SQS, Pub/Sub, or RabbitMQ cluster that never has to be exposed to the public internet.
Learn more
Tap your CDC stream:Read change data capture events straight from your database and reshape them with JavaScript before delivery.
Deliver only what a service may see:Fine-grained subscriptions route each event to the internal consumers cleared to receive that payload shape.
Learn more
Resilient across unreliable internal links
Keep delivery flowing when VPNs flap, internal services restart, or legacy systems fall behind.
Survive VPN and link blips:Automatic retries with backoff recover deliveries when a site-to-site VPN or an internal hop drops the connection.
Learn more
Isolate a failing service:Circuit breaking pauses traffic to an unhealthy internal endpoint before the failure spreads across network zones.
Learn more
Protect legacy systems:Per-endpoint rate limits keep bursty event volume from overwhelming constrained on-prem or legacy services.
Learn more
Span network zones:Split the control and data plane across segments so delivery keeps running through a partial outage.
Learn more
Built for regulated and disconnected environments
Meet residency and compliance needs and run in fully air-gapped networks, with all telemetry staying inside your perimeter.
Data residency by default:Every event, delivery, and attempt is stored in your own database and region, so residency requirements are met without extra work.
Metrics in your cluster:Scrape Prometheus metrics for latency and queue depth from inside your own monitoring stack.
Learn more
Traces to your backends:Export OpenTelemetry traces to the observability tools you already operate.
Air-gap friendly:Run with no outbound internet access, with nothing ever shipped to a third party.
Frequently asked questions
Can I deliver webhooks without exposing a public endpoint?
Yes. Convoy is self-hostable, so you can run the gateway entirely inside your own VPC, private subnet, or on-premise network. Events are ingested and delivered within your perimeter, and nothing has to traverse the public internet or leave your environment.
Does Convoy support static egress IPs for firewall allowlisting?
Convoy delivers webhooks from designated, predictable IP addresses, so downstream teams can allowlist a fixed set of IPs in their firewalls. This makes delivery into locked-down and private networks straightforward and auditable.
How does Convoy prevent SSRF and requests to internal services?
Convoy supports IP blacklisting to block delivery to internal or reserved address ranges, eliminating server-side request forgery (SSRF) risks when endpoints are user-supplied. Combined with static IPs and SSL enforcement, delivery stays constrained to trusted destinations.
Can Convoy run in an air-gapped or restricted environment?
Yes. Convoy has a single external dependency, PostgreSQL, and no reliance on third-party SaaS to operate. That makes it well-suited to air-gapped, regulated, and restricted networks where outbound connectivity is limited.
How is webhook data kept secure in transit?
Convoy can enforce SSL/TLS in production so payloads are always encrypted in transit. Every request is signed with HMAC so consumers can verify authenticity, and replay-attack prevention ensures each delivery is unique and time-bound.
Does my event data stay within my own infrastructure?
With a self-hosted deployment, your events, deliveries, and delivery attempts are stored in your own PostgreSQL database inside your environment. For managed deployments, Convoy Cloud offers EU and US regions to support data residency requirements.
What sources can Convoy ingest events from inside my network?
Convoy ingests from Amazon SQS, Apache Kafka, Google Pub/Sub, RabbitMQ, and HTTP, and can connect directly to a change data capture (CDC) pipeline. You can reshape payloads with JavaScript transformations before fan-out.
Bring webhooks inside your perimeter
Self-host Convoy in minutes, or talk to us about your security, compliance, and deployment requirements.