Manage Bridges

Subscription Information

JFrog Bridge is available to Enterprise+ subscriptions upon request. To enable this feature, contact JFrog Customer Success.

A JFrog Bridge establishes a secure data link between a JPD in the SaaS cloud (the Bridge Server) and a Self-managed JPD (the Bridge Client). You define and manage Bridges in the JFrog Platform interface of these JPDs, or with API requests to the JPDs. The Bridge Server and Bridge Client each expose a different set of management tools.

This topic describes Bridge management using the JFrog Platform user interface and Bridge REST APIs.

To view and manage Bridges:

In the JFrog Platform, go to Administration > Topology > Bridges. Each row of the table represents a Bridge that connects this JPD to another JPD.

Tunnels are the persistent TCP sessions that support Bridge communication.

Nodes: Typically the Bridge service is deployed on nodes/VM instances, depending on JPD environment settings. Click in a row of the table to see the status of each of these nodes.

The Bridge Client service manages nodes and tunnels based on data traffic. By default, each node maintains a minimum of 2 active tunnels. You can tune the thresholds for tunnel creation using Bridge Advanced Parameters.

  • On a SaaS JPD, the Bridge Server tab is active. The JPD is the Server for the Bridges in the table.

    In the Actions column, click ... and select one of the following:

    • Test Connection: The JPD attempts to connect to the Bridge Client.
    • Block/Unblock: The JPD terminates connections to the Bridge Client, and declines new connections. The Bridge is not removed. Unblock to accept new connections.

    To add a JFrog Bridge, click Generate Pairing Token to begin.

  • On a Self-Hosted JPD, the Bridge Client tab is active. The JPD is the Client for the Bridges in the table.

    In the Actions column, click ... and select one of the following:

    • Edit: Modify basic and Advanced Bridge Parameters.
    • Delete: permanently remove the Bridge.
    • Stop: Suspend the connection without removing the Bridge. Active TCP nodes and tunnels are terminated.
    • Restart: Restart the bridge connection. Active TCP nodes and tunnels are terminated, and new sessions are established after restart.

Click on a row to view additional status and performance information for each TCP tunnel of the Bridge. For example, if a Bridge has the status Offline, click it to view troubleshooting information.

Block/Unblock and Stop/Restart are independent actions

When you Block a bridge at the Bridge Server, the Bridge Client is not aware of the action. Similarly, when you Stop a bridge at the Bridge Client, the Bridge Server is not aware of the action. When you click on a Bridge that is offline, the troubleshooting information reflects the status observed by the Server or Client JPD you are in.

Bridge Service Logs

The Bridge service maintains the following standard JFrog service logs.

  • bridge-server-service.log: overall Bridge service status and availability of tunnel handler.
  • bridge-server-request.log: new requests trying to enter a TCP tunnel.
  • bridge-client-service.log: TCP connectivity, handshakes, and tunnel stability.
  • bridge-client-request.log: traffic payloads exiting the tunnel. Does not log the specific content of SaaS requests.

Communication enters the Bridge through the Bridge server's internal router port 8046 and appears in logs as http://localhost:8046/.

APIs for Bridge Management

The API includes several endpoints that report the Bridge's operational status and return diagnostic data. Most of these endpoints must be authenticated with an Admin token. The Bridge Client service that you install on the Self-managed site (https://{Self_Managed_BaseURL}/bridge-client/api/) exposes different diagnostic API endpoints than the Bridge Server on the SaaS site (https://{ServerName}.jfrog.io/bridge-server/api/), which is managed by JFrog.

The following diagnostic endpoints are available:

  • /bridges/debug returns an operational snapshot of bridge processes on the JPD site, and confirms Bridge availability. You can include it in regular CI health checks to assert tunnel health before your release pipeline runs.
  • /bridge-client/api/v1/metrics returns metrics in Prometheus format.
  • /bridge-client/api/v1/system/support/bundle returns a support bundle with diagnostic information from all microservices in the topology.
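
The following is an added example, not JFrog code, of a CI gate of the kind described above. It parses the Prometheus-format output of /bridge-client/api/v1/metrics and fails when any node reports fewer than the default minimum of 2 active tunnels. The metric name `bridge_client_active_tunnels`, its `node` label and the `Bearer` authorization scheme are assumptions, and the sample text is constructed; substitute the names that your own metrics output shows.

```python
import re
import urllib.request

METRICS_PATH = "/bridge-client/api/v1/metrics"   # endpoint path from this page
# HYPOTHETICAL metric and label names: take the real ones from your own output.
TUNNEL_METRIC, NODE_LABEL = "bridge_client_active_tunnels", "node"
MIN_TUNNELS = 2                                  # per-node default stated on this page

SAMPLE_LINE = re.compile(r'^([A-Za-z_:][\w:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+-?\d+)?$')
LABEL_PAIR = re.compile(r'([A-Za-z_]\w*)="((?:[^"\\]|\\.)*)"')

# Constructed sample of Prometheus text exposition output (not real Bridge output).
SAMPLE = '''\
# HELP bridge_client_active_tunnels Active tunnels per node (constructed)
# TYPE bridge_client_active_tunnels gauge
bridge_client_active_tunnels{node="node-a"} 2
bridge_client_active_tunnels{node="node-b"} 1
process_open_fds 41
'''

def fetch_metrics(base_url, admin_token, timeout=10):
    """GET the metrics text; HTTPS only so the Admin token never travels in clear."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send an Admin token over a non-HTTPS URL")
    req = urllib.request.Request(base_url.rstrip("/") + METRICS_PATH,
                                 headers={"Authorization": "Bearer " + admin_token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def tunnels_per_node(text):
    """Parse the exposition text and return {node: active tunnel count}."""
    counts = {}
    for line in map(str.strip, text.splitlines()):
        m = None if line.startswith("#") else SAMPLE_LINE.match(line)
        if m and m.group(1) == TUNNEL_METRIC:
            labels = dict(LABEL_PAIR.findall(m.group(2) or ""))
            counts[labels.get(NODE_LABEL, "<unlabelled>")] = float(m.group(3))
    return counts

def check(text, minimum=MIN_TUNNELS):
    """Return failure messages; an empty list means the gate passes."""
    counts = tunnels_per_node(text)
    if not counts:  # fail closed: no data is not the same as healthy
        return [f"{TUNNEL_METRIC} not found: cannot confirm tunnel health"]
    return [f"{node}: {n:g} active tunnel(s), expected >= {minimum}"
            for node, n in sorted(counts.items()) if not n >= minimum]

if __name__ == "__main__":
    failures = check(SAMPLE)  # in CI: check(fetch_metrics(url, token))
    print("\n".join(failures) or "bridge tunnels healthy")
    raise SystemExit(1 if failures else 0)
```

Supply the Admin token from the CI secret store rather than from the pipeline definition, and scope and rotate it as you would any other admin credential.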

Troubleshooting the Bridge

To determine whether a communications issue is related to the Bridge, remember: the Bridge is only used for communication from the SaaS site to the Self-managed site. You can therefore rule out the Bridge when troubleshooting communication failures that originate with the Self-managed site.

Use the following basic checks to assess Bridge communication:

  1. On the Self-managed site:

    • Whitelist outbound traffic via port 443 to the SaaS site URL if this was not done before installation. No inbound permissions are required.
    • Check for changes that impact firewall permissions, such as CA certificate rotation/update.
    • Verify that internal network proxies are not intercepting the HTTP Upgrade request that the Bridge uses to establish the TCP tunnel.

    On the SaaS site, check for changes to firewall permissions, or changes to Bridge site DNS definitions.
  2. Log in to the Bridge Client and Bridge Server JPDs, and check the user interfaces. The status reported in the JFrog Platform UI is typically refreshed every 10-15 seconds. Wait for this period before confirming any configuration changes you make.

  3. Query the /debug API to confirm the client-server handshake.

  4. Tail Bridge service logs:

    • bridge-client-service.log indicates that TCP tunnel(s) are up.
    • bridge-client-request.log indicates that requests are arriving. In addition, check the service log of the target service (typically <Service>-request.log) to verify final delivery of data.