Discoverability in Identity-Aware Proxy Done Right

It can’t see who’s knocking until it’s too late. Identity-Aware Proxy (IAP) changes that. It puts a checkpoint in front of every request, verifying identity before a single packet touches your service. But discoverability—making private services reachable without making them vulnerable—is the hard part.

Most teams think "expose or hide" is the choice. It’s not. With the right design, you can make internal endpoints discoverable only to those who should see them, and invisible to everyone else. This is discoverability in Identity-Aware Proxy done right: a private universe with a map only for the right people.

An Identity-Aware Proxy with discoverability built in does three key things:

  1. Identity-first access control – Every connection starts with identity, not IP, not VPN, not guesswork. The proxy challenges the user or service immediately.
  2. Selective exposure – Services register with the proxy but remain hidden to anyone who does not have the right credentials. They don’t exist from the perspective of unauthorized scans or crawlers.
  3. Granular policy at the edge – The logic isn’t buried deep inside your stack; it lives at the perimeter where it is hardest to bypass.

Without discoverability, IAP becomes frustrating—users can’t find internal tools or APIs unless they already know the URLs. Without IAP, discoverability becomes dangerous—every endpoint is a point of attack. Together, discoverability and identity-aware access make access seamless for the right people and impossible for the wrong ones.

The architecture is straightforward. Your proxy stands as the single ingress point. Services register with it. Users authenticate through it. Policies decide visibility before connections are made. From there, scaling is trivial because every new service inherits the same zero-trust perimeter and discoverability rules.
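The register, authenticate, then decide-visibility flow described above, as an added sketch that is not hoop.dev's code or API. The class and method names, the group-based policy, the session-token lookup (a stand-in for real token verification) and the sample services and addresses are all assumptions constructed for illustration. It shows the property selective exposure depends on: a service the caller may not see gets exactly the same response as one that does not exist, while the audit trail keeps the real reason internally.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    subject: str
    groups: frozenset

CHALLENGE = (401, "authenticate")  # identical for every name, registered or not
NOT_FOUND = (404, "not found")     # identical for unknown and forbidden services

class DiscoveryProxy:
    def __init__(self, sessions):
        # sessions: token -> Identity (assumed stand-in for verifying a signed token)
        self._sessions = sessions
        self._services = {}        # name -> (upstream, allowed groups)
        self.audit = []            # internal record, never returned to callers

    def register(self, name, upstream, allowed_groups):
        self._services[name] = (upstream, frozenset(allowed_groups))

    def _visible(self, ident, name):
        entry = self._services.get(name)
        return entry is not None and bool(ident.groups & entry[1])

    def catalog(self, token):
        # The "map": only the services this identity is allowed to reach.
        ident = self._sessions.get(token)
        if ident is None:
            return []
        return sorted(n for n in self._services if self._visible(ident, n))

    def route(self, token, name):
        ident = self._sessions.get(token)
        if ident is None:          # identity is checked before any service lookup
            self.audit.append(("anonymous", name, "challenged"))
            return CHALLENGE
        if not self._visible(ident, name):
            reason = "denied" if name in self._services else "unknown"
            self.audit.append((ident.subject, name, reason))
            return NOT_FOUND       # the caller cannot tell "denied" from "unknown"
        self.audit.append((ident.subject, name, "allowed"))
        return (200, self._services[name][0])

def demo():
    # Constructed sample identities and services.
    sessions = {"tok-alice": Identity("alice", frozenset({"data-eng"})),
                "tok-bob": Identity("bob", frozenset({"support"}))}
    proxy = DiscoveryProxy(sessions)
    proxy.register("billing-db", "10.0.0.5:5432", {"data-eng"})
    proxy.register("wiki", "10.0.0.9:8080", {"data-eng", "support"})
    return proxy
```

Returning 403 for the denied case would confirm to the caller that the service exists, which is the leak this pattern avoids.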

Security teams gain audit trails without complex integrations. Engineering gains self-service onboarding for apps. Compliance gets enforced at the boundary. And your attack surface shrinks to one hardened gate instead of hundreds of scattered doors.

The shift is not just about reducing risk—it’s about building a pattern where private services are easy to find if and only if you are allowed to find them. That’s the win state for modern internal access.

You can see discoverability and Identity-Aware Proxy working together in minutes. Hoop.dev makes it live fast—so you can stop hiding what should be reachable and stop exposing what shouldn’t.
