Skip to main content
| The CodeRabbit Reverse Tunnel is a private-network connectivity option for Enterprise customers who cannot expose their Git platform to the public internet. A CodeRabbit-provided Connector runs inside your network, dials out to CodeRabbit over WebSocket Secure (WSS), and carries CodeRabbit-initiated API and HTTPS Git traffic through that existing outbound session.

Intended use

The CodeRabbit Reverse Tunnel is intended for Enterprise customers with the constraints defined below:
  • Your GitHub Enterprise Server or self-managed GitLab instance runs in a private subnet, private cloud account, or on-premises network.
  • Your Git platform cannot receive inbound connections from CodeRabbit or the public internet.
  • Your security policy does not allow inbound firewall exceptions, vendor IP allowlisting on the Git platform side, or external PrivateLink peering.
Use this option when CodeRabbit must review pull requests on a Git instance that has no public endpoint, no inbound firewall exceptions, no vendor IP allowlisting, and no PrivateLink or peering path.
For instances that CodeRabbit can already reach directly, use the standard GitHub Enterprise Server guide or self-managed GitLab guide. At the moment there is no self-service interface, reverse tunnel setup is handled by CodeRabbit Sales or Support.

Components

The CodeRabbit Reverse Tunnel has four components:
  1. Reverse Tunnel Gateway โ€” A CodeRabbit-managed edge service that accepts Connector sessions and exposes tenant-scoped HTTPS routes for CodeRabbit services to call into.
  2. Reverse Tunnel Connector โ€” A lightweight, CodeRabbit-provided container that runs inside your network and establishes a long-lived outbound connection (WSS over HTTPS) to the Reverse Tunnel Gateway. CodeRabbit then sends runtime requests โ€” clone, read pull requests, post review comments โ€” over this pre-established tunnel. The Connector dials out from your network; no inbound ports are opened.
  3. Route key โ€” A unique, opaque routing identifier issued by CodeRabbit for your tenant. CodeRabbit uses the route key to direct runtime traffic to the correct Connector session, so your private Git platform address is never exposed in the URL path.
  4. Connector token โ€” A bearer token issued by CodeRabbit for your tenant. Multiple Connector replicas can share the same token.

Architecture

CodeRabbit Reverse Tunnel architecture showing the inbound path from CodeRabbit into a private Git platform through the Reverse Tunnel Gateway and Connector, and the outbound webhook path from the Git platform through the customer NAT gateway to the CodeRabbit webhook receiver

CodeRabbit Reverse Tunnel architecture

The CodeRabbit Reverse Tunnel uses two connectivity paths between the customer network and the CodeRabbit cloud. Direction is described from the customerโ€™s perspective: The tunnel carries only CodeRabbit-initiated inbound traffic. Outbound webhooks continue to flow through your existing customer NAT and use the webhook secret or token configured for that platform.

PR review flow through the Tunnel

End-to-end view of how a single pull request moves through the CodeRabbit Reverse Tunnel. None of the network mechanics are visible to the developer โ€” from their point of view, CodeRabbit simply reviews their change.
Sequence diagram showing a developer opening a pull request on a private Git platform, the Git platform sending a webhook outbound through the customer NAT to the CodeRabbit webhook receiver, CodeRabbit reading the change back through the Reverse Tunnel Gateway and Connector, and review comments being posted back the same way

Pull request review flow over the CodeRabbit Reverse Tunnel

  • Developer opens a pull request inside your private Git platform.
  • Your Git platform sends a webhook to CodeRabbit outbound through your customer NAT.
  • CodeRabbit reads the pull request through the tunnel. The Reverse Tunnel Gateway routes the request over the existing WSS session; the Reverse Tunnel Connector forwards it to your Git platform and streams the response back.
  • CodeRabbit runs the review and writes the feedback.
  • CodeRabbit posts the comments back through the same tunnel, and the review appears on the pull request.

High availability

Run at least two connector replicas for production. All replicas for the same tenant normally share the same gateway URL, connector token, route key, target base URL, and origin TLS policy. By default, the gateway tracks the live connector sessions for the route and uses an active session for each new request. Round-robin routing is also supported with REVERSE_TUNNEL_DIRECT_CONNECTOR_ROUTING=true. Important behavior:
  • New requests can use another live connector after a connector disconnects.
  • In-flight requests are not transparently moved to another connector.
  • The connector reconnects automatically with exponential backoff after a lost WSS session.

Capacity and limitations

The tunnel streams request and response bodies with backpressure, so it supports large HTTPS clone/fetch traffic. Capacity is still bounded by your connector replicas, network egress, and Git platform origin capacity.

FAQ

No. The connector opens an outbound WSS session to CodeRabbit. CodeRabbit-initiated Git platform traffic rides over that existing session.
Yes. Multiple connector replicas can serve the same route key. Default routing uses an active live session for each new request, and round-robin routing is also supported with REVERSE_TUNNEL_DIRECT_CONNECTOR_ROUTING=true. Give each live replica a unique REVERSE_TUNNEL_CONNECTOR_ID.
Yes. The connector needs outbound HTTPS to the CodeRabbit gateway and HTTPS reachability to your Git platform origin. Your Git platform needs outbound HTTPS to the CodeRabbit webhook receiver.
The connector reconnects automatically. In-flight requests fail and are retried only when CodeRabbit can safely retry the operation.
No. The tunnel is scoped to CodeRabbit HTTP(S) and HTTPS Git traffic for the configured Git platform. It is not a general-purpose private-network proxy.

Whatโ€™s next

GitHub Enterprise Server setup

Create the OAuth App, GitHub App, webhook secret, and permissions used by the GHES integration.

Self-managed GitLab setup

Review the standard self-managed GitLab requirements used with reverse-tunnel onboarding.

Platform overview

Review all supported Git platforms and choose the right integration path for your environment.