App Endpoints (also referred to as Endpoints) let you expose your Apps on Aptible to clients over the public internet or your Stack’s internal network.

An App Endpoint is always associated with a given Service: traffic received by the App Endpoint will be load-balanced across all the Containers for the service, which allows for highly available and horizontally scalable architectures.

📘 When provisioning a new App Endpoint, make sure the Service is scaled to at least one container. Attempts to create an endpoint on a Service scaled to zero will fail.

Types of App Endpoints

The Endpoint type determines the type of traffic the Endpoint accepts (and on which ports it does so) and how that traffic is passed on to your App Containers. Aptible supports three types of App Endpoints:

  • HTTP(S) Endpoints accept HTTP and HTTPS traffic and forward plain HTTP traffic to your containers. They handle HTTPS termination for you.
  • TLS Endpoints accept TLS traffic and forward it as TCP to your containers. Here again, TLS termination is handled by the Endpoint.
  • TCP Endpoints accept TCP traffic and forward TCP traffic to your containers.

Endpoint Placement

App Endpoints can be exposed to the public internet, called External Placement, or exposed only to other Apps deployed in the same Stack, called Internal Placement.

Regardless of placement, IP Filtering allows users to limit which clients are allowed to connect to Endpoints.

❗️ Do not use internal endpoints as an exclusive security measure. Always authenticate requests to Apps, even Apps that are only exposed over internal Endpoints.

📘 Review Using Nginx with Aptible Endpoints for details on using Nginx as a reverse proxy to route traffic to Internal Endpoints.

Domain Name

App Endpoints let you bring your own Custom Domain.

If you don’t have or don’t want to use a Custom Domain, you can use an Aptible-provided Default Domain.

SSL / TLS Certificates

HTTP(S) Endpoints and TLS Endpoints perform TLS termination for you, so if you are using either of those, Aptible will need a certificate valid for the hostname you plan to access the Endpoint from.

There are two cases here:

  • If you are using a Default Domain, Aptible controls the hostname and will provide an SSL/TLS Certificate as well.
  • However, if you are using a Custom Domain, you will need to provide Aptible with a Custom Certificate, or enable Managed TLS and let Aptible provision the certificate for you.


App Endpoints enforce idle timeouts on traffic, so clients will be disconnected after a configurable inactivity timeout.

By default, the inactivity timeout is 60 seconds. You can set the IDLE_TIMEOUT Configuration variable on Apps to a value in seconds in order to use a different timeout. The timeout can be set to any value from 30 to 2400 seconds.

For example:

aptible config: set--app "$APP_HANDLE" IDLE_TIMEOUT = 1200

Inbound IP Addresses

App Endpoints use dynamic IP addresses, so no static IP addresses are available.

🧠 Each Endpoint uses an AWS Elastic Load Balancer, which uses dynamic IP addresses to seamlessly scale based on request growth and provides seamless maintenance (of the ALB itself by AWS). As such, AWS may change the set of IP addresses at any time.