38 regions. One anycast IP.
Every tunnel surfaces on the same global anycast IP — your users get to the closest PoP via BGP, and you get sub-50ms latency for 95% of internet users without writing a single line of GeoDNS.
One IP your customers can allowlist forever.
Every PoP advertises the same /24 over BGP. Internet routing finds the closest one for each user, automatically. When a region degrades, traffic shifts within four seconds — without DNS TTL games or dropped sessions.
- ✓ Single CIDR: Customers' firewalls allowlist one block, never an evolving GeoDNS list.
- ✓ Sub-second failover: BGP convergence in <2s; clients reconnect to a live PoP automatically.
- ✓ No GeoDNS: Routing happens in the network layer, not in resolvers — no stale DNS caches.
Direct interconnects with the carriers your users use.
We peer privately with Tier-1 transit and major eyeball networks at every PoP. That cuts hops, slashes jitter, and means you don't pay for transit for traffic that should never have left the local exchange.
- ✓ 1,400+ peers: Including AS13335, AS15169, AS32934, AS8075, AS16509.
- ✓ Public IX presence: DE-CIX, AMS-IX, LINX, JPNAP, MEGA-IX.
- ✓ Submarine-cable diversity: Every region has ≥2 disjoint upstreams.
From git push to every PoP — measured in seconds.
No regional config drift. No race conditions. No 'in-progress' state.
# Round-robin push to each region
for r in fra1 iad1 sin1 nrt1 ...; do
  scp config.yaml gw-$r:/etc/proxy/
  ssh gw-$r "systemctl reload proxy"
  sleep 30 # wait for health
  curl https://$r.api/healthz \
    || abort "drift in $r"
done
# Hope nobody pushed in the meantime.

$ tgate policy apply policy.tg
✓ Compiled · 47 routes · 0 warnings
✓ Validated against staging traffic
✓ Rolled out to 38/38 PoPs in 2.4s
✓ Verified by synthetic checks
Rollback available: tgate policy rollback
The whole stack lives at the PoP.
TLS, auth, policy, cache, traces, DDoS — terminated and decided where the user is, not where your origin is.
DDoS absorption
12 Tbps L3/4 budget, L7 throttling per route, automatic.
Always-on
TLS termination
TLS 1.3, ECH, post-quantum (Kyber) preview.
TLS 1.3 · ECH
Edge cache
Per-PoP NVMe cache with stale-while-revalidate.
edge-max-age
Anycast IP
One IPv4 + one IPv6 prefix announced everywhere.
/24 + /48
Geo intelligence
MaxMind data refreshed weekly at every PoP.
by country / asn
Synthetic monitoring
Continuous probes from every PoP, baked in.
tgate synth
Live status, public + customer-private.
Every region publishes per-second health signals. Subscribe via webhook, scrape via Prometheus, or watch the public status page that your customers can subscribe to.
- ✓ Per-region SLOs: Track p50/p99 latency, error budget, and saturation per PoP.
- ✓ Public status page: RSS, email, Slack, webhook — your users opt in.
- ✓ Audit-ready incident log: Every regional incident, root cause, and remediation in one timeline.
We expanded into APAC overnight. No new contracts. No new IPs. No customer firewall changes. Just tgate policy apply and our latency in Tokyo dropped from 280ms to 22ms.
Go global. Same IP. Same config. New continent.
Ship from Berlin, serve São Paulo. Without rebuilding your infra.