--- title: 'Private Location Monitoring' description: 'Monitor internal services behind your firewall. Docker container, outbound HTTPS only, at half the hosted run rate. Available on every paid plan.' canonical_url: 'https://yorkermonitoring.com/features/private-locations' --- # Monitor what's behind your firewall ## At half the price of hosted runs Deploy the Yorker runner as a Docker container on your infrastructure. Monitor internal services, staging environments, and VPN-only APIs. You provide the compute; we provide the platform, so private runs cost half the hosted rate. ```bash # 1. Deploy the runner container $ docker run -d \ --name yorker-runner \ -e YORKER_RUNNER_KEY=rk_live_... \ -e LOCATION_NAME=us-internal \ registry.yorkermonitoring.com/yorker-runner-heavy:latest # 2. Reference in your config monitors: - name: Internal API type: http url: https://api.internal.example.com/health locations: [us-internal] frequency: 1m ``` [Start Free](/sign-up) or [Read Docs](/docs). ## How it works ### 01. Deploy Docker container Pull the Yorker runner image and deploy it on your infrastructure: bare metal, VM, or Kubernetes. Pass your runner key and location name. ### 02. Container polls for checks Outbound HTTPS only. The container polls the Yorker control plane for assigned checks: nothing inbound, no firewall holes required. ### 03. Checks execute locally HTTP and browser checks run inside your network, with access to internal endpoints, VPN-only APIs, and staging environments. ### 04. Results flow to Yorker + your OTel backend Results, OTel insight packs, and screenshots flow through the Yorker platform for storage, alerting, SLO tracking, and OTLP forwarding to your backend. ## No firewall holes required Outbound HTTPS only. The runner container polls the Yorker control plane for assigned checks; nothing inbound reaches your infrastructure. Deploy behind the strictest firewall policies without opening any ports. - Outbound HTTPS only, no inbound connections - Works behind corporate firewalls and VPNs - Monitor internal services and staging environments - Monitor VPN-only APIs and private databases - Up to 2 private locations on the paid plan, unlimited on Enterprise ### Network architecture **Your infrastructure** Yorker runner container; internal services. (outbound HTTPS only) **Yorker control plane** Check assignments; result storage; OTLP forwarding. (OTLP forwarding) **Your OTel backend** ClickStack; Grafana; Datadog; any OTLP endpoint. ## Same intelligence layer Private location checks emit the same OTel insight packs as hosted runs: anomaly scores, third-party attribution, screenshot URLs, and W3C traceparent. Not a stripped-down runner. The same runner image runs both hosted and private checks. There's no "private runner lite": you get the full intelligence layer behind your firewall. | Capability | What you get | | --- | --- | | Anomaly detection | Same baselines | | Dependency attribution | Full third-party analysis | | Filmstrip screenshots | Stored via Yorker | | W3C traceparent | Full propagation | | TLS inspection | Certificate intelligence | | Cross-monitor correlation | Across all locations | ## Honest pricing, honest reason You provide the execution compute. We provide result storage, alerting, SLO tracking, anomaly detection, and OTLP forwarding. Private runs cost half the hosted rate: the honest cost split, not a promotional rate or a temporary discount. Up to 2 private locations on the paid plan, unlimited on Enterprise. Add one per environment, one per region, or one per internal network segment. Private locations themselves are available on every paid plan, not gated to a higher tier. **Half the hosted run rate.** You provide compute. We provide platform. The split is fair. ### What you provide vs what we provide **You provide** - Execution compute (Docker/VM/K8s) - Network access to internal services **We provide** - Result storage and retention - Alerting and notification routing - SLO tracking and burn rate alerts - Anomaly detection and baselines - OTLP forwarding to your backend - Full web UI and API access - Screenshot storage and retention ## Unlike enterprise-gated private runners - Checkly and Datadog gate private locations behind enterprise plans. Yorker includes them on every paid plan, because there's no reason to charge extra for you bringing your own compute. - The same runner image runs both hosted and private checks. There's no reduced-capability private runner: you get the full intelligence layer, including anomaly detection and third-party attribution as OTel span attributes, behind your firewall. - Private runs cost half the hosted rate: not a promotion, but the honest cost split. You provide the compute; we provide the platform. The split is permanent. ## Related features - **[Monitoring as Code](/features/monitoring-as-code):** Deploy private location runners from YAML config alongside your monitors. - **[OpenTelemetry](/features/opentelemetry):** The same OTel intelligence layer running behind your firewall. - **[API Monitoring](/features/api-monitoring):** Unlimited HTTP checks on private locations at half the hosted rate. ## Frequently asked questions ### How do I deploy a private location? Pull the Yorker runner image and deploy it as a Docker container on your infrastructure: bare metal, VM, or Kubernetes. Pass your runner key and a location name, then reference that location name in your monitor config. The container starts polling the Yorker control plane for assigned checks. ### Do I need to open any inbound ports or firewall holes? No. The connection is outbound HTTPS only. The runner container polls the Yorker control plane for its assigned checks; nothing inbound reaches your infrastructure. You can deploy behind the strictest firewall policies without opening any ports, which is why private locations work behind corporate firewalls and VPNs. ### What can I monitor with a private location? HTTP and browser checks run inside your network, so you can monitor internal services, staging environments, VPN-only APIs, and private databases. Anything reachable from where the container runs. ### Where do results go? Checks execute locally inside your network, then results, OTel insight packs, and screenshots flow through the Yorker platform for storage, alerting, SLO tracking, and OTLP forwarding to your backend (ClickStack, Grafana, Datadog, or any OTLP endpoint). Private location checks emit raw OTLP signals from inside your network to your configured backend, and the full check result also posts to Yorker so that enrichment, storage, and alerting can run. ### Is the private runner a reduced-capability version? No. The same runner image runs both hosted and private checks. There's no "private runner lite." Private location checks emit the same OTel insight packs as hosted runs: anomaly scores, third-party attribution, screenshot URLs, and W3C traceparent. You get the full intelligence layer behind your firewall. ### How much do private locations cost? Private runs cost half the hosted run rate. You provide the execution compute; Yorker provides result storage, alerting, SLO tracking, anomaly detection, and OTLP forwarding. That half rate is the honest cost split, not a promotional rate or a temporary discount, and it is permanent. ### How many private locations can I have, and which plan are they on? Up to 2 private locations on the paid plan, and unlimited on Enterprise. Add one per environment, one per region, or one per internal network segment. Private locations are available on every paid plan, not gated to a higher tier. ## Put your first check live in one command Free tier includes 10,000 HTTP + MCP checks and 1,500 browser checks per month. No credit card required. ``` npx @yorker/cli init ``` [Start Free](/sign-up) or [Read Docs](/docs).