Skip to main content

Self-Hosted Browser Testing with Azure Relay

Ines avatar
Written by Ines
Updated over 2 weeks ago

Overview

For organizations that cannot expose their QA environments to the public internet due to compliance, security, or legal requirements, Thunders.ai offers a secure solution using self-hosted Browserless Docker instances connected through Azure Relay.

This approach allows you to run automated browser tests against internal applications without opening firewall ports or creating VPN tunnels, while maintaining complete control over your infrastructure and data.

Why Self-Hosting?

Many organizations face restrictions that prevent direct internet access to testing environments:

  • Compliance Requirements Organizations subject to HIPAA, SOC2, GDPR, or similar frameworks may be prohibited from exposing testing environments to the internet.

  • Legal Obligations Companies with legal restrictions on systems containing sensitive data need to keep these systems isolated from public access.

  • Security Policies Enterprises with strict security policies require all external connections to go through approved, audited secure channels.

  • Internal Infrastructure QA environments running on internal networks or on-premises data centers that cannot be made publicly accessible.

  • Data Sovereignty Organizations that must keep all testing data within specific geographic or network boundaries.

How It Works?

The self-hosted architecture uses three key components:

1. Browserless Docker Instance (Your Infrastructure)

A containerized browser automation service that you deploy and manage within your own environment. This instance:

  • Runs inside your network or private cloud

  • Has access to your internal applications

  • Never needs to accept inbound connections from the internet

  • Connects outbound to Azure Relay only

2. Azure Relay (Secure Bridge)

A Microsoft-managed service that creates a secure tunnel between your infrastructure and Thunders.ai:

  • Uses WebSocket over HTTPS (port 443) for all communication

  • Requires no inbound firewall rules or VPN configuration

  • Authenticates all connections using time-limited tokens

  • Provides a managed, highly available connection point

3. Thunders.ai Platform (Cloud)

Our testing platform that orchestrates test execution:

  • Sends browser commands through the relay

  • Receives test results and screenshots

  • Never has direct network access to your environment

Architecture Diagram

Security Model

No Inbound Connections Required

Your Browserless Docker instance only makes outbound connections to Azure Relay on port 443 (standard HTTPS). No firewall rules need to be modified to allow inbound traffic.

Time-Limited Authentication

Every connection uses Shared Access Signature (SAS) tokens that:

  • Expire after 1 hour

  • Are cryptographically signed using HMACSHA256

  • Cannot be reused after expiration

  • Are unique to each connection

Organization Isolation

Each organization's relay configurations are completely isolated:

  • You can only access your own relay configurations

  • Other organizations cannot see or use your relay endpoints

  • All access is validated against your organization ID

Encrypted Communication

All data flows through encrypted WebSocket connections over HTTPS:

  • Browser commands are encrypted in transit

  • Screenshots and test results are encrypted

  • Azure manages the encryption infrastructure

Setup Options

We offer flexible deployment options to match your infrastructure requirements:

Option 1: We Provide Everything

Best for: Organizations new to Azure or wanting turnkey deployment

We will:

  • Create and configure the Azure Relay namespace

  • Provide you with the Browserless Docker configuration

  • Give you deployment instructions for your infrastructure

  • Configure the connection in your Thunders.ai account

You will:

  • Deploy the provided container in your environment

  • Ensure the container can reach Azure Relay (outbound HTTPS)

Option 2: You Provide Azure Relay

Best for: Organizations with existing Azure infrastructure

You will:

  • Create an Azure Relay namespace in your Azure subscription

  • Configure a Hybrid Connection

  • Create a Send access policy and provide credentials

  • Deploy the Browserless Docker in your environment

We will:

  • Configure your Thunders.ai account to use your relay

  • Provide the Browserless Docker configuration

  • Help verify connectivity

Using Self-Hosted Testing

Once configured, using self-hosted Browserless Docker is seamless:

1. Select Your Configuration

In the test runner, open the browser settings and select your relay configuration from the location dropdown. Your relay configurations appear alongside standard cloud locations, identified by a cloud icon and your chosen display name (e.g., "FR Self-Hosted").

2. Run Tests Normally

Execute your tests exactly as you would with cloud-hosted browsers. The platform automatically:

  • Generates a secure connection token

  • Establishes the relay tunnel

  • Routes all commands through your infrastructure

  • Returns results to the cloud interface

3. Multiple Configurations

You can configure multiple relay connections for different purposes:

  • Geographic distribution: Different regions or data centers

  • Environment separation: Dev, staging, and production instances

  • Team isolation: Dedicated configurations per team

  • Redundancy: Backup configurations for high availability

Simply select the appropriate configuration when running tests.

Technical Requirements

Browserless Docker

  • Docker-compatible container runtime

  • Outbound HTTPS connectivity (port 443)

  • Sufficient CPU/memory for browser instances

  • Access to internal applications being tested

Network Requirements

  • Outbound connection to .servicebus.windows.net (port 443)

  • No inbound firewall rules required

  • No VPN configuration needed

Azure Relay (if self-managed)

  • Azure subscription

  • Service Bus namespace with Hybrid Connections enabled

  • Send permission access policy

Benefits Summary

Security Without Compromise Run automated tests while maintaining complete network isolation and control over your infrastructure.

Zero Firewall Changes No inbound ports to open, no VPN to configure. Just one outbound HTTPS connection.

Compliance Ready Keep all testing data within your network boundaries while meeting regulatory requirements.

Flexible Deployment Deploy in your cloud, on-premises, or hybrid environment. Multiple configurations support complex organizational needs.

Transparent Testing Tests run identically whether using cloud or self-hosted browsers. No changes to test scripts required.

Getting Started

To set up self-hosted browser testing:

  1. Contact your account team to discuss your requirements

  2. Choose your deployment option (we provide relay, or you manage it)

  3. Deploy the Browserless docker in your infrastructure

  4. Configure the connection in your Thunders.ai account

  5. Start testing with complete security and control

For technical assistance or questions about architecture, please reach out to our support team.

Did this answer your question?