Need Guidance about Forge App

Forge
1

I’m working on a Jira Forge app and have hit a Forge platform limitation related to security and networking.
Product / Category selections
Product: Atlassian Cloud
Area: Apps → App development
App type: Forge
Issue type: Platform limitation / Technical question
Ticket Title: Forge app cannot access private internal microservice without public exposure
Ticket Description-
We are developing a Forge Custom UI app for Jira Cloud that needs to integrate with an internal enterprise microservice.

The microservice:

  • Runs inside a private corporate network
  • Uses internal DNS
  • Is HTTPS
  • Must not be exposed publicly due to security and compliance requirements

--------------------------------------------------

What we observed:

- Forge Custom UI (browser) requests are blocked by CSP (connect-src)

  • Adding CORS headers does not help (the request never reaches the service)
  • The browser origin resolves to an Atlassian CDN domain (*.cdn.prod.atlassian-dev.net)
  • Forge backend resolvers can only fetch public HTTPS endpoints on port 443
  • Private/internal DNS hostnames are not reachable from Forge backend resolvers

This effectively requires public exposure of internal services, which is not acceptable for our environment.

--------------------------------------------------

Question for the Forge platform team:

Is there any supported way for a Forge app (UI or backend) to securely access:

- Internal/private services

  • Non-public DNS hostnames
  • Corporate network endpoints

without exposing those services to the public internet?

If not currently supported:

  • Is this a known limitation or on the Forge roadmap?
  • Are there enterprise options (private networking, VPC peering, outbound allow-listing)?
  • Is there a recommended Atlassian platform alternative for this use case?

--------------------------------------------------

Environment:

- Platform: Forge

  • App type: Custom UI with backend resolver
  • Product: Jira Cloud
  • Deployment: Production
  • Backend service: Spring Boot microservice (private network)

--------------------------------------------------

Expected outcome:

We are looking for official guidance or confirmation from Atlassian on whether Forge supports private/internal service integration without public exposure.

1 Like
2

Hi @BajjuriSushmitha – I understand you’re seeking an official response from Atlassian. With that in mind, I suggest you submit a ticket to Atlassian’s Developer Support Desk: https://developer.atlassian.com/support.

This forum is not monitored by Atlassian Support and is only loosely monitored by other Atlassians, and so there is no guarantee that you will receive an official response to your query here. (Though it is possible you might.)

Good luck!

3

Hi @BajjuriSushmitha

One practical workaround is to rely on the user’s browser context instead of trying to reach private services from the Forge backend.

Using Custom UI, you can navigate the user’s browser to an internal endpoint:

import { router } from "@forge/bridge";

await router.navigate(internalUrl);

Because this is browser navigation, DNS resolution happens inside the user’s corporate network. This works with private DNS, internal hostnames, and even localhost, without hitting Forge CSP or backend egress restrictions.

This doesn’t change the fact that Forge cannot directly access private networks. However, if you think in terms of inbound communication, this is likely the only supported way today to integrate Forge with corporate network endpoints without exposing them publicly.

Reference: