How are app tunnels different from opening the firewall?

Opening your firewall would require allowlisting a range of IP addresses that are used by Atlassian Cloud products. That’s still supported and was the only way to integrate your self-managed and Cloud products before we created the app tunnels.

When you use app tunnels, you don’t have to open your network for any incoming connections, because the tunnel client (the Marketplace app installed in your self-managed instance) establishes a permanent secure websocket connection with the Atlassian Cloud infrastructure.

Additionally, every tunnel has a security key with UUID. They can only be accessed by Atlassian’s internal systems that know this UUID. Tunneling is a common topology used by many organizations to provide controlled access to internal systems, and we’re also using our implementation of it.