Cursor Enterprise: Private Connectivity
Cursor Enterprise supports private network connectivity so Cursor can work with systems that are not reachable from the public internet, including self-hosted GitHub Enterprise Server, GitLab Enterprise and private source control APIs. Two paths are supported: AWS PrivateLink and Cloudflare Tunnel. To set it up, contact hi@cursor.com or your Cursor sales representative.
What private connectivity options does Cursor Enterprise support?
Cursor supports private connectivity for Enterprise teams whose Git provider is not reachable from the public internet. The same setup is reused across Cursor services that need source control access, including Cloud Agents, Bugbot (Cursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs) and Cursor backend services. Two options are supported today.
| Option | Best for | Cloud provider |
|---|---|---|
| AWS PrivateLink (an AWS feature that keeps traffic to a service on your private network instead of the public internet) | Private connectivity between Cursor and your Git provider, including webhook traffic back to Cursor | AWS |
| Cloudflare Tunnel | Cursor accessing a private origin when AWS PrivateLink is not practical | Any environment that can run `cloudflared` |
Both options are listed as Supported in the Cursor docs.
Use AWS PrivateLink when your private Git provider is in AWS or can sit behind an AWS Network Load Balancer; this is the preferred path for self-hosted GitHub Enterprise Server and GitLab Enterprise. Use Cloudflare Tunnel when you cannot publish an AWS endpoint service or you need a model that only requires an outbound tunnel from your network.
What do we need before setting up private connectivity?
- A Cursor Enterprise workspace.
- A self-hosted GitHub Enterprise Server or GitLab Enterprise instance reachable over HTTPS on port 443.
- A publicly trusted TLS certificate for the Git hostname, plus DNS ownership for that hostname.
- AWS permissions to create endpoint services or interface VPC endpoints, if using AWS PrivateLink.
- Permission to run `cloudflared`, if using Cloudflare Tunnel.
Cursor does not support self-signed certificates, unencrypted connections, SSH, custom ports or IPv6-only endpoint services for these paths. If a proxy sits in front of GitHub Enterprise Server, it must allow Cursor's GitHub App integration to use authenticated GitHub REST and GraphQL APIs.
How does AWS PrivateLink connect Cursor to a private Git provider?
AWS PrivateLink supports private traffic in either direction between Cursor and your Git provider. You may need one direction or both, depending on your network policy.
- Cursor to Git provider: Cursor clones repositories and calls Git APIs on your private GitHub Enterprise Server or GitLab Enterprise host.
- Git provider to api2.cursor.sh: Your host sends webhooks or callbacks to Cursor over a PrivateLink endpoint without public internet egress.

For the Cursor to Git provider direction:
1. Create a Network Load Balancer in front of your Git provider's HTTPS endpoint and publish it as an AWS VPC endpoint service.
2. Send Cursor the endpoint service name, AWS region, Git hostname, whether AWS-managed private DNS is enabled and whether the load balancer preserves client IPs or your backend filters source IPs.
3. Add the exact AWS principal Cursor provides to your endpoint service allowed principals; if it is missing or does not match, AWS returns `InvalidServiceName`.
4. Accept the endpoint connection in your AWS account if your endpoint service requires manual acceptance.
5. Configure DNS so the Git hostname matches the TLS certificate and resolves to the endpoint.

If your endpoint service is outside us-east-1, enable cross-region access. If your load balancer preserves client IPs or your backend filters source IPs, allow Cursor's PrivateLink subnet CIDRs 10.2.8.0/21, 10.2.24.0/21 and 10.2.40.0/21.
For the return direction, Cursor publishes an AWS PrivateLink endpoint service for api2.cursor.sh. You create an interface VPC endpoint in your AWS account and enable private DNS so api2.cursor.sh resolves to private endpoint IPs from your Git provider network. AWS-managed private DNS (`private_dns_enabled = true`) is the recommended mode; a customer-managed private hosted zone is available if you want to own the DNS record.
| Field | Value |
|---|---|
| Service name | com.amazonaws.vpce.us-east-1.vpce-svc-054b15427d4bea2b7 |
| Home region | us-east-1 |
| Supported consumer regions | us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-1, ap-southeast-2 |
| IP address types | IPv4 only |
| Private DNS name | api2.cursor.sh |
Endpoint service details for the api2.cursor.sh webhook path, per Cursor docs.
When should we use Cloudflare Tunnel instead?
Use Cloudflare Tunnel when AWS PrivateLink is not a fit. Cursor creates the tunnel and shares a public hostname under Cursor-controlled DNS, a tunnel token through a secure 1Password share and a sample `cloudflared` configuration. Your network runs `cloudflared` and opens outbound connections to Cloudflare, so no inbound firewall rule is required.

```yaml
ingress:
  - hostname: <cursor-provided-hostname>
    service: https://<your-internal-service>:443
  - service: http_status:404
```

Do not send the tunnel token through email or chat. Cursor shares it through a secure 1Password share for this reason.
How do we confirm the private webhook path works?
After private networking is configured, complete the source control setup in Cursor using the GitHub or GitLab integration steps, and use the same hostname covered by your TLS certificate and private DNS. If your Git provider sends webhooks to Cursor through the api2.cursor.sh PrivateLink path, verify resolution and reachability from the same network path the Git provider uses.

```bash
getent hosts api2.cursor.sh
# or, if dig is available
dig +short api2.cursor.sh
curl -sS https://api2.cursor.sh/
```

- Every resolved IP should be inside your consumer VPC CIDR. Public IPs such as `3.x.x.x` or `44.x.x.x` mean private DNS is not in effect.
- The `curl` request should return HTTP `200` with a body that starts with `Welcome to Cursor.`, which means the request reached a live Cursor `api2` backend.
- If `api2.cursor.sh` resolves to public IPs, enable AWS-managed private DNS or forward DNS to the endpoint VPC resolver.
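
The "every resolved IP should be inside your consumer VPC CIDR" check can be scripted rather than read by eye. This is an added example, not code from Cursor's documentation; the function names are hypothetical, the VPC CIDR 10.20.0.0/16 is an assumption and the resolver answers are constructed.

```bash
# Added example, not Cursor's code. VPC_CIDR and the sample answers are constructed.

# Print dotted-quad IPv4 $1 as an integer; fail on anything that is not IPv4.
ip_to_int() {
  case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, at most 3 digits
    [ "$o" -le 255 ] || return 1
  done
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Succeed when IPv4 address $1 is inside CIDR $2; return 2 on malformed input.
ip_in_cidr() {
  ip=$(ip_to_int "$1") || return 2
  net=$(ip_to_int "${2%/*}") || return 2
  bits=${2#*/}
  case "$bits" in ""|*[!0-9]*|0?*|???*) return 2 ;; esac
  [ "$bits" -le 32 ] || return 2
  block=$(( 1 << (32 - bits) ))   # number of addresses in a /bits block
  [ $(( ip / block )) -eq $(( net / block )) ]
}

# Read resolver output on stdin (dig +short or getent hosts lines) and report each
# address against consumer VPC CIDR $1. Returns 0 only if at least one IPv4
# address was seen and all of them are inside the CIDR.
check_private_dns() {
  seen=0; bad=0
  while read -r addr rest; do
    rc=0; ip_in_cidr "$addr" "$1" || rc=$?
    case "$rc" in
      0) seen=$(( seen + 1 )); echo "ok    $addr is inside $1" ;;
      1) seen=$(( seen + 1 )); bad=$(( bad + 1 ))
         echo "FAIL  $addr is outside $1: private DNS is not in effect" ;;
      *) echo "skip  '$addr' is not an IPv4 address" ;;
    esac
  done
  [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed resolver answers: private DNS in effect, then a public address leaking in.
VPC_CIDR=10.20.0.0/16   # assumption: replace with your consumer VPC CIDR
printf '10.20.3.17 api2.cursor.sh\n10.20.9.41 api2.cursor.sh\n' | check_private_dns "$VPC_CIDR"
printf '10.20.3.17\n203.0.113.10\n' | check_private_dns "$VPC_CIDR" || echo "private DNS check failed"
# Live use from the Git provider's network: dig +short api2.cursor.sh | check_private_dns "$VPC_CIDR"
```

A non-zero exit corresponds to the last bullet above: enable AWS-managed private DNS or forward DNS to the endpoint VPC resolver, then rerun the check.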
Frequently asked questions
Does Cursor support Google Private Service Connect?
Not as a customer-facing service today. If you need private connectivity from a GCP VPC to Cursor services, or from Cursor to a private service in your GCP project, contact Cursor to scope the requirement. For now, use AWS PrivateLink or Cloudflare Tunnel where those models fit.
Which Cursor services use this private connectivity setup?
The same setup is reused across Cursor services that need source control access, including Cloud Agents, Bugbot and Cursor backend services. Cursor uses the connected source control integration for those services once private networking is in place.
Why does AWS return InvalidServiceName when Cursor tries to connect?
Cursor cannot create its interface endpoint until the AWS principal it provides is in your endpoint service allowed principals. If that principal is missing or does not match exactly, AWS returns InvalidServiceName. Add the exact principal Cursor provides.
Sources & last verified
- Cursor - Private Connectivity
- Cursor - Cloud Agents
- Cursor - Bugbot
- Cursor - GitHub integration
- Cursor - GitLab integration
Cursor ships frequently. Facts verified against primary sources on June 25, 2026.