HA Cloud vs Port forwarding
Secure tunneling vs exposing HA directly to the internet.
Both approaches make HA reachable from the internet, but via different paths. Port forwarding opens a port on your router and exposes HA directly on your public IP. HA Cloud keeps your router closed; HA UI is reached through our edge URL behind a reverse proxy — you don't manage certificates, open ports, or HTTPS-layer updates.
HA Cloud vs Port forwarding + DDNS: feature-by-feature
| Feature | HA Cloud | Port forwarding + DDNS |
|---|---|---|
| Open port on your router | No (outbound only) | Yes (typically 8123 or 443) |
| HA UI reached via | Our edge (e.g. you.ha-cloud.cz) behind a reverse proxy |
Your public IP directly |
| Layer between internet and HA | Managed reverse proxy + edge (rate-limit, ACME) | None — HA directly on the port |
| Setup time | ~5 minutes (HA add-on) | Hours (router, DDNS, HTTPS, optionally reverse proxy) |
| Custom domain | Yes (paid plans) | Yes (DIY + DDNS / static IP) |
| Automatic HTTPS / cert renewal | Yes (we handle it) | DIY (e.g. Caddy, nginx + certbot cron) |
| Works behind CGNAT / no public IP | Yes | No — needs a public IP |
| Cost | From €0.79/mo | Free (your time + optional VPS) |
| ISP changes your public IP? | Tunnel just reconnects | DDNS has to catch up |
| Responsibility for edge security | Shared (we operate the edge) | 100 % on you (router, certs, patches) |
When to pick HA Cloud
- You don't want to open ports on your router (CGNAT, mobile ISPs, some cable providers).
- You don't want to babysit certificate renewals (Let's Encrypt cron, Caddy updates, etc.).
- You want a managed edge layer (rate-limit, ACME, monitoring) between the internet and HA.
- ISP-side IP changes shouldn't break access — the tunnel just reconnects.
- A few euros a month is fair for offloading the maintenance.
When to pick Port forwarding + DDNS
- You have Linux/networking experience and want full control.
- You already run a reverse proxy / WAF (Nginx, Caddy, Crowdsec, etc.).
- You have a stable public IP and DIY DDNS suits you.
- You're fine handling logs, patches, and monitoring yourself.
FAQ
In money, yes. In time, risk, and maintenance — 'free' is an illusion. The average user spends more hours than €0.79/month worth.
That reduces risk but the port is still open. Bots scan IPv4 nonstop. You still own nginx/HA patching.
HA auth protects login, but HA itself has CVEs occasionally. A tunnel adds a second layer (you must be inside to even see HA's UI).