A complete data-flow diagram of how the QuickConnect desktop agent (and the ACS agent) connects a customer host to the Functionize platform, annotated with every protocol, port, and TLS version. It's built to hand to a customer's networking/security team for sign-off.
The diagram traces ten numbered flows, [0]–[9], all agent-initiated and outbound, across four trust zones: the customer environment, Tailscale infrastructure (third-party SaaS), the Functionize GCP platform, and the Functionize-managed relay VMs. The tunnel's data path follows a fixed preference order — direct WireGuard [5] → peer-relay [7] → DERP [8] → WSS-Relay [9] — with the WSS-Relay engaged only on TLS-inspecting networks. It also marks the firewalls, the optional internal/corporate proxies, and the egress allowlist (TCP/443 to *.tailscale.com/*.functionize.com, plus UDP/3478, 41641, 50000), with review notes confirming that no inbound access is ever required and that every relay is blind to the end-to-end-encrypted payload.
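A reviewer can turn the allowlist and the "no inbound access" note above into a check over firewall or flow-log records. The following is an added example, not Functionize or Tailscale code. The record shape (`direction`, `proto`, `dst_host`, `dst_port`) and all sample hosts and addresses are assumptions constructed for illustration, and UDP flows are checked by destination port only because the page names no UDP destinations.

```python
from fnmatch import fnmatch

# Egress allowlist as stated on the page.
TCP443_HOSTS = ("*.tailscale.com", "*.functionize.com")
UDP_PORTS = {3478, 41641, 50000}

def classify(flow):
    """Return 'allowed' or the reason the flow falls outside the design."""
    if flow["direction"] != "outbound":
        return "inbound flow: the design requires none"
    proto, port = flow["proto"].lower(), int(flow["dst_port"])
    host = flow["dst_host"].lower().rstrip(".")
    if proto == "tcp":
        if port != 443:
            return f"tcp/{port} is not on the allowlist"
        # The pattern must match the whole name, so look-alike hosts fail.
        if any(fnmatch(host, pat) for pat in TCP443_HOSTS):
            return "allowed"
        return f"tcp/443 to {host} is outside the allowed domains"
    if proto == "udp":
        # Assumption: the page lists UDP ports without destination hosts,
        # so only the destination port is checked.
        if port in UDP_PORTS:
            return "allowed"
        return f"udp/{port} is not on the allowlist"
    return f"{proto} is not on the allowlist"

def audit(flows):
    """Return (flow, reason) for every record that is not allowed."""
    return [(f, r) for f in flows if (r := classify(f)) != "allowed"]

# Constructed sample records (hosts and addresses are illustrative only).
SAMPLE = [
    {"direction": "outbound", "proto": "tcp", "dst_host": "a.tailscale.com", "dst_port": 443},
    {"direction": "outbound", "proto": "udp", "dst_host": "198.51.100.7", "dst_port": 41641},
    {"direction": "outbound", "proto": "tcp", "dst_host": "tailscale.com.example.net", "dst_port": 443},
    {"direction": "outbound", "proto": "tcp", "dst_host": "app.functionize.com", "dst_port": 80},
    {"direction": "inbound", "proto": "udp", "dst_host": "203.0.113.9", "dst_port": 41641},
    {"direction": "outbound", "proto": "udp", "dst_host": "198.51.100.7", "dst_port": 53},
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE):
        print(f'{flow["direction"]} {flow["proto"]} {flow["dst_host"]}:{flow["dst_port"]} -> {reason}')
```
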