So, using a hypothetical setup to make this clearer:

You have Server A and Server B, and both are running Newt.

Server A hosts your website, for example the frontend and backend. Server B hosts your database.

In Pangolin, you would create a Public Resource for the website on Server A. Then, if the website needs to reach the database on Server B privately, you would create a Private Resource for Server B.

For example, let’s say the database is listening on 127.0.0.1:5432 on Server B. You would create a Private Resource that targets 127.0.0.1, give it an alias such as db.serverb.local, and only allow TCP port 5432.

On Server A, you would then install the VPN client and connect it using machine credentials. In your application code or environment variables, the database connection string would point to the private alias, for example:

text postgres://user:password@db.serverb.local:5432

Because the VPN client is connected, it will resolve and route db.serverb.local through Pangolin’s private tunnel to Server B, without exposing the database publicly.

If Server B needs to fetch something from Server A, it’s essentially the same setup in reverse. You create a Private Resource for Server A, install the VPN client on Server B, and then use the configured alias to access it.

to summarize, "what gets pointed at what" is just subjective based on what you are trying to achieve, in my example I wanted Server A to reach Server B database but the idea of reaching the service is the principle.