Techniques are disclosed for configuring a virtual machine instance accessed over a publically routable network address to host intranet applications. A virtual (or “dummy”) interface on the virtual machine instance is assigned an IP address that is inaccessible from the public interface. An application executed on the virtual machine instance is bound to a port on the network address assigned to this dummy interface. A virtual private network server assigns client's IP addresses that can be routed to the dummy interface. When a client computing system connects to the VPN server over the virtual machine instance's public interface, the client forwards traffic destined for the dummy interface's inaccessible network over the VPN connection.