How to SaaS App Gate with App Native IP Filtering and AWS Exit Nodes

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

The following steps cover how to use Twingate to provide user-based access control to any public content via AWS-hosted Connectors and IP whitelisting. For context, please see Whitelisting Traffic to Public Resources.

Deploy EC2 Instances as Exit Nodes

Deploy at least one Linux EC2 instance. We recommend multiple instances to provide redundancy. A t3a.micro instance is sufficient, but any general purpose instance is acceptable. (See Connector Best Practices for more information.) Our Linux recommendation is Ubuntu 18.04, but any Linux flavor that supports Docker will work.
Outbound internet traffic must be allowed from the EC2 instances. Inbound internet traffic is never required unless you need it for SSH access during setup. Otherwise, you should block all inbound internet traffic on all ports.
Verify the instance’s public IP address, which can be affected by your AWS configuration. Each EC2 instance should be assigned a (public) Elastic IP, but depending on whether internet egress traffic leaves via a NAT gateway or IGW (internet gateway), the public IP of the instance may be masked by NAT. You will whitelist the public IP address of the EC2 instance(s) with 3rd party applications.

For information on settings up Connectors on Linux, see deploying Connectors on Linux in our documentation.

Create a Resource and Authorize Users in Twingate

The last step is to authorize users to access your IP-whitelisted application in the Twingate admin console. If you need help with this step, you can follow these instructions.

Create a Resource in Twingate to represent your IP-whitelisted application. Twingate always looks at the FQDN or IP address in the connection request when determining whether a user is authorized for access. For example, if the domain you are protecting is acme.salesforce.com, that will be the name of the Resource in Twingate.
Authorize users by assigning them and the Resource to a new Group. Add the new Resource to a Group, and assign users to the Group. Any users added to the Group will now be able to access your IP-whitelisted application from any network as long as they are using Twingate.

Last updated 2 months ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Understanding Encryption in Twingate

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance