How to SaaS App Gate with App Native IP Filtering and AWS Exit Nodes

The following steps cover how to use Twingate to provide user-based access control to any public content via AWS-hosted Connectors and IP whitelisting. For context, please see Whitelisting Traffic to Public Resources.

Deploy EC2 Instances as Exit Nodes

  • Deploy at least one Linux EC2 instance. We recommend multiple instances to provide redundancy. A t3a.micro instance is sufficient, but any general purpose instance is acceptable. (See Connector Best Practices for more information.) Our Linux recommendation is Ubuntu 18.04, but any Linux flavor that supports Docker will work.

  • Outbound internet traffic must be allowed from the EC2 instances. Inbound internet traffic is never required unless you need it for SSH access during setup. Otherwise, you should block all inbound internet traffic on all ports.

  • Verify the instance’s public IP address, which can be affected by your AWS configuration. Each EC2 instance should be assigned a (public) Elastic IP, but depending on whether internet egress traffic leaves via a NAT gateway or IGW (internet gateway), the public IP of the instance may be masked by NAT. You will whitelist the public IP address of the EC2 instance(s) with 3rd party applications.

For information on settings up Connectors on Linux, see deploying Connectors on Linux in our documentation.

Create a Resource and Authorize Users in Twingate

The last step is to authorize users to access your IP-whitelisted application in the Twingate admin console. If you need help with this step, you can follow these instructions.

  • Create a Resource in Twingate to represent your IP-whitelisted application. Twingate always looks at the FQDN or IP address in the connection request when determining whether a user is authorized for access. For example, if the domain you are protecting is acme.salesforce.com, that will be the name of the Resource in Twingate.

  • Authorize users by assigning them and the Resource to a new Group. Add the new Resource to a Group, and assign users to the Group. Any users added to the Group will now be able to access your IP-whitelisted application from any network as long as they are using Twingate.

Last updated 9 months ago