Manage access
Access in Firezone is default-deny: a Resource is unreachable until a Policy grants access to it. Granting someone access always follows the same shape:
- Put the users in a Group. Groups are synced from your identity provider or managed manually in the admin portal.
- Define the Resource you want to expose — a DNS name, IP, or CIDR range, optionally restricted to specific ports and protocols.
- Create a Policy linking the Group to the Resource. Go to Policies → New Policy, then select the Group and Resource it applies to.
- (Optional) Add conditions to restrict when and from where access is allowed, such as by client location, IP range, or time of day. Conditions are available on Team and Enterprise plans.
To revoke access, remove or disable the Policy that granted it.
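The default-deny evaluation described above can be modelled in a few lines. This is an added example, not Firezone's code, API, or export format: the `Resource` and `Policy` classes, the `is_allowed` function, the exact-match handling of DNS names, and all sample data are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass
class Resource:              # hypothetical model, not Firezone's schema
    address: str             # DNS name, IP, or CIDR range
    ports: frozenset = frozenset()   # empty set = no port restriction

@dataclass
class Policy:                # links one Group to one Resource
    group: str
    resource: str
    enabled: bool = True
    client_cidr: Optional[str] = None   # condition: client IP range
    hours: Optional[tuple] = None       # condition: (start, end) time of day

def address_matches(resource_addr, dest):
    try:
        net = ipaddress.ip_network(resource_addr, strict=False)
    except ValueError:       # not an IP/CIDR: treat as DNS name, exact match only
        return resource_addr.lower() == dest.lower()
    try:
        return ipaddress.ip_address(dest) in net
    except ValueError:
        return False

def is_allowed(groups, policies, resources, dest, port, client_ip, now):
    for p in policies:
        r = resources[p.resource]
        if not p.enabled or p.group not in groups:
            continue
        if not address_matches(r.address, dest) or (r.ports and port not in r.ports):
            continue
        if p.client_cidr and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(p.client_cidr):
            continue
        if p.hours and not (p.hours[0] <= now <= p.hours[1]):
            continue
        return True          # one enabled, matching Policy is enough
    return False             # default-deny: nothing granted access

# Constructed sample data
RESOURCES = {"pg": Resource("10.0.5.0/24", frozenset({5432})),
             "wiki": Resource("wiki.internal.example")}
POLICIES = [Policy("dba", "pg", client_cidr="203.0.113.0/24", hours=(time(8), time(18))),
            Policy("staff", "wiki")]
```

Running every (Group, Resource) pair through a model like this is a quick way to review effective access: any pair that returns `True` must trace back to a specific enabled Policy.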
Common workflows
The recipes below apply this workflow to common secure-access scenarios. Each assumes you have a Firezone account and at least one Site created. If you haven't done that yet, sign up for an account and create a Site first.
These are just a few ways Firezone can help your organization achieve zero trust access. If you have a use case you'd like to see covered here, please let us know!
- Block malicious DNS: Use Firezone to improve your team's Internet security by blocking DNS queries to known malicious domains.
- Scale access to a VPC: Scale access into your VPC using multiple Gateways, with an optional Terraform example.
- Route through a public IP: Route some of your team's traffic through a single, static IP address to use services that only accept traffic from allowlisted source IPs.
- Access a Postgres database: Secure access to your Postgres database.
- Manage access to a SaaS app: Manage access to a public SaaS app like Hubspot or GitHub.
- Access a remote host: Access a host by its private IP address.
- Access a private network: Access a homelab, VPC, or other private network from anywhere without opening ports on your firewall.
- Access a private web app: Secure access to a privately hosted web application like GitLab or Metabase.