Create Resources


Resources define subnets, IP addresses, or DNS names you wish to manage access for.

To create a Resource, go to Sites -> <site name> -> Add a Resource.

Remember, Resources must be reachable by all Gateways in the same Site.

From there, you can select the type of Resource you want to create:

  • DNS: A domain name pattern to match.
    • By default, the pattern will only match exactly the name you enter.
    • To recursively match all subdomains, use a wildcard, such as * This will match,, and
    • To non-recursively match all subdomains, use a question mark, such as ? This will match,, and but not
  • IP: A single IPv4 or IPv6 address
  • CIDR: A range of IPv4 or IPv6 addresses in CIDR notation, such as or 2001:db8::/48

Note: To preserve audit trails, once a Resource is created, its address cannot be changed. Double-check to ensure the address entered is correct before creating the Resource.

Address description

When creating a Resource, you'll be given the option to add an address_description. If given, this will be displayed in the Client's Resource list to help identify the Resource. If a URL is entered, it will be displayed as a clickable link.

Address description field

This is commonly used to show a different address to end users than the one used for routing, where field validations are more restrictive. This can be useful to provide a bookmark to a service like, or give hints for accessing the service, like

Traffic restrictions


You can specify optional port range(s) and protocols on the Resource for finer access control, useful for restricting certain services while allowing others. Supported protocols currently include ICMP, TCP, and UDP.

One popular use case for traffic restrictions is segmenting access to individual services on a host. To do this, simply create a Resource for each service on the host you want to allow access to, and add the appropriate traffic restrictions to each one.

For example, create an Resource with the TCP/22 restriction to allow SSH access for your DevOps team, then add another Resource with the TCP/443 restriction to allow access to an HTTPS service for the rest of your organization.

Need additional help?

See all support options or try asking on one of our community-powered support channels:

Or try searching the docs:
Last updated: June 12, 2024