Access a Private Network


In this guide, we'll be using Firezone to secure access to a private subnet behind a firewall.

This is useful when you have hosts or services behind a firewall that you want to keep secure but still need to access from external networks like the internet.

In general, we recommend using a more granular approach to secure access using either DNS or IP-based Resources instead of the blanket approach used in this guide. Only use this guide if using DNS or IP-based Resources is not feasible, or if you need a stepping stone towards a more granular approach.


  • A Site that will contain the subnet you want to secure access to. Create a Site if you haven't already.
  • One or more Gateways deployed within the Site. Deploy a Gateway if you don't have any in the Site where this subnet is located.

Opening ports on your network firewall is not necessary or recommended. Firezone Gateways perform secure NAT traversal for you.

Step 1: Create a Resource

  1. In your admin portal, go to Sites -> <site> and click the Add Resource button.
  2. Select CIDR as the Resource type.
  3. Enter the CIDR range of the subnet you want to secure access to. This should be a range of IPv4 or IPv6 addresses that's directly reachable from the Gateway(s) in your Site.
  4. Name the Resource something descriptive, like SJC demo net. You'll refer to this name when creating a Policy in the next step.
  5. Click Save.

Step 2: Create a Policy

  1. In the Policies tab, click the Add Policy button.
  2. Select an appropriate Group and the Resource you created in Step (1).
  3. Click Save.

Step 3: Done!

You should now be able to access hosts and services in the subnet you specified in Step (1).
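
One way to sanity-check the range before entering it in Step (1), and to see how far it is from the narrower IP-based Resources recommended at the top of this guide. This is an added example, not part of Firezone's documentation or tooling; the function name `review_cidr` and the sample addresses are constructed for illustration.

```python
import ipaddress


def review_cidr(cidr, needed_hosts):
    """Vet a candidate CIDR Resource value against the hosts users must reach."""
    findings = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        # Host bits set (e.g. 10.20.0.5/24): report the network actually meant.
        # A string that is not a CIDR at all still raises here.
        net = ipaddress.ip_network(cidr, strict=False)
        findings.append(f"host bits set; the network is {net}")
    if not net.is_private:
        # "Private" as defined by Python's ipaddress module.
        findings.append("range is not private address space")

    hosts = {ipaddress.ip_address(h) for h in needed_hosts}
    inside = sorted(h for h in hosts if h.version == net.version and h in net)
    outside = sorted(str(h) for h in hosts if h not in inside)
    if outside:
        findings.append("needed hosts outside the range: " + ", ".join(outside))

    # Smallest set of prefixes covering only the needed hosts: candidates for
    # narrower IP-based Resources once the blanket range can be retired.
    narrower = [str(n) for n in ipaddress.collapse_addresses(
        ipaddress.ip_network(str(h)) for h in inside)]
    return {
        "network": str(net),
        "addresses_exposed": net.num_addresses,
        "addresses_needed": len(inside),
        "narrower_resources": narrower,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    report = review_cidr(
        "10.20.0.5/24",
        ["10.20.0.10", "10.20.0.11", "10.20.0.12", "10.20.1.7"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

A large gap between `addresses_exposed` and `addresses_needed` is the signal that the blanket CIDR Resource grants far more reach than the Policy's Group requires.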

Last updated: April 19, 2024