In this guide, we'll use Firezone to manage access to a public SaaS application such as HubSpot or GitHub.

This is useful when you want to restrict access to a public web app based on an IP allowlist configured in the app, effectively turning the Firezone Gateway into an app connector for SaaS applications that support IP allowlists.


  • A Site with a descriptive name to use for deploying Gateways for this use case, for example SaaS connectors. Create a Site if you haven't already.
  • One or more Gateways deployed within the Site in a NAT Gateway configuration. See Route traffic through a public IP for how to deploy a single NAT Gateway, or see our Terraform examples for examples on how to automate deploying multiple Gateways to various cloud providers.
  • Any SaaS app that supports IP allowlists, configured to allow the public IP address(es) of the Gateway(s) you want to use.

For reliable access to your SaaS apps, we always recommend deploying multiple Gateways for high availability.

Step 1: Create a Resource

  1. In your admin portal, go to Sites -> <site> and click the Add Resource button.
  2. Select DNS as the Resource type.
  3. Enter the address of the SaaS app you want to secure access to. In some cases, it's helpful to use wildcard matching to ensure all subdomains for the SaaS app are routed appropriately as well. For example: * This address must be resolvable by all of the Gateway(s) in your Site.
  4. Optionally, add a traffic restriction for TCP/80 and/or TCP/443 to further limit access to this Resource to HTTP and/or HTTPS traffic only (Team and Enterprise plans).
  5. Enter a descriptive name for the Resource, e.g. Public GitHub access. This will be used to identify the Resource in the Firezone admin portal.
Create a Resource

Step 2: Create a Policy

  1. In the Policies tab, click the Add Policy button.
  2. Create a Policy for the Resource you created in Step (1). Be sure to select the appropriate Group and Resource for the Policy.

Step 3: Done!

You've now secured access to your private web app with Firezone. You can now test access from any signed-in Client by visiting the SaaS app in a web browser.

Need additional help?

Try asking on one of our community-powered support channels:

Or try searching the docs:
Last updated: May 09, 2024