Manage Access to a SaaS Application

STARTERTEAMENTERPRISE

In this guide, we'll use Firezone to manage access to a public SaaS application such as HubSpot or GitHub.

This is useful when you want to restrict access to a public web app based on an IP allowlist configured in the app, effectively turning the Firezone Gateway into an app connector for SaaS applications that support IP allowlists.

Prerequisites

  • A Site with a descriptive name to use for deploying Gateways for this use case, for example SaaS connectors. Create a Site if you haven't already.
  • One or more Gateways deployed within the Site in a NAT Gateway configuration. See Route traffic through a public IP for how to deploy a single NAT Gateway, or see our Terraform examples for examples on how to automate deploying multiple Gateways to various cloud providers.
  • Any SaaS app that supports IP allowlists, configured to allow the public IP address(es) of the Gateway(s) you want to use.

For reliable access to your SaaS apps, we always recommend deploying multiple Gateways for high availability.

Step 1: Create a Resource

  1. In your admin portal, open Sites in the left sidebar, select your Site, open the Resources tab, and click Add a resource.
  2. Select DNS as the Resource type.
  3. Enter the address of the SaaS app you want to secure access to. In some cases, it's helpful to use wildcard matching to ensure all subdomains for the SaaS app are routed appropriately as well. For example: *.github.com. This address must be resolvable by all of the Gateway(s) in your Site.
  4. Optionally, add a traffic restriction for TCP/80 and/or TCP/443 to further limit access to this Resource to HTTP and/or HTTPS traffic only (Team and Enterprise plans).
  5. Enter a descriptive name for the Resource, e.g. Public GitHub access. This will be used to identify the Resource in the Firezone admin portal.

Step 2: Create a Policy

  1. Back in the left sidebar, open Policies, then click New Policy.
  2. Create a Policy for the Resource you created in Step (1). Be sure to select the appropriate Group and Resource for the Policy.

Step 3: Done!

You've now secured access to your private web app with Firezone. You can now test access from any signed-in Client by visiting the SaaS app in a web browser.

Need help? See all support options.

Found a problem with this page? Open an issue
Last updated: June 16, 2026