Block all but Twingate relay

ajloughr · February 21, 2023, 5:02pm

We are trying to plan out a deployment of Twingate on a site which has very strict network security policies. I have ready that Twingate Relays can forward data to their destination when a direct NAT connection is not possible, but is there a way to force this to occur by adding strict outbound firewall rules, essentially only allowing outbound connections to relays? In theory, we would block all outbound (and inbound but this is already how Twingate works from my understanding) EXCEPT the relay addresses. Would this work? And if so, is there a list somewhere of the addresses of all Twingate relays?

Thanks for any help

Jason · February 23, 2023, 12:54am

Sure! That would do what you want I think.

The one problem is that our relays are hosted in GCP and they change IPs. We aren’t able to provide a list of IPs for that reason anyway. So as long as that is restrictive enough then sure this would work!

Here is more detail as written up by one of the managers on the team:

Please focus on #4 from this link:

Topic		Replies	Views
Source country traffic Installation	1	212	May 1, 2023
Forward All Traffic Through Twingate Support / Troubleshooting	4	194	December 6, 2023
How to route all traffic through my infra Support / Troubleshooting	8	1111	February 26, 2024
Granular protocol restrictions Feature Requests	2	220	June 14, 2023
Direct Connection and Relay Data Privacy Clarification	1	180	October 19, 2023

Block all but Twingate relay

Related Topics