Block all but Twingate relay

We are trying to plan out a deployment of Twingate on a site which has very strict network security policies. I have read that Twingate Relays can forward data to their destination when a direct NAT connection is not possible, but is there a way to force this to occur by adding strict outbound firewall rules, essentially only allowing outbound connections to relays? In theory, we would block all outbound (and inbound, but this is already how Twingate works from my understanding) EXCEPT the relay addresses. Would this work? And if so, is there a list somewhere of the addresses of all Twingate relays?

Thanks for any help

Sure! That would do what you want I think.

The one problem is that our relays are hosted in GCP and they change IPs. We aren’t able to provide a list of IPs for that reason anyway. So as long as that is restrictive enough then sure this would work!

Here is more detail as written up by one of the managers on the team:

Please focus on #4 from this link: