We have a SaaS product that we offer our clients and have always had a way to let them add their IP Address to a list so they can get access to it. While this has worked great in the past, we would love to make it easier for our customers to use something like Twingate directly to our app network.
Is there an option or recommendations for making this a part of our product? Would each of our customers need their own Twingate account or could we do something via the API and our own management to allow them to do this?
Or is it easiest for them to get Twingate and we just white list their Twingate ip? One of the issues we are running into is our app runs on azure and we have started using azure front door so some user’s ip addresses show up as IpV6 which are never static, so it started the idea of how we could make our app even zero trust where only users could access to it via a vpn.
This then brings up capacity questions and cost questions as we scale, we have thousands of users but many aren’t always active and how this would look.
Maybe you could expand a bit on how you’re doing things now, when you have a client come on board and they need to whitelist their IP address, is that a single address for all of their users or each user on their end has to do this themselves (or an admin has to collect and manage this)? Do they have to deal with constantly changing dynamic IP addresses? What’s the biggest complaint you get from clients related to this part of the process?
Our application has customers that need to meet HIPAA requirements, but not all. Many are starting to tighten up their security but also most are non-profits who don’t always have the best resources to implement something like Twingate. So we are thinking through if we could help them in that area or offer it as a service.
Currently we whitelist IPs based on the customer and the user. So some users can only login at the main office of a customer for example. Their admins can manage this. But what has started this conversation is we put a WAF in front of the application recently and Azure Front Door that does some unique routing that for some users forces them over IPv6 which doesn’t seem to adhere to the same static IP addresses provided by their internet provider.
From the App side we are just checking the headers but now that Front Door is in front of it, it gets different results. So I was thinking about how great Twingate has been for us to implement and was thinking through if we could help customers implement this for our SaaS product or even make it a requirement for some of our users beyond just the IP Address check, or make the IP address check use the Twingate IP for those users (which I know can be done since that is what is suggested in the docs)
I am thinking through how to help our customers also be more secure with their data beyond our basic infrastructure but either doing an offering to help them setup twin gate and even us host the connector in our infrastructure for their access to the app or something along those lines.
Thank you for the extra information, super helpful
For the two ideas you had I think there’s potential in both from a technical perspective, although having each client setup their own Twingate account would be a bit more difficult if you have some that require HIPAA and probably other compliance needs, they’d have to go through an IT evaluation and onboarding process.
Setting up Twingate yourself and then bringing in the individual end-users who need access to the service may be the easiest method, and it would allow you to fully manage and monitor who has access, as well as removing access when/if necessary. You can absolutely do so through the API as well, we support the ability to trigger invite emails, delete users, update their information, or query all users.
As I assume you’re using Twingate already for your own access, you could create some groups to isolate all of these specific users, or perhaps create a second tenant to manage everything and keep it completely separate from your corporate users/resources.
I can’t say that I know of anybody currently using us to gate their own service for customers but it’s a really unique idea, I hope you go through some testing and let us know how it works!
I think the question becomes a cost and scaling concern at that point, I think it is a unique approach for us to have a “premium” or level for our service that offers that level of access.
My concern then becomes the limits of <100 users for teams and up to 500 users on business accounts on Twingate.
