Route Traffic Through a Public IP
In this guide, we'll walk through the configuration required to use Firezone to route traffic through a public IP address, sometimes known as a NAT Gateway configuration.
Use this when your team's traffic needs to appear to come from a single, static IP address, for example to reach services that only accept traffic from allowlisted source IPs.
After completing this guide, your team's traffic will be routed to a Firezone Gateway and then out to the internet using its public IP address.
See our Terraform examples for a high availability example of this guide using Terraform on Google Cloud Platform.
Prerequisites
- A Site reserved for this use case. Create a Site if you haven't already.
- One or more Gateways deployed within the Site. Deploy a Gateway if you haven't done so yet.
This guide assumes the Gateway has a public IP attached. This is required to function as a NAT gateway.
Step 1: Create Resource(s) matching the traffic you want to route
- In your admin portal, go to Sites -> <site> and click the Add Resource button.
- Add Resource(s) for each service that requires an IP allowlist. For example, if you need traffic to *.gitlab.company.com to appear to come from your Gateway's public IP address, you would enter *.gitlab.company.com as the Resource address.
- Optionally, add a Resource with address ifconfig.net to the Site as well. This will be used later to verify that your traffic is being routed through the Gateway's public IP.
Step 2: Create Policies
- In the Policies tab, click the Add Policy button.
- Create a Policy for each of the Resources you created in Step 1. Be sure to select the appropriate Group and Resource for each Policy.
Step 3: Done!
That's it!
If you added the ifconfig.net Resource above, you can verify that your traffic is being routed through the Gateway by visiting https://ifconfig.net in your browser and ensuring the IP displayed matches the public IP address of your Gateway.
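The same check can be scripted so it runs after every Gateway or Policy change. This is an added example, not part of the Firezone documentation: it fetches https://ifconfig.net, extracts the reported address, and compares it to a list of Gateway public IPs. The GATEWAY_IPS values are constructed placeholders, and the script assumes the first IP address in the response body is the caller's source address.

```python
"""Check that traffic to a Resource leaves through a Gateway's public IP."""
import ipaddress
import re
import sys
import urllib.request

# Constructed placeholders (documentation ranges): replace with the public
# IPs of the Gateways deployed in your Site.
GATEWAY_IPS = ["203.0.113.10", "198.51.100.7", "2001:db8::10"]
CHECK_URL = "https://ifconfig.net"  # the optional Resource from Step 1


def extract_ip(body):
    """Return the first IPv4/IPv6 address in a response body, or None."""
    # Assumption: the first parseable address in the body is the caller's IP.
    for token in re.split(r"[^0-9A-Fa-f:.]+", body):
        try:
            return ipaddress.ip_address(token.strip("."))
        except ValueError:
            continue
    return None


def egress_via_gateway(observed, gateway_ips=GATEWAY_IPS):
    """True if the observed source address is one of the Gateways' public IPs."""
    # Parsing both sides normalizes notation (e.g. compressed IPv6 forms).
    allowed = {ipaddress.ip_address(ip) for ip in gateway_ips}
    return observed is not None and observed in allowed


def fetch_body(url=CHECK_URL, timeout=10):
    """Fetch the IP echo page; only the first 64 KiB is read."""
    req = urllib.request.Request(url, headers={"Accept": "text/plain"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read(65536).decode("utf-8", "replace")


if __name__ == "__main__":
    observed = extract_ip(fetch_body())
    if egress_via_gateway(observed):
        print(f"OK: egress IP {observed} is a Gateway address")
        sys.exit(0)
    print(f"FAIL: egress IP {observed} is not one of {GATEWAY_IPS}; "
          "check the Resource and Policy from Steps 1 and 2")
    sys.exit(1)
```

A non-zero exit status means the address seen by ifconfig.net is not one of the listed Gateway IPs, so traffic to that Resource is not leaving through the Site.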