Private Resource Configuration Examples

Private Resource located in multiple locations

Use these examples for configuring private resources when using Resource Connector Groups to connect traffic.

Suppose you have a private resource Application1 deployed in Location1 and Location2:

  • If users will access the resource using browser-based connections, create a separate private resource for each location.
  • If users access the resource using different IP addresses in Location1 and Location2:
    Configure a separate private resource for each resource location, and associate each private resource with a resource connector group in the appropriate region.
  • If the private resource is defined using an FQDN that is common to Location1 and Location2:
    Configure a single private resource and associate the resource with different connector groups in different regions if applicable.
  • If the private resource is accessed in both locations using the same IP address:
    Configure a single private resource and associate the resource with different connector groups in different regions if applicable.
  • If the private resource is defined with multiple IP addresses, and it is accessible in any location using any of the addresses:
    Configure a single private resource with multiple entries for "Internally reachable address." Associate the resource with different connector groups in different regions if applicable.

Catch-all private resource to prevent exposing internal networks

Connection requests by remote devices, including requests for private resources, are typically resolved using public DNS, exposing information about those requests to the public internet. Connection requests for private destinations that are enabled for client-based Zero Trust Access do not go through public DNS and thus do not expose this information.

To avoid exposing information about your network to the public internet via DNS requests:

Add a private resource for your namespace, following the model *.example.com, for Any TCP, Any UDP, for all ports, and enable client-based Zero Trust Access for this resource. This creates a traffic steering rule that routes all client-based traffic to any destination in your namespace through Zero Trust Access. You do not need to create an access rule specifically for this resource, because the default private access rule will block access unless another access rule applies.
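
The following added example (not from the product documentation) is one way to check the name coverage a catch-all resource gives: it lists which internal hostnames are not matched by any private resource with client-based Zero Trust Access enabled, before and after adding *.example.com. The PrivateResource record, its field names, the sample data, and the rule that a wildcard does not match the bare apex domain are assumptions made for illustration; protocols and ports are not modeled.

```python
"""Audit which hostnames are steered through client-based Zero Trust Access.

The records below are constructed sample data with hypothetical field names;
they are not a product export format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivateResource:
    name: str
    address: str            # FQDN or wildcard such as "*.example.com"
    client_based_zta: bool  # client-based Zero Trust Access enabled?


def matches(pattern: str, host: str) -> bool:
    """Case-insensitive FQDN match. Assumption: "*.example.com" covers any
    subdomain depth but not the bare apex "example.com"."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Require the ".example.com" suffix plus at least one label before it.
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return host == pattern


def steering_report(resources, hostnames):
    """Map each hostname to the ZTA-enabled resources that steer it.
    An empty list means the lookup would fall back to public DNS."""
    steered = [r for r in resources if r.client_based_zta]
    return {h: [r.name for r in steered if matches(r.address, h)] for h in hostnames}


def exposed(resources, hostnames):
    """Hostnames not covered by any client-based ZTA resource."""
    report = steering_report(resources, hostnames)
    return sorted(h for h, hits in report.items() if not hits)


# Constructed sample data.
RESOURCES_BEFORE = [
    PrivateResource("Application1", "app1.example.com", True),
    PrivateResource("Wiki (browser-based only)", "wiki.example.com", False),
]
RESOURCES_AFTER = RESOURCES_BEFORE + [PrivateResource("Catch-all", "*.example.com", True)]
HOSTNAMES = ["app1.example.com", "wiki.example.com", "build01.corp.example.com",
             "example.com", "notexample.com"]

if __name__ == "__main__":
    print("exposed before:", exposed(RESOURCES_BEFORE, HOSTNAMES))
    print("exposed after: ", exposed(RESOURCES_AFTER, HOSTNAMES))
```

Names outside the namespace, such as notexample.com in the sample, stay in the exposed list by design; only hostnames under the wildcard move to Zero Trust Access steering.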

