Egress routes
Egress routes allow you to route all or a subset of traffic from your Enclave network through a gateway, effectively using the gateway as a bridge to external networks. This is useful for exposing specific subnets to your agents, or for creating security policies that restrict how agents reach external resources.
INFO
Egress routes currently support IPv4 subnets and hostnames only. If a client resolves a hostname to an IPv6 address, that traffic will not flow through the egress route. If you plan to use hostnames in your egress routes, configure clients to use IPv4 DNS resolution only.
Use cases
- Accessing internal networks: expose specific subnets to your agents so they can reach resources inside an internal network without installing an Enclave agent on each of those resources.
- Full traffic tunneling: route all traffic from your agents through a gateway, so the gateway acts as a proxy for everything they send. This is useful for enforcing security policies or monitoring traffic.
- Conditional access: route only traffic to specific hostnames or subnets through a gateway, for example traffic destined for your identity provider. This creates a controlled access point through which your agents reach external resources, while you retain control over which agents can use it.
Benefits
- Agentless access: Egress routes allow you to provide access to resources without having to install agents on those resources, making it easier to manage and secure your network.
- Fully encrypted: All traffic routed from an agent to the gateway that is hosting the egress route flows through encrypted tunnels, ensuring that your data remains secure.
- Easy to deploy: Egress routes can be easily configured and managed through the Enclave management console, allowing you to quickly set up and modify your network architecture as needed.
How it works
Egress routes are configured in the Enclave management console (EMC) under Networking > Egress Routes. Each egress route is associated with a single gateway. Tags on the egress route determine which agents it applies to. An agent can currently have only one egress route, but multiple agents can share the same egress route, so a single route can serve a whole group of agents and keep configuration simple.
Let's use the example of giving your engineering team access to an internal subnet, `192.168.22.0/24`. First, deploy an Enclave gateway agent inside your internal network. Then create an egress route in the EMC with the following configuration:
- Name: `Internal Subnet Access`
- Gateway: select the gateway agent you deployed in your internal network.
- Tags: assign a tag, e.g. `engineering-internal-access`, to the egress route.
- Subnet: specify the subnet you want to expose, e.g. `192.168.22.0/24`.
Once deployed, every agent carrying the `engineering-internal-access` tag has a route installed on its machine that points `192.168.22.0/24` at the gateway's Enclave IP address. A client agent can then reach a resource such as `192.168.22.54` directly: the traffic traverses the gateway agent, which forwards it into the internal subnet.
Configuring conditional access
Egress routes also accept hostnames, which lets routing decisions follow a hostname rather than a fixed subnet. A good use for this is sending traffic to a specific identity provider, such as Okta or Microsoft Entra ID, through a gateway. A conditional access policy in the identity provider can then use the gateway's public IP address to restrict access to applications by the source IP address of the request. This gives your agents a controlled access point to external resources while you retain control over which agents can reach them.
Let's use the example of allowing access to QuickBooks Online for your finance team using Microsoft Entra ID. You would create an egress route in the EMC with the following configuration:
- Name: `QuickBooks Online Access`
- Gateway: select a gateway agent that has access to the internet.
- Tags: assign a tag, e.g. `finance-access`, to the egress route.
- Subnets or Hostname: specify the subnets or hostname of the OIDC provider that manages your access to QuickBooks Online.
You would then create a conditional access policy in Microsoft Entra ID that restricts access to the QuickBooks Online application to requests coming from the gateway agent's public IP address. Only agents with the `finance-access` tag send their sign-in traffic through the gateway, so only they satisfy the policy, and that traffic reaches the identity provider over the gateway. This marries authorization and network security: access to the external resource depends on both the network path and the identity policy.
Usage with Microsoft Entra ID
Microsoft makes their IPv4 subnet ranges available here. You will most likely be using the `login.microsoftonline.com` endpoint for authentication. Because this hostname is DNS load balanced, add the published subnets for the endpoint you use instead of relying on the hostname alone. At the time of writing, for `login.microsoftonline.com`, these are `20.20.32.0/19`, `20.190.128.0/18`, `20.231.128.0/19` and `40.126.0.0/18`. These ranges change over time, so review them periodically: a DNS answer outside the configured subnets means the sign-in request leaves the client directly, arrives at Entra ID from the client's own IP address, and is blocked by the policy. Use the gateway's public IP address as a Named Location in your conditional access policy to restrict access to requests coming from your gateway. This also means the gateway needs a stable public egress IP; if it changes, update the Named Location or users will be locked out.
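Because the hostname is load balanced and the published ranges move, it is worth checking that the addresses your clients actually resolve fall inside the subnets on the egress route. The script below is an added example for this page, not Enclave's or Microsoft's tooling. It uses the four ranges quoted above; the `SAMPLE_ANSWERS` list is constructed so the check runs offline (198.51.100.0/24 and 2001:db8::/32 are documentation ranges, not Microsoft's), and the live `audit` call is only made when the file is run directly.

```python
"""Check whether a hostname's current DNS answers are covered by an egress route's IPv4 subnets.

Added example for this page, not Enclave's own tooling. ENTRA_LOGIN_SUBNETS are the
ranges quoted on this page for login.microsoftonline.com; SAMPLE_ANSWERS are
constructed addresses so the check can run offline.
"""
import ipaddress
import socket

ENTRA_LOGIN_SUBNETS = ["20.20.32.0/19", "20.190.128.0/18", "20.231.128.0/19", "40.126.0.0/18"]

# Constructed sample: three covered IPv4 answers, one IPv4 answer outside every subnet
# (documentation range) and one IPv6 answer (documentation range).
SAMPLE_ANSWERS = ["20.190.128.10", "40.126.31.7", "20.20.40.1", "198.51.100.7", "2001:db8::1"]


def classify(addresses, subnets):
    """Split resolved addresses into covered, uncovered (IPv4 outside every subnet)
    and ipv6 (never carried by an egress route, per the IPv6 note on this page)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    result = {"covered": [], "uncovered": [], "ipv6": []}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6:
            result["ipv6"].append(str(ip))
        elif any(ip in net for net in nets):
            result["covered"].append(str(ip))
        else:
            result["uncovered"].append(str(ip))
    return result


def resolve_all(hostname, port=443):
    """Return the distinct addresses the local resolver currently returns for hostname."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def audit(hostname, subnets, rounds=5):
    """Resolve several times (load-balanced DNS rotates answers) and classify the union."""
    seen = set()
    for _ in range(rounds):
        seen.update(resolve_all(hostname))
    return classify(sorted(seen), subnets)


def route_is_sufficient(report):
    """True only if every IPv4 answer sits inside a configured subnet and no IPv6 answer
    was returned; otherwise some sign-ins bypass the gateway and fail the IP policy."""
    return not report["uncovered"] and not report["ipv6"]


if __name__ == "__main__":
    report = audit("login.microsoftonline.com", ENTRA_LOGIN_SUBNETS)
    print(report)
    print("OK" if route_is_sufficient(report) else "GAP: some sign-in traffic will bypass the gateway")
```

Run it from a tagged client, since that is the resolver whose answers matter; any address listed under `uncovered` needs a subnet added to the egress route, and any under `ipv6` means the client should be switched to IPv4-only DNS resolution as the note at the top of this page recommends.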