About Tunnel Bypass
Learn how Tunnel Bypass in CloudConnexa allows administrators to define destinations that bypass the secure tunnel and route traffic locally for specific User Groups.
Tunnel Bypass allows administrators to maintain a secure-by-default approach for a user group by routing all internet traffic through CloudConnexa, while selectively routing traffic to specific destinations directly to the local network gateway.
This is useful for destinations that don't require secure tunneling, such as locally accessible intranet resources, on-premises systems, or performance-sensitive services that benefit from direct routing.
The tunnel bypass feature is configured at a user group level. Different user groups can have different tunnel bypass configurations based on their roles, risk profiles, and access needs.
Note
Tunnel Bypass is only available when a User Group's Internet Access is set to Split Tunnel Off or Restricted Internet. It's not available for User Groups with Split Tunnel On.
Supported internet access modes
| Internet access setting | Tunnel Bypass available? |
|---|---|
| Split Tunnel On (Level-1) | No |
| Split Tunnel Off (Level-2) | Yes |
| Restricted Internet (Level-3) | Yes |
Constraints
Destinations within a user group need to be unique and non-overlapping with each other.
Destinations can't conflict with existing routing ranges configured in your WPC, including WPC subnets, domain routing subnets, IP service subnets, and network routes.
Application routing takes precedence over Tunnel Bypass. Traffic to domains configured as Applications is always routed through the CloudConnexa tunnel, even if the resolved destination matches a Tunnel Bypass destination.
Configure tunnel bypass subnets for a user group
To add, edit, or remove tunnel bypass subnets for a user group:
Navigate to Access → Internet.
Click the edit icon to edit your target user group.
Ensure the target user group's Internet Access is set to Split Tunnel Off or Restricted Internet. If it isn't, click the edit icon and change the setting. Refer to Change Internet Access.
Click Manage Exclusions in the Internet Access column for the target user group.
In the Tunnel Bypass configuration panel, enter subnets in CIDR format, one per line, in the IPv4 Subnets field.
If a comma- or space-separated list is pasted, it's automatically parsed and sorted.
Click Update Tunnel Bypass to save your changes.
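A local pre-check for a subnet list before it is pasted into the IPv4 Subnets field, covering the overlap and WPC-conflict constraints listed under Constraints. This is an added example, not CloudConnexa code or its actual validation logic; the function names, the strict host-bit check, and the sample ranges are assumptions constructed for illustration.

```python
import ipaddress
import re

def parse_subnets(pasted):
    """Split a pasted list on commas, spaces or newlines; return (sorted networks, errors)."""
    nets, errors = [], []
    for token in filter(None, re.split(r"[,\s]+", pasted.strip())):
        try:
            # Assumption: host bits must be zero (10.0.0.5/24 is rejected here).
            nets.append(ipaddress.IPv4Network(token, strict=True))
        except ValueError as exc:
            errors.append(f"{token}: {exc}")
    return sorted(nets), errors

def check_bypass_list(pasted, wpc_ranges):
    """Return (networks, problems) for a proposed Tunnel Bypass list."""
    nets, problems = parse_subnets(pasted)
    # Destinations must be unique and non-overlapping within the user group.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    # Destinations must not conflict with ranges already routed in the WPC
    # (WPC subnets, domain routing subnets, IP service subnets, network routes).
    for a in nets:
        for r in map(ipaddress.IPv4Network, wpc_ranges):
            if a.overlaps(r):
                problems.append(f"{a} conflicts with WPC range {r}")
    return nets, problems

# Constructed sample input: a mixed comma/space/newline list and two
# hypothetical ranges already in use in the WPC.
PASTED = "192.168.10.0/24, 192.168.10.128/25 172.16.5.0/24\n10.20.0.0/16"
WPC_RANGES = ["10.20.30.0/24", "172.31.0.0/16"]

if __name__ == "__main__":
    nets, problems = check_bypass_list(PASTED, WPC_RANGES)
    print("\n".join(str(n) for n in nets))
    for p in problems:
        print("PROBLEM:", p)
```

Every subnet that passes still leaves the tunnel for that user group, so the reviewed list is also the record of which destinations are outside CloudConnexa's inspection path.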