About Tunnel Bypass
Learn how Tunnel Bypass in CloudConnexa allows administrators to define destinations that bypass the secure tunnel and route traffic locally for specific User Groups.
Tunnel Bypass allows administrators to maintain a secure-by-default approach for a user group by routing all internet traffic through CloudConnexa, while selectively routing traffic to specific destinations directly to the local network gateway.
This is useful for destinations that don't require secure tunneling, such as locally accessible intranet resources, on-premises systems, or performance-sensitive services that benefit from direct routing.
The tunnel bypass feature is configured at a user group level. Different user groups can have different tunnel bypass configurations based on their roles, risk profiles, and access needs.
Note
Tunnel Bypass is only available when a User Group's Internet Access is set to Split Tunnel Off or Restricted Internet. It's not available for User Groups with Split Tunnel On.
Supported internet access modes
| Internet access setting | Tunnel Bypass available? |
|---|---|
| Split Tunnel On (Level-1) | No |
| Split Tunnel Off (Level-2) | Yes |
| Restricted Internet (Level-3) | Yes |
Constraints
Destinations within a user group need to be unique and non-overlapping with each other.
Destinations can't conflict with existing routing ranges configured in your WPC, including WPC subnets, domain routing subnets, IP service subnets, and network routes.
Application routing takes precedence over Tunnel Bypass. Traffic to domains configured as Applications is always routed through the CloudConnexa tunnel, even if the resolved destination matches a Tunnel Bypass destination.
Configure tunnel bypass subnets for a user group
To add, edit, or remove tunnel bypass subnets for a user group:
Navigate to Access → Internet.
Locate the target user group.
In the Internet Access column, click Manage Exclusions.
If Tunnel Bypass Unavailable displays for the User Group, edit the group to use an Internet Access setting that supports the feature: Split Tunnel Off, or Restricted Internet. Refer to Change Internet Access.
Note
Tunnel Bypass isn't available with Split Tunnel On because only explicitly configured destinations are routed through CloudConnexa in that mode. All other traffic already routes via the local gateway by default.
In the Tunnel Bypass configuration panel, enter destinations in CIDR format, one per line, in the IPv4 Subnets field.
Optionally, paste a comma-separated or space-separated list. The entries are automatically parsed and sorted.
Click Update Tunnel Bypass to save your changes.
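Before pasting a list into the IPv4 Subnets field, it can be checked offline against the rules under Constraints. The following is an added example, not CloudConnexa's own validation code: it splits a comma-, space-, or newline-separated list, then reports overlapping entries and conflicts with existing routing ranges. Assumptions: the function name `check_bypass`, the sample ranges, and the strict rejection of entries with host bits set are all constructed for illustration; Application (domain) precedence is not modelled.

```python
import ipaddress
import re

def check_bypass(text, wpc_ranges):
    """Return (sorted_networks, problems) for a proposed Tunnel Bypass list.

    text       -- destinations separated by commas, spaces, or newlines
    wpc_ranges -- {label: CIDR} of ranges already routed in the WPC
    """
    nets, problems = [], []
    for token in filter(None, re.split(r"[,\s]+", text)):
        try:
            # strict=True rejects host bits (10.0.0.5/24); this strictness
            # is an assumption of the example, not documented behaviour.
            nets.append(ipaddress.IPv4Network(token, strict=True))
        except ValueError:
            problems.append(f"invalid CIDR: {token}")
    nets.sort()

    # Constraint: destinations in a group are unique and non-overlapping.
    # A duplicate overlaps itself, so it is reported here as well.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlap in group: {a} and {b}")

    # Constraint: no conflict with WPC subnets, domain routing subnets,
    # IP service subnets, or network routes.
    for label, cidr in wpc_ranges.items():
        existing = ipaddress.IPv4Network(cidr)
        for net in nets:
            if net.overlaps(existing):
                problems.append(f"conflicts with {label} {existing}: {net}")
    return nets, problems

# Constructed sample data; replace with the ranges from your own WPC.
SAMPLE_WPC = {"WPC subnet": "10.200.0.0/16", "network route": "10.20.0.0/16"}
SAMPLE_LIST = """192.168.10.0/24, 192.168.10.128/25 172.16.5.0/24
10.0.0.5/24
10.20.30.0/24"""

if __name__ == "__main__":
    networks, issues = check_bypass(SAMPLE_LIST, SAMPLE_WPC)
    print("parsed:", ", ".join(map(str, networks)))
    for issue in issues:
        print("PROBLEM:", issue)
```

Every bypass destination leaves the tunnel, so reviewing the reported problems and the final sorted list before saving keeps the exclusion set as narrow as intended.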