Skip to main content

Tutorial: Block All Internet Traffic Except To Trusted Internet Destinations

Abstract

Learn how to use CloudConnexa to block all internet traffic except approved private applications and trusted internet destinations using Restricted Internet access and access control policies.

Overview

This tutorial shows how to use CloudConnexa to block general internet access while still allowing access to approved private applications and trusted internet destinations.

This configuration is useful for highly secure environments where users should only access:

  • Approved private applications.

  • Specific private domains.

  • Authorized public domains.

  • Specific application protocols, such as HTTPS.

With this setup:

  • All internet traffic is tunneled through CloudConnexa.

  • General internet access is blocked.

  • Only explicitly allowed destinations remain accessible.

  • Access control policies are enforced based on user identity and group membership.

This approach is commonly used for:

  • Government agencies and defense contractors.

  • Highly regulated organizations.

  • Managed corporate devices.

  • Zero-trust remote access environments.

Before you begin

Before starting this tutorial, ensure you have:

  • A CloudConnexa account and Cloud ID.

  • A private network containing the applications or services you want to protect.

  • A Linux system available for Connector deployment within the private network.

  • Administrative access to CloudConnexa.

  • Managed user devices that will connect using OpenVPN Connect.

This tutorial includes:

  1. Creating the required network configuration.

  2. Deploying the Connector.

  3. Configuring access policies.

  4. Installing and configuring OpenVPN Connect for testing.

You should also be familiar with basic CloudConnexa concepts, such as:

Step 1: Configure the WPC topology

Configure the WPC to support granular access control policies.

  2. Navigate to Settings → WPC.

  3. Set Topology to Custom.

  4. Save the changes.

Using the Custom topology allows CloudConnexa access policies to be enforced between users, applications, and networks.

Step 2: Create the Management user group

Configure the Management user group to use Restricted Internet access.

  1. Navigate to Users → Groups.

  2. Click Add Group.

  3. Enter the new group details:

    • Enter the group name, Management.

    • Select the Region closest to the private network.

    • Set Internet Access to Restricted Internet.

    • Define the remaining fields as needed or leave them as the default.

  4. Click Add Group.

With Restricted Internet enabled:

  • All internet traffic is tunneled through CloudConnexa.

  • General internet access is blocked.

  • Only configured Applications and IP Services remain accessible.

Tip

With Restricted Internet configured, you can use Tunnel Bypass to allow specific destinations to route directly to the local network gateway, rather than being blocked or tunneled through CloudConnexa.

This allows precise local routing exceptions while maintaining a locked-down internet access policy. For example, users could still access local intranet resources within a specific subnet while all other internet traffic remains blocked.

Tunnel Bypass is configured per user group from Access → Internet. Refer to About Tunnel Bypass.

Step 3: Create a Network for protected applications

Create a Network representing the private network hosting the protected applications.

  1. Navigate to Networks → Networks.

  2. Click Add Network.

  3. Select Remote Access as the network type for providing remote access to private resources.

  4. Configure the Network settings:

    • Name — Enter a name (for example, app_network).

    • Description (optional) — Enter a description.

  5. Configure the Connector settings:

    • Connector Tunneling Protocol — Leave the default value of OpenVPN selected unless you specifically require IPsec.

    • Connector Name — Enter a name for the Connector.

    • Connector Description (optional) — Enter a description for the Connector.

    • Region — Select the Region closest to the private network.

  6. Click Next.

Step 4: Deploy the Connector

Deploy a Connector within the private network to provide secure connectivity to CloudConnexa.

  1. On the Deploy Network Connector step, select where you will deploy the Connector from the platform drop-down menu. (We select Linux for this tutorial.)

  2. Select the Linux distribution running on the Connector host.

  3. Copy the generated installation script.

  4. Run the installation script on the Linux system within the private network.

  5. Back in the Administration portal, click Generate Token.

  6. Copy the generated token.

  7. When prompted on the Connector host, paste the token to launch the openvpn-connector-setup process.

  8. Complete the Connector setup on the Linux system.

  9. Return to the Administration portal and verify that the Connector successfully connects to CloudConnexa.

Step 5: Configure trusted applications

Configure the trusted domains and application access rules that users are allowed to access through CloudConnexa.

Tip

If you don't need to configure Applications, you can continue to the next step to configure IP Services.

  1. On the Add Application step, click Add Application.

  2. In the Add Application dialog, configure the Application settings:

    • Name — Enter a name for the Application.

    • Description (optional) — Enter a description for the Application.

    • Domain — Enter the domain name users are allowed to access.

  3. Configure optional domain settings as needed:

    • Allow Embedded IP — Enable if you want to allow embedded IP-based domain resolution.

    • Exact Match — Enable if the Application should apply only to the exact domain entered and not its subdomains.

    • Add another domain — Add additional domains to the same Application if needed.

  4. Configure the Application Type (Network) protocols:

    • Select All to allow all protocols.

    • Select Custom to allow only specific protocols or ports.

  5. If using Custom, select the required protocols or services, such as HTTP, HTTPS, DNS, FTP, TCP, UDP, or ICMP.

  6. Configure specific ports or protocol types if required.

  7. Click Add Application.

  8. Repeat these steps to add additional trusted applications as needed.

Use these steps to add approved public domains such as cnn.com, .mil, .gov, and linkedin.com. These Applications allow users to access only approved, trusted internet destinations through CloudConnexa.

Step 6: Configure IP Services

Configure IP Services to allow access to specific IP addresses, subnets, or protocol-based services hosted within the protected network.

  1. On the Add IP Service step, click Add IP Service.

  2. In the Add IP Service dialog, configure the service settings:

    • Name — Enter a name for the IP Service.

    • Description (optional) — Enter a description for the IP Service.

  3. Configure the service definition:

    • Service Type — Configure the service to allow HTTPS.

  4. Configure the traffic behavior:

    • Use as Source — Enable this option if the IP Service originates traffic and you want to control its allowed destinations using Access Groups.

  5. Enter the destination details:

    • IP Address or Subnet — Enter the IPv4 subnet range associated with app_network.

  6. Click Add IP Service.

This configuration allows HTTPS access to private applications hosted within the protected network.

Together, the configured Applications and IP Services ensure:

  • HTTPS access to private applications.

  • Access to approved public domains only.

  • All other internet traffic remains blocked.

Step 7: Configure Access Groups

Configure Access Groups to control which users can access the protected applications and services.

Note

In this example, a user group named Management is used for management employees who should only access approved applications and trusted internet destinations.

  1. On the Access Groups step, select one of the following:

    • Select an existing Access Group

    • Click Add Access Groups to create a new one.

  2. If creating a new Access Group:

    • Enter a name for the Access Group.

    • Enter an optional description.

  3. Configure access to the protected Network:

    • Add the Management user group as the source.

    • Add app_network as the destination.

  4. If editing an existing Access Group:

    • Add the Management user group as the source.

    • Add app_network as the destination.

  5. Click Finish to complete the Network Configuration Wizard.

This configuration ensures:

  • Only authorized users can access protected resources.

  • Access is restricted to approved applications, services, and destinations.

  • All other traffic remains blocked by policy.

Step 8: Configure private DNS servers

Configure CloudConnexa to use the organization's private DNS servers so users can resolve private domain names while connected.

  1. Navigate to Settings → DNS.

  2. Click Edit DNS Server Details.

  3. Configure a Custom DNS configuration with the IP addresses of your private DNS servers used by the protected network.

  4. Save the changes.

This allows connected users to resolve private domains hosted within the protected network.

Step 9: Configure manual profile distribution

Disable automatic profile distribution to maintain tighter control over device enrollment.

  1. Navigate to Settings → Users.

  2. Click Edit.

  3. Set Profile Distribution to Manual.

  4. Click Update and Confirm.

With manual profile distribution enabled:

  • Users can't automatically enroll devices using credentials alone.

  • Administrators control which devices receive connection profiles.

Step 10: Add user and devices

Add users and provision approved devices.

  1. Add the management employees as users. Refer to Add a User.

  2. Assign each user to the Management user group.

  3. To add a device, click the user.

  4. Click the Devices tab.

  5. Click Add Device, and enter the details.

  6. Download the device profile for each approved device.

    • The device profile is the connection profile for the next step.

Step 11: Configure user devices

Install OpenVPN Connect and configure the approved devices.

  1. Install OpenVPN Connect on each managed device.

  2. Import the downloaded connection profile into OpenVPN Connect.

  3. Configure endpoint management policies to automatically connect to CloudConnexa whenever a network connection is active.

After setup:

  • Devices automatically connect to CloudConnexa.

  • Internet traffic is securely tunneled.

  • General internet access is blocked.

  • Only approved applications and trusted domains remain accessible.

List of All Internet Security Tutorials

List of All Internet Security Videos

In this section:
See also: