Tutorial: Steer Traffic To Specific Internet Destinations Through CloudConnexa

Abstract

Learn how to use CloudConnexa to securely route traffic to specific SaaS applications and internet destinations while keeping Split Tunnel On enabled for general internet access.

Overview

This tutorial demonstrates how to securely route traffic to specific internet destinations through CloudConnexa while allowing all other internet traffic to continue using the local internet connection.

This approach is useful when organizations want to:

  • Secure access to specific SaaS applications.

  • Restrict SaaS access to trusted corporate IP addresses.

  • Avoid tunneling all internet traffic through CloudConnexa.

  • Maintain Split Tunnel On behavior for general internet access.

With this configuration:

  • Traffic to approved SaaS applications and private resources is routed through CloudConnexa.

  • All other internet traffic continues using the user's local internet connection.

  • SaaS applications can restrict access to trusted corporate IP addresses for additional security.

This tutorial uses a private network with a deployed Connector to securely route traffic for selected SaaS domains through CloudConnexa.

Note

This tutorial covers Split Tunnel On (Level-1 Security), in which specific destinations are steered into the CloudConnexa tunnel, while other traffic routes locally.

If your requirement is the reverse — routing all traffic through CloudConnexa by default, with specific subnets excluded — refer to About Tunnel Bypass, which is available when Internet Access is set to Split Tunnel Off or Restricted Internet.

Before you begin

Before starting this tutorial, ensure you have:

  • A CloudConnexa account and Cloud ID.

  • A private network with internet connectivity.

  • A Linux system available for Connector deployment within the private network.

  • Permission to install and configure a Connector on the server.

  • OpenVPN Connect available for testing connectivity.

  • The domain names of the SaaS applications you want to secure.

This tutorial includes:

  1. Creating a Network.

  2. Configuring SaaS application routes.

  3. Deploying a Connector.

  4. Connecting users to CloudConnexa.

  5. Verifying routed SaaS traffic behavior.

Step 1: Create a Network for SaaS traffic routing

Create a Network that will securely route traffic to approved SaaS applications and internal resources.

To start the process using the network configuration wizard, follow these steps:

  1. Navigate to Networks → Networks.

  2. Click Add Network.

  3. Select Remote Access, then click Continue.

  4. Configure the Network settings:

    • Name — Enter a name (for example, saas_network).

    • Description (optional) — Enter a description.

  5. Configure the Connector settings:

    • Connector Tunneling Protocol — Leave the default value of OpenVPN selected unless you specifically require IPsec.

    • Connector Name — Enter a name for the Connector.

    • Connector Description (optional) — Enter a description for the Connector.

    • Region — Select the Region closest to you.

  6. Click Next.

Step 2: Deploy the Connector

Deploy a Connector on the network that will provide internet access.

  1. The Connector Details page displays. Click the Provider Type, then select where you'll deploy your Connector.

  2. Use the guided deployment steps provided in the network configuration wizard.

  3. Complete the Connector installation.

  4. Click Next to verify that the Connector is online.

Step 3: Configure SaaS applications

Configure the SaaS application domains that should route through CloudConnexa.

  1. On the Add Application step, click Add Application.

  2. Configure the Application settings:

    • Name — Enter an application name, for example, Salesforce.

    • Description (optional) — Provide a description.

    • Domain — Add the domain, such as salesforce.com.

    • Application Type — Select specific protocols or leave the default value.

  3. Save the configuration and add other approved domains as required.

    Tip

    Subdomains don't need to be configured separately unless different routing behavior is required.

  4. Click through to finish the network wizard. Alternatively, you can configure IP Services and Access Groups if desired.

After configuration:

  • Traffic destined for those SaaS domains is routed through CloudConnexa.

  • Other internet traffic continues routing locally.

Step 4: Add users

Add users who should securely access the SaaS applications.

  1. Navigate to Users → Users.

  2. Add users manually or configure SAML or LDAP authentication.

  3. If you include an invitation email to users:

    • Users automatically receive onboarding instructions.

    • Users can download OpenVPN Connect and import connection profiles.

  4. If you don't include an invitation email to users, provide your users with:

    • The User portal URL.

    • Their username.

    • A temporary password.

Step 5: Connect and test traffic routing

Connect a user device to CloudConnexa and verify that only approved SaaS traffic traverses the tunnel.

  1. Install OpenVPN Connect on the test device.

  2. Import the profile using your Cloud ID and user credentials.

  3. Connect to CloudConnexa.

  4. Verify the device's general internet traffic still uses the local internet connection:

    • Search for "what is my IP" in a browser.

    • Confirm the displayed public IP address matches the local internet connection.

  5. Access one of the configured SaaS applications.

  6. Review the SaaS application's audit or login logs.

  7. Confirm the logged public IP address matches the company network's public IP addresses. This verifies that:

    • SaaS application traffic traverses CloudConnexa.

    • General internet traffic continues routing locally.

    • Split Tunnel On behavior remains active.

Step 6: Restrict SaaS application access by source IP (optional)

Further secure SaaS access by allowing logins only from the WPC public IP address. To restrict SaaS access, follow these steps:

  1. From your CloudConnexa administration portal, navigate to Networks → Connectors.

  2. Take note of the Tunnel IP Address for your configured connector.

  3. Sign in to the SaaS application's administration site.

  4. Open the administrative security settings.

  5. Configure an allowlist or trusted IP policy.

  6. Allow access only from the company network's public IP address for your connector as noted earlier.

  7. Save the configuration.

    • SaaS logins are now permitted only from the trusted corporate IP address.

    • Compromised credentials alone are insufficient for access.

For example, Salesforce supports trusted IP restrictions using login IP ranges.
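
The log review in Step 5 and the pre-enforcement check for Step 6 can be scripted. The following is an added example, not part of the CloudConnexa documentation: it classifies the source IPs in a SaaS login-history export against the trusted egress address, so you can see which users would be locked out before the allowlist is saved. The CSV column names, the sample rows and the 203.0.113.10 egress address are constructed assumptions; adjust them to your SaaS application's export.

```python
import csv
import io
import ipaddress

# Assumed company-network public IP as seen by the SaaS app (documentation range).
TRUSTED_EGRESS = ["203.0.113.10/32"]

# Constructed login-history export; column names are assumptions.
SAMPLE_LOGIN_CSV = """timestamp,username,source_ip,status
2024-05-01T08:02:11Z,alice@example.com,203.0.113.10,Success
2024-05-01T08:15:42Z,bob@example.com,198.51.100.77,Success
2024-05-01T09:01:03Z,alice@example.com,::ffff:203.0.113.10,Success
2024-05-01T09:30:19Z,carol@example.com,not-an-ip,Failed
2024-05-01T10:12:50Z,bob@example.com,203.0.113.10,Success
"""


def audit_logins(csv_text, trusted_cidrs):
    """Split login rows into trusted, untrusted and unparseable source IPs."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    result = {"trusted": [], "untrusted": [], "invalid": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("source_ip") or "").strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # Keep malformed rows visible instead of silently dropping them.
            result["invalid"].append(row)
            continue
        # Some exports log IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        bucket = "trusted" if any(addr in n for n in nets) else "untrusted"
        result[bucket].append(row)
    return result


def users_outside_tunnel(result):
    """Users with at least one login that did not arrive via the trusted IP."""
    return sorted({row["username"] for row in result["untrusted"]})


if __name__ == "__main__":
    report = audit_logins(SAMPLE_LOGIN_CSV, TRUSTED_EGRESS)
    for row in report["untrusted"]:
        print("outside tunnel:", row["timestamp"], row["username"], row["source_ip"])
    print("users to follow up before enforcing:", users_outside_tunnel(report))
```

A user listed here reached the SaaS application over the local internet connection, which usually means the device was not connected to CloudConnexa or the application's domain is not configured as a route.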