Tutorial: Learn About the Levels of Security Afforded by the Use of Various Internet Access Options
Learn the differences between Split Tunnel On, Split Tunnel Off, and Restricted Internet in CloudConnexa, including traffic routing, security trade-offs, Cyber Shield protections, and Tunnel Bypass behavior.
Overview
CloudConnexa provides multiple Internet Access modes that determine how internet-bound traffic is routed and secured.
This tutorial helps you:
Understand the differences between Split Tunnel On, Split Tunnel Off, and Restricted Internet.
Evaluate the security trade-offs of each mode.
Learn how trusted traffic and internet gateways work.
Determine which configuration best fits your organization's security requirements.
Understanding these modes helps you choose the right balance between:
Security.
Performance.
Internet access flexibility.
Traffic inspection and monitoring.
By the end of this tutorial, you should understand which Internet Access mode is most appropriate for your users, networks, and security posture.
Before you begin
Before selecting an Internet Access mode, ensure you understand:
How your users access the internet.
Whether all traffic should be inspected.
Whether users require unrestricted internet access.
Whether specific trusted destinations should remain accessible.
Whether users need access to local resources outside the CloudConnexa tunnel.
You should also understand:
Split tunnel behavior
Step 1: Identify your internet security requirements
Determine how your organization wants internet traffic handled. Consider questions such as:
Should all internet traffic be inspected?
Should users access the public internet freely?
Should access be limited to approved destinations only?
Are there compliance or monitoring requirements?
Do users need access to local resources outside the tunnel?
CloudConnexa treats configured Applications, IP Services, and private network destinations as trusted traffic. Trusted destinations can include:
Private networks.
Public domains.
Public IP ranges.
SaaS applications.
Internal applications.
Traffic destined for trusted resources can be securely routed through CloudConnexa regardless of the selected Internet Access mode.
Step 2: Compare Internet Access modes
CloudConnexa supports three primary Internet Access modes. Evaluate each mode to determine which best fits your organization's requirements.
Split Tunnel On (Security Level 1)
With Split Tunnel On:
Traffic to trusted destinations is tunneled through CloudConnexa.
All other internet traffic exits directly through the user's local internet connection.
This mode is useful when you want to:
Protect access to specific SaaS applications.
Secure traffic to selected public resources.
Minimize bandwidth usage through CloudConnexa.
Advantages
Lower bandwidth consumption through CloudConnexa.
Better performance for general internet traffic.
Secure routing for trusted destinations.
Considerations
General internet traffic bypasses CloudConnexa.
Third-party security inspection applies only to trusted tunneled traffic.
Cyber Shield effectiveness
Cyber Shield Domain Filtering: Effective because DNS filtering works regardless of whether traffic traverses the tunnel.
Cyber Shield Traffic Filtering (IDS/IPS): Less effective because only trusted tunneled traffic passes through CloudConnexa for inspection.
Split Tunnel Off (Security Level 2)
With Split Tunnel Off:
All internet traffic is tunneled through CloudConnexa.
Traffic exits through one or more Networks configured as internet gateways.
This mode allows organizations to:
Inspect all internet traffic.
Apply centralized security controls.
Enforce corporate internet policies.
Route traffic through third-party security stacks such as:
Secure Web Gateways
UTM appliances
CASB platforms
IDS/IPS systems
Advantages
All traffic is tunneled and inspectable.
Centralized internet security enforcement.
Full traffic visibility.
Considerations
Increased bandwidth usage through CloudConnexa.
Internet performance depends on gateway infrastructure and routing.
Tip
Tunnel Bypass can be used with Split Tunnel Off to allow traffic to specific subnets to bypass CloudConnexa and route locally.
This reduces the scope of traffic CloudConnexa inspects for those subnets — a deliberate trade-off the administrator accepts when configuring exceptions. Refer to About Tunnel Bypass.
Cyber Shield effectiveness
Cyber Shield Domain Filtering: Effective because DNS filtering applies to all traffic.
Cyber Shield Traffic Filtering (IDS/IPS): Highly effective because all internet traffic traverses CloudConnexa.
Restricted Internet (Security Level 3)
With Restricted Internet:
All general internet access is blocked.
Only trusted destinations are allowed.
Trusted traffic is tunneled through CloudConnexa.
This mode provides the strictest internet access control.
Restricted Internet is commonly used for:
Highly regulated organizations.
Managed corporate devices.
Educational environments.
IoT deployments.
Locked-down application servers.
Advantages
Prevents access to unauthorized internet destinations.
Reduces exposure to malware, phishing, and malicious content.
Limits communication to approved destinations only.
Reduces reliance on additional perimeter security devices.
Considerations
Users can access only explicitly approved destinations.
Requires careful planning and maintenance of trusted destinations.
Tip
Tunnel Bypass can also be used with Restricted Internet to allow traffic to specific subnets to route locally, while all other internet traffic remains blocked or tunneled as configured. Refer to About Tunnel Bypass.
Cyber Shield effectiveness
Cyber Shield Domain Filtering: Less relevant because all allowed destinations are already explicitly trusted.
Cyber Shield Traffic Filtering (IDS/IPS): Still useful because it can detect malicious traffic originating from compromised endpoints.
Step 3: Evaluate security trade-offs
Review the operational and security implications of each Internet Access mode. The following table summarizes the relative security posture of each configuration.
| Internet Access mode | Security level | Internet routing behavior | Traffic inspection |
|---|---|---|---|
| Split Tunnel On | Level 1 | Only trusted traffic traverses CloudConnexa | Partial |
| Split Tunnel Off | Level 2 | All traffic traverses CloudConnexa | Full |
| Restricted Internet | Level 3 | Only approved destinations are reachable | Full + restrictive |
In general:
Split Tunnel On prioritizes flexibility and performance.
Split Tunnel Off prioritizes inspection and centralized control.
Restricted Internet prioritizes strict access limitation and security hardening.
When evaluating modes, consider:
Security requirements.
Bandwidth usage.
User experience.
Regulatory requirements.
Internet inspection needs.
Access restrictions.
Local routing requirements.
Step 4: Configure and test your chosen Internet Access mode
After selecting the appropriate Internet Access mode, configure CloudConnexa accordingly.
Configure Internet Access for the required user groups, networks, or hosts.
Configure internet gateways if using Split Tunnel Off.
Configure Applications or IP Services for trusted destinations.
Optionally configure Tunnel Bypass exceptions for supported modes.
Connect test users and devices.
Verify routing behavior and internet access policies.
Validate DNS resolution and traffic inspection behavior.
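The following is an added example, not part of the CloudConnexa documentation or product code: a simplified Python model of the routing described in Step 2 that produces the expected outcome for each test destination, so the result can be compared with what test users observe when verifying routing behavior. The mode identifiers, sample hosts, and addresses are constructed, and both the subdomain matching and the evaluation of Tunnel Bypass only for non-trusted destinations are assumptions.

```python
import ipaddress
from dataclasses import dataclass

MODES = ("split_tunnel_on", "split_tunnel_off", "restricted_internet")  # labels chosen here

@dataclass(frozen=True)
class Policy:
    mode: str
    trusted_domains: tuple = ()   # domains of configured Applications
    trusted_nets: tuple = ()      # IP Services / private networks (CIDR)
    bypass_nets: tuple = ()       # Tunnel Bypass subnets (CIDR)

def _in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def _is_trusted(policy, host, ip):
    host = host.lower().rstrip(".")
    # Assumption: a trusted domain also covers its subdomains.
    by_name = any(host == d or host.endswith("." + d) for d in policy.trusted_domains)
    return by_name or _in_nets(ip, policy.trusted_nets)

def expected_path(policy, host, ip):
    """Return (path, inspectable). path is 'tunnel', 'local' or 'blocked';
    inspectable is True when the flow traverses CloudConnexa."""
    if policy.mode not in MODES:
        raise ValueError(f"unknown mode: {policy.mode}")
    if _is_trusted(policy, host, ip):
        return ("tunnel", True)       # trusted traffic is tunneled in every mode
    # Assumption: Tunnel Bypass is evaluated only for non-trusted destinations.
    if policy.mode == "split_tunnel_on" or _in_nets(ip, policy.bypass_nets):
        return ("local", False)       # exits via the user's own connection
    if policy.mode == "split_tunnel_off":
        return ("tunnel", True)       # exits via an internet gateway Network
    return ("blocked", False)         # Restricted Internet: not an approved destination

def routing_matrix(policy, destinations):
    return {host: expected_path(policy, host, ip) for host, ip in destinations}

# Constructed sample destinations (reserved documentation and private ranges).
DESTINATIONS = [
    ("crm.example.com", "203.0.113.10"),    # trusted by domain
    ("intranet.corp", "10.20.0.5"),         # trusted by network
    ("printer.lan", "192.168.1.50"),        # inside a Tunnel Bypass subnet
    ("news.example.org", "198.51.100.7"),   # general internet
]
BASE = dict(trusted_domains=("example.com",), trusted_nets=("10.20.0.0/16",),
            bypass_nets=("192.168.1.0/24",))

if __name__ == "__main__":
    for mode in MODES:
        print(mode, routing_matrix(Policy(mode=mode, **BASE), DESTINATIONS))
```

Any row where the observed path differs from the expected one, or where a destination listed as local was meant to be inspected, is worth reviewing before rollout.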