Secure SaaS Applications with IP Allowlisting

Protect SaaS Applications by enabling Device Trust and Continuous Authorization via IP Allowlisting

  • Updated on May 17, 2024

Overview

Service Tunnels use WireGuard to create fast, secure tunnels utilizing state-of-the-art cryptography. A service tunnel provides network-level connectivity into private networks as well as the public internet. When you specify the Public CIDRs and/or Public Domains that comprise a SaaS application in your service tunnel configuration, traffic to that SaaS application automatically flows over the tunnel and egresses with the IP address of your Edge.

For Self-hosted Private Edge deployments, traffic to Public CIDRs and Public Domains flows through the selected Access Tier(s).

For Global Edge deployments, traffic to Public CIDRs and Public Domains flows through the Global Edge Network.

Specifying IP Allowlists

Most SaaS applications provide a security configuration that allows you to restrict connectivity to your tenant to specified IP address ranges. SaaS vendors use different terminology to refer to IP Allowlisting.

Example 1: Salesforce

In Salesforce, you can restrict access to specific IP ranges by updating the Login IP Ranges setting.

Example 2: Mongo Cloud

In Mongo Cloud, you can restrict access to specific IP ranges by updating the IP Access List setting.

In both of the examples above, access has been restricted to the fictitious IP range 1.2.3.4/32.

Edge Network IP Address

The IP addresses with which service tunnel traffic egresses your Banyan Edge Network depend on your deployment model.

For Self-hosted Private Edge deployments, traffic to Public CIDRs and Public Domains flows through the selected Access Tier(s). Your Egress IPs match those of your Access Tier(s).

For Global Edge deployments, traffic to Public CIDRs and Public Domains flows through the Global Edge Network. Your Egress IPs will be those used by the Global Edge Network and are documented here.
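A pre-flight check for the allowlist described above, written as an added example and not Banyan's own tooling: it compares the ranges you plan to enter in the SaaS application against your Edge egress IPs before you enforce them. Apart from the page's fictitious 1.2.3.4/32, the addresses are constructed sample values, and `audit_allowlist` and `safe_to_enforce` are hypothetical helper names.

```python
import ipaddress


def audit_allowlist(allowlist_cidrs, egress_ips, max_addresses=256):
    """Compare a planned SaaS IP allowlist with the Edge egress IPs.

    uncovered: egress IPs matched by no entry (tunnel users would be locked out)
    stray:     entries containing no egress IP (a path that skips the tunnel)
    too_broad: entries spanning more than max_addresses addresses
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allowlist_cidrs]
    ips = [ipaddress.ip_address(i) for i in egress_ips]
    return {
        "uncovered": [str(ip) for ip in ips if not any(ip in n for n in nets)],
        "stray": [str(n) for n in nets if not any(ip in n for ip in ips)],
        "too_broad": [str(n) for n in nets if n.num_addresses > max_addresses],
    }


def safe_to_enforce(report):
    """True only when every finding list in the report is empty."""
    return not any(report.values())


# Constructed sample data (assumption): 1.2.3.4/32 is the page's fictitious
# range; the other values are documentation or private ranges used as stand-ins.
PLANNED_ALLOWLIST = ["1.2.3.4/32", "203.0.113.0/24", "10.0.0.0/8"]
EDGE_EGRESS_IPS = ["1.2.3.4", "198.51.100.7"]

if __name__ == "__main__":
    report = audit_allowlist(PLANNED_ALLOWLIST, EDGE_EGRESS_IPS)
    for finding, values in report.items():
        print(f"{finding}: {values or 'none'}")
    print("safe to enforce:", safe_to_enforce(report))
```

An `uncovered` finding means tunnel users egressing from that address would be rejected by the SaaS tenant; a `stray` or `too_broad` finding means the tenant would still accept logins that did not pass through the Edge.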


What’s next

Once you’ve enabled IP Allowlisting for a given SaaS Application by configuring the network access setting in the SaaS application, review our article on tunneling the SaaS application traffic over a Service Tunnel.