DNS and Routing for Service Tunnels

How DNS and traffic routing works when using Service Tunnel
Updated On: Jun 30, 2025

For Self-hosted Private Edge deployments, Private CIDRs and Private Domains are specified when defining your private network by installing an Access Tier. Most organizations have multiple private networks, and so will install multiple Access Tiers. Traffic to Public CIDRs and Public Domains flows through whichever Access Tier(s) you select.

Setup:

As in the diagram above, a user needs to access the resource nginx.bnn.local in the private network. The user also needs to be on the tunnel to reach an IP-allowlisted internet website at sub.example.com (a site that only admits traffic from approved source IP addresses).

The Access Tier spec has 10.0.0.0/16 set as its Private CIDRs and bnn.local set as a Private Domain. sub.example.com is set as a Public Domain Include in the Service Tunnel spec. The user uses the app to connect to the Service Tunnel.

Steps (a1-a4) to access a private resource:

  1. The user on the device makes a request for the private resource (at nginx.bnn.local). The app running on the device has configured local DNS on the device to intercept requests for the bnn.local domain.

  2. The DNS request flows through the Access Tier to the private DNS server for resolution. The private DNS server returns the private IP address (10.0.1.2).

  3. Since a route for the entire private network (10.0.0.0/16) that this private resource belongs to already exists on the device, traffic to the private resource flows over the tunnel to the Access Tier.

  4. The Access Tier forwards the requests to the private resource (nginx.bnn.local).

Steps (b1-b4) to access an internet resource:

  1. The user on the device makes a request for the internet resource (at sub.example.com). The app running on the device has configured local DNS on the device to intercept requests for the example.com domain.

  2. The DNS request flows through the Access Tier to the private DNS server for resolution. The private DNS server returns the public IP address of the internet resource (25.25.2.3).

  3. The app dynamically adds a route for the public IP address, and traffic to the internet resource flows over the tunnel to the Access Tier.

  4. The Access Tier forwards the requests to the internet resource (sub.example.com). The source IP address seen by the internet resource is that of the Access Tier, not that of the user's device.

An example of a split tunnel configuration is depicted in the image below. The tunnel configuration covers private domains such as ec2.internal and medsoft.local as well as public domains such as salesforce.com and fast.com. DNS for both private and public domains specified in the tunnel will be resolved at the Access Tier Datacenter-USEast.
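The following Python model walks through steps a1-a4 and b1-b4 above and the split-tunnel behaviour just described for one device. It is an added illustration, not code from the product or this documentation: the `AccessTier` and `Device` classes, the `access()` function, the suffix-matching rule for intercepted domains, and the Access Tier egress address 203.0.113.10 and device address 198.51.100.7 are all constructed assumptions; the private DNS answers are a stand-in table using the addresses from the walkthrough. It shows the one difference that matters between the two paths: a private address is already covered by the Private CIDR route installed at connect time, whereas a public address only gets a host route after the name has been resolved through the Access Tier, and both end up leaving with the Access Tier's source address.

```python
import ipaddress
from dataclasses import dataclass, field


def domain_matches(name: str, domain: str) -> bool:
    """True when name equals the configured domain or is a subdomain of it.
    Assumption: the app intercepts the configured suffix and everything below it."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


@dataclass
class AccessTier:
    name: str
    private_cidrs: list           # networks routed over the tunnel at connect time
    private_domains: list         # DNS suffixes resolved by the private DNS server
    public_domain_includes: list  # Service Tunnel spec: public names pulled into the tunnel
    private_dns: dict             # constructed stand-in for the private DNS server's answers
    public_ip: str                # address internet resources see for tunneled traffic


@dataclass
class Device:
    public_ip: str
    tunnel_routes: list = field(default_factory=list)  # networks sent over the tunnel

    def connect(self, tier: AccessTier) -> None:
        # On connect the app installs one route per Private CIDR (the 10.0.0.0/16
        # route that step a3 relies on). Public includes get no route yet.
        self.tunnel_routes = list(tier.private_cidrs)

    def routed_via_tunnel(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.tunnel_routes)

    def add_host_route(self, ip: str) -> None:
        # Step b3: a /32 for the resolved public address is added dynamically.
        host = ipaddress.ip_network(ip + "/32")
        if host not in self.tunnel_routes:
            self.tunnel_routes.append(host)


def access(device: Device, tier: AccessTier, name: str) -> dict:
    """Walk steps 1-4 for one hostname and report the DNS path, route and source IP."""
    intercepted = any(domain_matches(name, d)
                      for d in tier.private_domains + tier.public_domain_includes)
    if not intercepted:
        # Step 1: nothing matched, so the device's normal resolver answers and the
        # traffic leaves directly, exposing the device's own address.
        return {"name": name, "dns": "local resolver", "ip": None,
                "route": "direct", "source_ip": device.public_ip}
    # Step 2: the query is forwarded through the Access Tier to the private DNS server.
    ip = tier.private_dns.get(name)
    if ip is None:
        return {"name": name, "dns": tier.name, "ip": None,
                "route": "unresolved", "source_ip": None}
    # Step 3: private addresses are already covered by a CIDR route; public ones
    # get a host route added now.
    if device.routed_via_tunnel(ip):
        route = "existing private CIDR route"
    else:
        device.add_host_route(ip)
        route = "dynamic host route added"
    # Step 4: the Access Tier forwards, so the resource sees the tier's address.
    return {"name": name, "dns": tier.name, "ip": ip,
            "route": route, "source_ip": tier.public_ip}


# Constructed configuration mirroring the walkthrough values on this page.
TIER = AccessTier(
    name="Datacenter-USEast",
    private_cidrs=[ipaddress.ip_network("10.0.0.0/16")],
    private_domains=["bnn.local"],
    public_domain_includes=["sub.example.com"],
    private_dns={"nginx.bnn.local": "10.0.1.2", "sub.example.com": "25.25.2.3"},
    public_ip="203.0.113.10",  # constructed: the Access Tier's egress address
)


def walkthrough() -> list:
    """Connect a device and access a private, an included public, and an unrelated name."""
    device = Device(public_ip="198.51.100.7")  # constructed: the user's own egress address
    device.connect(TIER)
    return [access(device, TIER, n)
            for n in ("nginx.bnn.local", "sub.example.com", "www.example.org")]


if __name__ == "__main__":
    for result in walkthrough():
        print(result)
```

The third lookup, www.example.org, is deliberately outside both the Private Domains and the Public Domain Includes: it stays on the device's local resolver and direct route, which is what distinguishes a split tunnel from a full tunnel and is the case to check when a site unexpectedly sees the user's own address rather than the Access Tier's.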