Resource Exclusion

Set addresses to bypass Twingate.

Bypass Twingate

Route specific addresses within a Resource directly to their destination, skipping Twingate Connectors and Relay infrastructure entirely.

Every Resource has a Routing Mode setting. By default, Resources route Through Twingate: traffic is proxied through Twingate Connectors, Security Policies apply, and network events are generated. Setting a Resource’s Routing Mode to Bypass Twingate sends its traffic directly to the local OS routing table instead: no Connector or Relay is involved, no Security Policy is evaluated, and no network events are generated. DNS filtering and OS-level internet security still apply.

Resource exclusions are designed for carving exceptions out of a broader Resource without restructuring your topology. For example, if *.corp.example.com is configured as a Resource, but status.corp.example.com is a public status page that shouldn’t be proxied, you can set that one address to bypass while the rest of the wildcard stays tunneled through Twingate. Excluded Resources are also not Connector-dependent, so they remain reachable even if every Connector in a Remote Network is offline.

Configuration

Admin Console

  • Open the Resource creation modal, or edit an existing Resource.
  • Under Routing Mode, select Bypass Twingate.
  • Enter a specific FQDN or IP address. Wildcards and CIDR ranges aren’t accepted for excluded Resources.
  • Save. The address becomes active on any Client at or above the minimum supported version.

Port restrictions aren’t available for excluded Resources. The port section is hidden once Bypass Twingate is selected.

API

Add routingMode: BYPASS_TWINGATE to a createResource or updateResource mutation. The field defaults to THROUGH_TWINGATE if omitted. Server-side validation rejects wildcard addresses and Identity Firewall (ID-FW) Resource types.

REST

Include "routing_mode": "bypass_twingate" in the Resource payload. Defaults to "through_twingate" if omitted.

Identifying Excluded Resources

  • Add the Routing Mode column to the Resources data grid via the “add column” menu. This column is not shown by default.
  • A bypass icon appears inline in the Resource name cell regardless of column visibility.
  • Filter by Routing Mode (Through Twingate / Bypass Twingate) to manage each set separately.

What Bypass doesn’t change

  • Remote Network association. Excluded Resources still belong to a Remote Network for organizational purposes.
  • Aliases. An alias on an excluded Resource also bypasses Twingate.
  • DNS filtering and OS-level internet security. Both continue to be enforced on excluded Resources.
  • Audit logging. Every change to a Resource’s Routing Mode (including who made it and the before/after values) is captured in the audit log, even though the resulting traffic generates no network events.

Limitations

Address types

Excluded Resources must be a specific FQDN or IP address. Wildcards and CIDR ranges are blocked at both the UI and API level to prevent routing loops.

Ports

Port-level restrictions can’t be applied to an excluded Resource.

Visibility and observability

No network events are generated for excluded Resources, since their traffic never reaches Twingate infrastructure. Security Policies and JIT / usage-based access options are hidden in the UI for excluded Resources. Ephemeral Access can still be configured for excluded Resources.

Identity Firewall

Identity Firewall Resources can’t be set to Bypass. Identity Firewall requires per-user identity evaluation, which is incompatible with bypassing Twingate. This is blocked at both the API and UI level.

Client visibility

Excluded Resources are applied silently and don’t appear in the Client’s Resource list or trigger an authentication prompt.

Client version support

Excluded Resources are only supported by Clients at or above the minimum supported versions:

  • macOS 2026.182
  • iOS 2026.182
  • Android 2026.181
  • Linux 2026.188 (currently in latest)

Windows support will be rolling out soon.

Last updated 14 minutes ago