Location Requirements

Overview

Twingate can restrict access to protected Resources based on geographic location. Admins configure country-level allowlists or denylists on individual Resource Policies, controlling which locations can and cannot reach the Resources assigned to each policy.

Common Use Cases

• Blocking high-risk countries for compliance requirements
• Restricting access to countries where the organization has offices
• Limiting contractor access to known working locations

How Location Is Determined

Twingate uses IP address-based geolocation to determine a device’s location. IP addresses are mapped to geographic coordinates, which are truncated to two decimal places and then mapped to a country. Country mapping uses geographical boundary data from Natural Earth.

Geographic coordinates are obtained from a combination of MaxMind GeoLite2 data and Google Cloud load balancers. The accuracy of IP address-based geolocation varies and may not be precise in all cases.

Configuring Location Requirements

Open the Resource Policy you want to configure and click Enable next to Location Requirements.

Choose the restriction type:

• Allowlist: Only devices in the specified countries can access Resources protected by this policy. All other countries are blocked.
• Denylist: Devices in the specified countries are blocked from accessing Resources protected by this policy. All other countries are allowed.

Select the countries for the chosen restriction type.

Restricted Countries

Certain countries are always blocked due to embargoes or other legal restrictions and cannot be overridden:

• Cuba
• Iran
• North Korea
• Syria

These countries do not appear in the list of countries available for selection. Certain non-country regions are also always blocked.

Blocked Devices

Devices blocked from accessing a Resource due to geoblocking see an error message indicating that their location does not meet the policy requirements.