Add Resources
This page is only visible to organization administrators.
Cloud resources are the infrastructure components where EntryGuard manages IP rules. When users start sessions, their IP is whitelisted on all resources assigned to them through their roles.
Adding a Resource
- Navigate to Resources under the Admin section in the sidebar.
- Click Add Resource.
- Fill in the form:
  - Name — A descriptive name (e.g., "Production Database")
  - Credential — Select the cloud credential to use
  - Provider — AWS, GCP, AZURE, APISIX, or VERCEL
  - Resource Type — The type of resource (e.g., Security Group)
  - Resource Identifier — The cloud resource ID (e.g., sg-0abc123def456789)
  - Region — AWS region (e.g., eu-west-1) — optional depending on resource type
- Configure the resource-specific settings:
  - Security Group: Protocol (tcp/udp/icmp), From Port, and To Port
  - WAFv2 IP Set: IP Set Name and IP Set Scope (Regional or CloudFront)
  - APISIX Gateway: Gateway ID
  - Vercel Firewall Rule: Rule ID (the ID of the firewall rule to manage)
- Optionally set Active to Yes or No
- Click Create.
The resource appears in the resources table. Click Verify capacity to verify it can be managed by EntryGuard.
Resources Table
| Column | Description |
|---|---|
| Name | Resource display name |
| Provider | AWS, GCP, AZURE, or APISIX |
| Type | Security Group, IP Set, etc. |
| Identifier | Cloud resource ID |
| Credential | Associated credential name |
| Active | Whether the resource is active |
| Health | Verification status |
| Actions | Edit, Verify, Delete buttons |
Health Status Indicators
- Valid (green) — Resource verified and working
- Invalid (red) — Verification failed; check configuration
- Unverified (gray) — Not yet verified
Editing a Resource
- Click the Edit button (pencil icon) on the resource row.
- Modify the fields as needed.
- Click Save.
Deleting a Resource
Click the Delete button (trash icon) on the resource row.
You cannot delete a resource while active sessions are using it. Stop all sessions first.
How EntryGuard Manages Rules
When a user starts a session, EntryGuard adds an ingress rule to each assigned resource:
- IP Range: User's IP as /32 CIDR (e.g., 203.0.113.42/32)
- Protocol: As configured (default: TCP)
- Port: As configured (default: 443)
- Description: EntryGuard session {sessionId} - {userName}
EntryGuard never modifies or deletes existing rules it didn't create. Only rules with the EntryGuard description pattern are managed.
Managing Multiple Ports
To whitelist multiple ports on the same Security Group, create separate resources with different port configurations. For example:
- "App Server - HTTPS" → sg-0abc123, port 443
- "App Server - SSH" → sg-0abc123, port 22
Both resources reference the same Security Group but manage different ports.
Common Configurations
| Use Case | Port | Protocol |
|---|---|---|
| HTTPS Web Server | 443 | tcp |
| PostgreSQL | 5432 | tcp |
| MySQL/MariaDB | 3306 | tcp |
| SSH | 22 | tcp |
| Redis | 6379 | tcp |
Resource Limits by Plan
| Plan | Max Resources |
|---|---|
| Free | 3 |
| Paid | Unlimited (usage-based) |
IP Rule Capacity by Resource Type
Each cloud resource type has a maximum number of IP rules it can hold. Each active session adds one rule per resource per IP version (IPv4 and/or IPv6). Use Verify capacity to see how many rules a resource currently has versus its maximum.
| Resource Type | Default Max IP Rules | Adjustable | Notes |
|---|---|---|---|
| AWS Security Group | 60 inbound rules | Yes — via AWS Service Quotas | Counted separately for IPv4 and IPv6. Total rules × SGs per interface cannot exceed 1,000. |
| AWS WAFv2 IP Set | 10,000 addresses | Yes | Each IP Set is version-locked (IPv4 or IPv6, not both). |
| AWS Route Table | 500 routes | Yes — up to 1,000 | Counted separately for IPv4 and IPv6. Propagated routes have a separate limit of 100. |
| AWS Network ACL | 20 inbound rules | Yes — up to 40 | Increasing beyond 20 may impact network performance. |
| APISIX Route | No fixed limit | N/A | Depends on your APISIX server configuration. |
Custom Capacity Limits (Max Rules)
If you've requested a higher quota from AWS (e.g., increased Security Group inbound rules from 60 to 120), you can tell EntryGuard about it by setting the Max Rules field on the resource.
- Navigate to Resources and click Edit on the resource.
- Set the Max Rules field to your new quota (e.g., 120).
- Click Save, then Verify capacity.
EntryGuard will now show the correct capacity against your custom limit instead of the default. If the field is left empty, EntryGuard uses the default limits shown in the table above.
You only need to set Max Rules if you've changed the default AWS quota. Most users can leave this field empty.
If a resource reaches its maximum capacity, new sessions targeting that resource will fail to apply. Monitor the Health column and use Verify capacity regularly to check current usage.
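An added example (not EntryGuard's own code): auditing a Security Group's inbound rules against the description pattern from "How EntryGuard Manages Rules" and the per-IP-version capacity described above. It assumes input in the IpPermissions shape returned by aws ec2 describe-security-groups, a set of active session IDs that you supply, and session IDs without whitespace; audit_ingress and the sample data are hypothetical.

```python
import re

# Description format documented on this page. Assumption: the session ID
# contains no whitespace; adjust the pattern to your real IDs.
MANAGED = re.compile(r"^EntryGuard session (\S+) - (.+)$")

def audit_ingress(ip_permissions, active_sessions, max_rules=60):
    """Classify rules from the IpPermissions list of describe-security-groups."""
    report = {"managed": [], "unmanaged": [], "stale": [], "not_host_cidr": [],
              "count": {"ipv4": 0, "ipv6": 0}}
    for perm in ip_permissions:
        ranges = [("ipv4", r["CidrIp"], r) for r in perm.get("IpRanges", [])]
        ranges += [("ipv6", r["CidrIpv6"], r) for r in perm.get("Ipv6Ranges", [])]
        for family, cidr, r in ranges:
            report["count"][family] += 1  # capacity is counted per IP version
            rule = (cidr, perm.get("IpProtocol"), perm.get("FromPort"))
            m = MANAGED.match(r.get("Description") or "")
            if not m:
                report["unmanaged"].append(rule)  # rules EntryGuard leaves alone
                continue
            session_id, user = m.groups()
            entry = rule + (session_id, user)
            report["managed"].append(entry)
            if session_id not in active_sessions:
                report["stale"].append(entry)  # no matching active session
            if family == "ipv4" and not cidr.endswith("/32"):
                report["not_host_cidr"].append(entry)  # page says /32 per user
    report["free"] = {f: max_rules - n for f, n in report["count"].items()}
    return report

# Constructed sample in the AWS IpPermissions shape (not real data).
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [
         {"CidrIp": "203.0.113.42/32", "Description": "EntryGuard session s-1001 - alice"},
         {"CidrIp": "198.51.100.0/24", "Description": "EntryGuard session s-0999 - bob"},
         {"CidrIp": "192.0.2.10/32", "Description": "office VPN"}],
     "Ipv6Ranges": [
         {"CidrIpv6": "2001:db8::1/128", "Description": "EntryGuard session s-1001 - alice"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.0.2.20/32"}]},
]

if __name__ == "__main__":
    result = audit_ingress(SAMPLE, active_sessions={"s-1001"})
    for key in ("stale", "not_host_cidr", "unmanaged", "count", "free"):
        print(key, result[key])
```

Pass the resource's Max Rules value as max_rules when you have raised the AWS quota. Entries under stale or not_host_cidr carry the EntryGuard description but do not match what this page says EntryGuard creates, so they are worth reviewing by hand.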
Next Steps
API Reference: For programmatic access, see Create Resource.