Defining your private network

To use Gateway to control access to your private networks, you must first define those networks. Defining them lets you configure Gateway to apply least-privilege access and micro-segmentation when users reach your network resources. Gateway supports access to more than one private network (for example, network segments, data centers, and VPCs) in both on-premises and cloud environments. Gateway blocks users from connecting to any location in your private network unless the user is assigned an access control list (ACL) rule that allows the connection.

You define your private networks by adding a connector group for each private network on which you want users to access resources. If your Gateway service was enabled before July 2023 and included one or more Gateway Connectors, all of your existing connectors were moved to the "Default Connector Group". You can rename the default connector group, or add more groups and assign connectors to them as required.

Each tenant supports a maximum of eight connector groups.

Connector groups consist of the following:
  • The IP addresses, IP address ranges, and CIDR blocks that you specify for the group. Gateway Connectors treat these addresses as part of that private network.
  • The health check URL. This is unique to the group and is used by each Gateway Connector in the group to confirm connectivity to your private network.
  • Optional IP restrictions, which make Gateway accept connections only from connectors whose source IP addresses you specify.

To establish a secure tunnel between users' devices and a private network, you must install one or more Gateway Connectors and assign them to that network's group.

Each connector group supports a maximum of eight Gateway Connectors.

You can also specify the addresses of your private DNS servers and the private DNS suffixes used for searches. These DNS settings are global: they apply to the connectors in every group in your environment, but you add them to only one group.

In environments where more than one group defines overlapping destination IP addresses or address ranges, Gateway evaluates the connector groups in the order in which they are listed and uses the first group whose addresses match the destination IP. That group then routes the connection to the destination. Because matching is first-match in list order rather than most-specific, order the groups deliberately: a broad range listed first will capture traffic intended for a narrower range defined in a later group.
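The following is an added example that models the group definitions and the ordered first-match lookup described above; it is not Gateway's own code or API. The group names, addresses, health check URLs, connector names and DNS values are constructed for illustration. It also includes a pre-deployment check for the limits stated on this page and for address blocks that an earlier group would shadow.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Limits stated on the page.
MAX_GROUPS_PER_TENANT = 8
MAX_CONNECTORS_PER_GROUP = 8


@dataclass
class ConnectorGroup:
    """Illustrative model of a connector group (hypothetical, not Gateway's schema)."""
    name: str
    address_specs: List[str]                # single IPs, CIDR blocks, or "start-end" ranges
    health_check_url: str
    connectors: List[str] = field(default_factory=list)            # connector names
    allowed_connector_ips: List[str] = field(default_factory=list)  # IP restrictions
    dns_servers: List[str] = field(default_factory=list)           # global; set on one group only
    dns_suffixes: List[str] = field(default_factory=list)

    def networks(self):
        return parse_address_specs(self.address_specs)


def parse_address_specs(specs):
    """Turn the three address forms the page lists into ip_network objects."""
    nets = []
    for spec in specs:
        if "-" in spec:  # explicit range, e.g. 172.16.5.1-172.16.5.9
            lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:            # single IP or CIDR block
            nets.append(ipaddress.ip_network(spec, strict=False))
    return nets


def resolve_group(groups, destination):
    """First-match lookup in listed order; returns the group name, or None if no group matches."""
    ip = ipaddress.ip_address(destination)
    for g in groups:
        if any(ip in net for net in g.networks()):
            return g.name
    return None


def shadowed_networks(groups):
    """Report address blocks of a later group that an earlier group entirely covers."""
    findings = []
    for i, earlier in enumerate(groups):
        earlier_nets = earlier.networks()
        for later in groups[i + 1:]:
            for net in later.networks():
                if any(net.subnet_of(e) for e in earlier_nets if e.version == net.version):
                    findings.append((later.name, str(net), earlier.name))
    return findings


def validate_groups(groups):
    """Check the limits and constraints stated on the page; returns a list of problems."""
    problems = []
    if len(groups) > MAX_GROUPS_PER_TENANT:
        problems.append(f"{len(groups)} groups exceeds the limit of {MAX_GROUPS_PER_TENANT}")
    for g in groups:
        if len(g.connectors) > MAX_CONNECTORS_PER_GROUP:
            problems.append(f"group {g.name}: {len(g.connectors)} connectors exceeds {MAX_CONNECTORS_PER_GROUP}")
        if not g.health_check_url:
            problems.append(f"group {g.name}: missing health check URL")
    dns_groups = [g.name for g in groups if g.dns_servers or g.dns_suffixes]
    if len(dns_groups) > 1:
        problems.append(f"DNS settings defined on more than one group: {dns_groups}")
    for later, net, earlier in shadowed_networks(groups):
        problems.append(f"group {later}: {net} is shadowed by earlier group {earlier}")
    return problems


# Constructed sample configuration (not from the page): a broad data-center range
# and a narrower VPC range that sits inside it.
DATACENTER = ConnectorGroup("datacenter", ["10.0.0.0/8"], "http://hc.dc.internal/ok",
                            connectors=["dc-conn-1", "dc-conn-2"],
                            dns_servers=["10.0.0.53"], dns_suffixes=["corp.internal"])
VPC_PROD = ConnectorGroup("vpc-prod", ["10.20.0.0/16", "172.16.5.1-172.16.5.9"],
                          "http://hc.vpc.internal/ok", connectors=["vpc-conn-1"])

if __name__ == "__main__":
    # Broad group listed first captures the VPC address; reordering fixes it.
    print(resolve_group([DATACENTER, VPC_PROD], "10.20.5.5"))  # datacenter
    print(resolve_group([VPC_PROD, DATACENTER], "10.20.5.5"))  # vpc-prod
    for problem in validate_groups([DATACENTER, VPC_PROD]):
        print("warning:", problem)
```

Run the validation before ordering groups in the console: any "shadowed" warning means the narrower group must be listed before the broader one, since Gateway does not fall through to a more specific match once an earlier group has matched.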