Network Routes let you route traffic from ZTB peers to private networks without installing the agent on every device. A routing peer forwards packets between your ZTB overlay network and your internal networks (LANs, VPCs, data centers).
Network Routes vs Networks: For most remote access scenarios (VPN-to-Site, Site-to-Site), use the Networks feature instead — it enforces access control by default. Network Routes remain the correct choice only for exit nodes (routing internet-bound traffic through a specific peer). If you use Network Routes without explicitly configuring ACL Groups, traffic flows freely to the routed network with no access control.
Key concepts
Network identifier and range
A network identifier is a name for the network you want to route (e.g. office-lan). A range is the IP address block in CIDR notation representing that network (e.g. 192.168.1.0/24). Together they form a single network route.
Routing peer
A routing peer is a ZTB device that forwards traffic between the overlay network and a private network. It must have direct network access to the resources you want to reach. A network route grants access to resources behind the routing peer — not to the routing peer itself. To reach services on the routing peer directly (SSH, a dashboard), create a separate peer-to-peer access policy.
Routing group
A routing group is a set of routing peers. Using a group instead of a single peer provides automatic high availability — if one peer goes offline, traffic is rerouted through another.
Masquerade
When enabled (default), the routing peer performs NAT on forwarded traffic, hiding the original source IP. This simplifies setup by removing the need for return routes on the remote network. Disable masquerade only when source IP visibility is required for auditing or compliance — in that case, you must configure a return route on the destination network.
Distribution groups
Distribution groups specify which peers receive the route configuration. Only peers in these groups will have the route pushed to them.
ACL groups
ACL groups enable access control on routed networks. When a route has ACL groups configured, access to the routed network is governed by the access policies where those groups are defined as destinations. Routes without ACL groups allow unrestricted access to the routed network.
Metric
Metric determines routing peer priority in high availability configurations. Lower value = higher priority. Outside HA setups, metric has no effect.
DNS routes
Instead of a CIDR range, a route can be based on a domain name. The client dynamically resolves the domain and routes traffic to the resolved IP. Useful when a service's IP changes frequently or you prefer to reference it by name.
DNS routes re-resolve every 60 seconds by default. The Keep routes option (enabled by default) preserves existing routes if a domain temporarily stops resolving, preventing disruption to active connections.
Create a network route
- Go to Network Routes and click Add Route.
- Enter a network identifier and description.
- Enter the network range in CIDR notation (e.g. 172.31.0.0/16).
- Select the routing peer (or peer group for HA).
- Select the distribution groups (which peers receive this route).
- Click Add Route.
High availability
To avoid a single point of failure, assign multiple routing peers to the same route:
- Via peer group: select a group with multiple peers when creating the route. All peers share the same metric and load-balance by latency.
- Via individual peers: click Add Peer in the High Availability column and add additional peers with different metrics. Lower metric = primary, higher metric = failover.
Keep routing peers in different failure domains for maximum resilience.
Important caveats
Network Routes bypass access control by default
Unless you explicitly configure ACL groups on the route, all peers that receive the route can reach the entire routed network regardless of access control policies. This is a fundamental difference from Networks, which enforces access control by default.
Do not mix Network Routes and Networks on the same routing peer
If the same routing peer is used for both a Network Route and a Network resource, the unrestricted access granted by the Network Route can overflow to the Network resource, bypassing its ACL policies. To prevent this, always use dedicated routing peers for Network Routes — never share them with Networks configurations.
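As an added example that is not part of the original page or the product's own API, the following Python audits a constructed route inventory for the caveats above (routes without ACL groups, routing peers shared with a Network, masquerade disabled) and shows how metric drives HA failover selection; the field names and sample peers are assumptions.

```python
from dataclasses import dataclass, field

# Constructed inventory for illustration; field names are assumptions, not the product's API.
@dataclass
class Route:
    identifier: str
    network: str                          # range in CIDR notation
    routing_peers: dict                   # peer name -> metric (lower = higher priority)
    distribution_groups: list             # peers that receive the route
    acl_groups: list = field(default_factory=list)
    masquerade: bool = True

ROUTES = [
    Route("office-lan", "192.168.1.0/24", {"gw-a": 100, "gw-b": 200}, ["employees"], ["office-access"]),
    Route("vpc-prod", "172.31.0.0/16", {"gw-c": 100}, ["devops"]),              # no ACL groups
    Route("audit-net", "10.50.0.0/16", {"gw-a": 100}, ["auditors"], ["audit"], masquerade=False),
]
# Routing peers that also serve a Network resource (constructed sample).
NETWORK_PEERS = {"gw-c"}

def audit_routes(routes, network_peers):
    """Return one finding per caveat: a route with no ACL groups (unrestricted access),
    a routing peer shared between a Network Route and a Network (ACL bypass risk),
    and masquerade disabled (a return route is then required on the destination)."""
    findings = []
    for r in routes:
        if not r.acl_groups:
            findings.append(f"{r.identifier}: no ACL groups, unrestricted access to {r.network}")
        for peer in r.routing_peers:
            if peer in network_peers:
                findings.append(f"{r.identifier}: routing peer {peer} is also used by a Network")
        if not r.masquerade:
            findings.append(f"{r.identifier}: masquerade off, return route needed on {r.network}")
    return findings

def active_routing_peer(route, online_peers):
    """HA selection: among the route's online routing peers, pick the lowest metric.
    Equal metrics are broken by name here; the product load-balances them by latency."""
    candidates = [(metric, peer) for peer, metric in route.routing_peers.items() if peer in online_peers]
    return min(candidates)[1] if candidates else None

if __name__ == "__main__":
    for finding in audit_routes(ROUTES, NETWORK_PEERS):
        print(finding)
    print("office-lan active peer:", active_routing_peer(ROUTES[0], {"gw-a", "gw-b"}))
```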