Admins set access rules by defining entitlements, which include actions. Within an action, host(s) can be defined by IP addresses, subnets, hostnames, URLs, resource names (cloud resolvers), and host entitlement scripts. Resource names and entitlement scripts support the dynamic least privilege access mode, which is a key part of the product. These extend the capabilities of the system, allowing it to adapt in near real time to changes in the infrastructure.
Hosts can be the target (in the case of up rules, from the Client to Gateways) or the source (in the case of down rules, from the Gateway to the Client).
There are additional topics providing more detail about these different types of host definitions:
IP addresses and/or ranges - of the protected hosts
Hostnames - typically resolved using (internal) DNS
URLs - used with URL access (HTTP up Action type)
Resource names - the Gateway dynamically discovers all the IP addresses (from its hosting environment) that are allowed for the given Entitlement. (Not for Protected URLs.)
Entitlement scripts - these can populate the Entitlement's (protected) hosts based on Claims or external attributes. Even when a script returns a resource name, the Gateway discovers the IP addresses dynamically and uses these for the specific Entitlement.
The system is designed to respond to changes in resolved names, such as when an autoscaled instance is added. However, it is not designed to handle large numbers of frequently changing resolved names. Gateways run a dynamic queuing system to handle such changes on a per-user basis. If the system has 500 users, each with 20 actions that change, then the queue is immediately 10,000 in size. Larger Gateways will have larger queues and faster Gateways will process the queue in less time, but care still needs to be taken to ensure that host definitions resolve to consistent values appropriate for your use case.
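One way to check host definitions for consistency before they reach an Entitlement is to sample what each name resolves to over several polling intervals and estimate the queue load with the users-times-changed-actions model above. This is an added example, not product code; the hostnames, addresses, the 0.5 threshold and the assumption that every user holds one action per host definition are all constructed for illustration.

```python
# Constructed sample data: resolved IP sets per host definition, one set per
# polling interval. Names and addresses are illustrative only.
SAMPLES = {
    "db.internal.example": [{"10.0.1.5"}] * 4,
    "web-asg.internal.example": [
        {"10.0.2.10"}, {"10.0.2.10"},
        {"10.0.2.10", "10.0.2.11"}, {"10.0.2.10", "10.0.2.11"},  # one scale-out
    ],
    "cdn.example": [
        {"198.51.100.1"}, {"198.51.100.7"}, {"198.51.100.3"}, {"198.51.100.9"},
    ],
}

def change_ratio(snapshots):
    """Fraction of consecutive intervals in which the resolved set changed."""
    if len(snapshots) < 2:
        return 0.0
    pairs = zip(snapshots, snapshots[1:])
    return sum(1 for a, b in pairs if set(a) != set(b)) / (len(snapshots) - 1)

def unstable_hosts(samples, threshold=0.5):
    """Host definitions whose resolution changes in more than `threshold` of intervals."""
    return sorted(h for h, s in samples.items() if change_ratio(s) > threshold)

def queue_entries(users, actions_changed_per_user):
    """Queue size model from the text: one entry per user per changed action."""
    return users * actions_changed_per_user

def peak_queue(samples, users):
    """Worst single interval, assuming each user holds one action per host definition."""
    longest = max(len(s) for s in samples.values())
    worst = 0
    for i in range(1, longest):
        changed = sum(
            1 for s in samples.values()
            if i < len(s) and set(s[i]) != set(s[i - 1])
        )
        worst = max(worst, changed)
    return queue_entries(users, worst)

if __name__ == "__main__":
    for host, snaps in SAMPLES.items():
        print(f"{host}: change ratio {change_ratio(snaps):.2f}")
    print("unstable:", unstable_hosts(SAMPLES))
    print("peak queue for 500 users:", peak_queue(SAMPLES, 500))
```

A name that changes on every poll, like the constructed `cdn.example` entry, is the kind of definition to replace with a stable IP range or subnet; a single autoscaling change is the case the queue is designed to absorb.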