mirror of
https://github.com/netbirdio/docs.git
synced 2026-05-04 16:26:36 +00:00
Document that routing peers require a separate policy for direct access (#611)
Users commonly run services (Pi-hole, Home Assistant, monitoring) on routing peer machines but have no guidance that a network resource policy only grants access to the network behind the peer, not the peer itself. Add notes to Networks, Network Routes, Access Control, and the Zero Trust guide clarifying that a peer-to-peer access policy is needed.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@@ -521,7 +521,7 @@ NetBird Network access policies are unidirectional. They allow traffic from NetB
|
||||
If you need true bidirectional initiation between two endpoints, run NetBird on both machines and create an access policy that allows traffic in both directions.
|
||||
|
||||
<Note>
|
||||
If you need to access the routing peer itself, there must be an access policy explicitly allowing traffic. You may add the routing peer to a group of resources, or create an entirely new access policy.
|
||||
If you need to access the routing peer itself (for example, to reach services like Pi-hole or a monitoring dashboard running on it), create a peer-to-peer access policy with the routing peer's group as the destination. See [Routing Peers](/manage/networks#routing-peers) for details.
|
||||
</Note>
|
||||
|
||||
### 5.3 DNS for routed networks
|
||||
|
||||
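Review bot: The rewritten sentence inside `<Note>` names only the destination (the routing peer's group) and says nothing about the source group or about limiting the policy to the ports the service needs, so a reader may end up creating an all-protocol policy to the routing peer from a broad group. Since the paragraph just above states that policies are unidirectional, consider spelling out the direction, for example "with the group that needs access as the source and the routing peer's group as the destination", and suggesting that the policy be limited to the protocol and ports of the service being reached. The sentence this replaces also offered adding the routing peer to a group of resources as an alternative; if that option is still valid it is worth keeping. The `/manage/networks#routing-peers` anchor should be checked against the target page, which this hunk does not show.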