






















NetBird provides a fast and secure peer-to-peer mesh network with end-to-end encryption. By default, you install the NetBird agent on every machine—be it a developer laptop, container, VM, or server—and each device securely connects to others on the mesh, forming a zero-trust overlay network.
But what if you can’t install the agent on all your machines?
In real-world deployments, especially within enterprise environments, it’s common to encounter private infrastructure that doesn’t support custom software. IoT devices, printers, managed services (like AWS RDS), or legacy servers might not be compatible with NetBird. Even if they are, you may be mid-migration and still need secure access to entire LANs, VPCs, or office networks where many machines haven’t yet joined the NetBird network.
To address these scenarios, NetBird introduced the Networks feature —starting in version . With Networks, you can map private networks, route traffic through NetBird-enabled gateways, and grant granular access without needing to install NetBird on every internal machine.
This article explains why you might need full network access, how the Networks feature works, and how to configure it for your infrastructure.
There are many real-world use cases where installing NetBird on every device simply isn’t feasible. Let’s examine the most common ones:
Partial or side-by-side migrations: If your organization is transitioning from traditional VPNs or firewall-based access control to NetBird, some machines might already be using the new setup while others are still pending migration. During this phase, users and services need uninterrupted access to systems that don’t yet run the NetBird agent.
Systems with OS limitations: Certain classes of devices—such as industrial machines, IoT endpoints, legacy Windows servers, and network printers—often don’t support installing agents. Similarly, you can’t install third-party software on most managed services (like Google Cloud SQL or AWS RDS).
Legacy networks: Older infrastructure may be too sensitive or fragile to modify. Admins may face compatibility issues or lack permission to install software due to vendor restrictions, outdated operating systems, or production-critical environments.
In all of these cases, granting secure, audited access without modifying every host becomes essential. This is where NetBird’s Networks feature offers a powerful solution.
Networks in NetBird represent a major architectural improvement over the earlier Network Routes concept. Rather than requiring you to set up individual routes per IP or domain, you can now create a logical representation of your internal network, assign one or more routing peers, and define resources inside that network—whether IP ranges, hostnames, or entire wildcard domains.
You can think of a Network as a container that includes:
This approach simplifies configuration, improves manageability, and provides more intuitive access control than the now-deprecated Network Routes feature.

A routing peer is a NetBird-enabled device that sits inside your private infrastructure—such as an EC2 instance inside an AWS VPC or a Linux server on your corporate LAN.
Routing peers:
You can assign a single peer or an entire peer group as your routing peer(s). This makes it easy to scale and build resilient access points into your infrastructure.
A resource in NetBird defines an internal service or destination you want to make accessible through the mesh network. Resources can be:
Resources are grouped and assigned descriptive names, making them easier to organize and manage. This logical grouping is especially helpful when creating access policies for different user teams.
NetBird uses access control policies to define which users or devices can access which resources. Policies define:
Policies can be unidirectional or bidirectional—they specify who can access what—and can be adjusted at any time via the dashboard. This gives you complete control over internal access without having to modify your firewalls or DNS servers.
Let’s walk through an example to demonstrate NetBird's ability to securely expose individual internal resources—without opening access to an entire subnet or installing agents on the resource itself.
1. Create a Network

2. Add a Resource

3. Create an Access Policy
Click Create Policy and define access for just the DevOps group:
You can also add posture checks or device trust constraints to further restrict access.

4. Create resources for the internal DNS servers

5. Create an access policy for the DNS resources

6. Add a Routing Peer

That’s it! Now users only see the resources they are allowed to access, and DNS resolution flows securely through your internal infrastructure. This example showcases NetBird’s ability to granularly route and authorize access to internal services based on identity, protocol, and destination domain, all without altering the VPC firewall or installing agents on the RDS instance.
In many enterprise environments, services are addressed by domain name rather than static IPs. Load balancers, DNS-based failover, and dynamic scaling make it impractical to hardcode IP routes.
NetBird supports both specific domains and wildcard domains :
When DNS wildcard routing is enabled, the routing peer—not the client—resolves domain names. This change from the legacy Network Routes behavior allows for:
You can assign multiple routing peers or entire peer groups to each Network. NetBird handles:
When there are 2 or more routing peers for a network, this will enable the High Availability feature. This ensures that remote access remains reliable, even during maintenance or unexpected failures.
The masquerade setting hides NetBird peer IPs behind the routing peer's IP when accessing internal networks. This is useful if:
Additionally, each routing peer can have a metric, allowing you to control which peer is preferred when multiple options exist (lower metric = higher priority).
While Network Routes still function for legacy setups, we recommend migrating to Networks , which offer:
| Feature | Networks | Network Routes |
|---|---|---|
| Simplified access control | ✅ | ❌ (manual setup) |
| Wildcard domain support | ✅ | ❌ |
| Resource-level editability | ✅ | ❌ |
| Peer groups for HA | ✅ | ✅ |
| DNS routing at gateway | ✅ | ❌ |
| Exit-node support | 🚧 (planned) | ✅ |
| Site-to-site routing | 🚧 (planned) | ✅ |
See the full migration guidance in NetBird's documentation .
Need help? Refer to these official guides:
NetBird’s Networks feature is a powerful, scalable, and secure way to access internal infrastructure without requiring you to install agents on every device. Whether you’re connecting to cloud VPCs, legacy data centers, or restricted environments, Networks provide a single, unified mechanism for routing, access control, and observability.
Compared to the older Network Routes feature, Networks offer clearer configuration, more flexible access, and better future compatibility. If you're managing secure access in a hybrid or segmented environment, Networks should be your go-to solution.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。