How to restrict access to second-level domain names of Tunnels?

I have added a domain name using Tunnels e.g. test.a.com, so is there any way for me to allowlist zones or allowlist ip’s directly to this test.a.com without affecting access to a.com?