Noob question: Zero trust - 1 rule to allow a specific ip to bypass block

Hi guys

I'm new to Zero Trust, but have set up a tunnel.
The tunnel is working, and was extremely easy to set up.

But I would like to have certain URLs protected, so only certain IPs are able to access e.g. internal.domain.com.

I have created access groups for the two IPs I currently need to have access, and I have set up an application. Then I created a Block rule with IP 0.0.0.0/0, and then I created an Allow with first the groups, which didn't work. Then I tried with Include and then IP, but that didn't do the trick either.

Can someone guide me on how to do this?

Alright, so.
I was of the assumption that I needed to close everything, then open up.
But I was wrong, I just needed to create a bypass, and set in the IP that should be allowed to access.
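Why the two setups in this thread behave differently, as an added example that is not part of the original posts or Cloudflare's code. It uses a simplified model of policy evaluation (Bypass first, then Block and Allow in listed order, deny when nothing matches); the model, the function names, the documentation-range IPs, and the assumption that the Block rule sat above the Allow rule are all constructed for illustration.

```python
import ipaddress

# Simplified model (an assumption for illustration): Bypass policies are
# checked first, then Block and Allow policies in their listed order, and
# a request that matches no policy is denied.

def matches(policy, ip):
    """True if the source IP falls inside any CIDR in the policy's include list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in policy["include"])

def evaluate(policies, ip):
    """Return the decision the modelled application makes for a source IP."""
    for p in policies:
        if p["decision"] == "bypass" and matches(p, ip):
            return "bypass"        # no login prompt; Access is not enforced
    for p in policies:
        if p["decision"] in ("block", "allow") and matches(p, ip):
            return p["decision"]   # first match wins; "allow" still needs a login
    return "deny"                  # default when nothing matches

# Constructed sample addresses (RFC 5737 documentation ranges).
TRUSTED = ["203.0.113.10/32", "198.51.100.7/32"]

# First attempt from the thread, assuming Block was listed above Allow.
first_attempt = [
    {"decision": "block", "include": ["0.0.0.0/0"]},
    {"decision": "allow", "include": TRUSTED},
]

# Working setup from the thread: a single Bypass policy for the trusted IPs.
working = [{"decision": "bypass", "include": TRUSTED}]

if __name__ == "__main__":
    for name, policies in (("first_attempt", first_attempt), ("working", working)):
        for ip in ("203.0.113.10", "192.0.2.55"):
            print(f"{name:14} {ip:14} -> {evaluate(policies, ip)}")
```

In this model the catch-all Block matches the trusted addresses before the Allow is ever reached, and in the working setup every other address is denied without an explicit Block rule.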