Introduction
NetFoundry supports deploying a network controller into an on-premises network.
To successfully deploy a controller, a few prerequisites must be met before completing the controller creation procedure.
Image
Currently you must deploy the NetFoundry image in order to successfully install a network controller. This image is the same as the NetFoundry Edge Router image & can be found in multiple cloud providers & on multiple platforms. Please see the Edge Router sections of the downloads page for specific versions:
https://netfoundry.io/products/netfoundry-downloads/
Network Connectivity
Network connectivity for the Hybrid model installation is outbound only. No inbound ports are required to be open unless you plan on running the controller for external devices.
Software Repositories:
github.com (TCP/443) (software download)
get.openziti.io (TCP/443) (software download)
artifacts.elastic.co (TCP/443) (software download)
objects.githubusercontent.com (TCP/443) (software download)
packages.broadcom.com (TCP/443) (software download)
netfoundry.jfrog.io (TCP/443) (software download)
download.docker.com (TCP/443) (software download)
Runtime access:
security.ubuntu.com (TCP/443) (security updates)
gateway.production.netfoundry.io (TCP/443) (status updates)
be51e840-dbe2-4a32-883c-711023d31f3f.production.netfoundry.io (TCP/443) (support network controller)
8fba1458-73d3-47ea-8ed8-f371124c1fec.production.netfoundry.io (TCP/443) (support network fabric)
ipinfo.io (TCP/443) (gets external IP for login banner; can be disabled using the hush-net-info command)
*.pool.ntp.org (UDP/123) (NTP time sync)
nf-nc-db-backup-production.s3.amazonaws.com (TCP/443) (Ziti DB backup)
logstash.production.netfoundry.io (TCP/5070) (log shipping)
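A preflight check for the outbound endpoints listed above, as an added example that is not NetFoundry code: it parses entries written in this page's host(PROTO/port) notation and attempts a TCP connection to each one. The function names parse, check and preflight are hypothetical; UDP and wildcard entries are reported as skipped because a TCP connect cannot test them.

```python
import re
import socket

# Outbound endpoints copied from the page's lists (purpose notes dropped).
ENDPOINTS = """
github.com(TCP/443)
get.openziti.io(TCP/443)
artifacts.elastic.co(TCP/443)
objects.githubusercontent.com(TCP/443)
packages.broadcom.com(TCP/443)
netfoundry.jfrog.io(TCP/443)
download.docker.com(TCP/443)
security.ubuntu.com(TCP/443)
gateway.production.netfoundry.io(TCP/443)
be51e840-dbe2-4a32-883c-711023d31f3f.production.netfoundry.io(TCP/443)
8fba1458-73d3-47ea-8ed8-f371124c1fec.production.netfoundry.io(TCP/443)
ipinfo.io(TCP/443)
*.pool.ntp.org(UDP/123)
nf-nc-db-backup-production.s3.amazonaws.com(TCP/443)
logstash.production.netfoundry.io(TCP/5070)
"""

LINE = re.compile(r"^\s*(\S+?)\s*\((TCP|UDP)/(\d+)\)")

def parse(text):
    """Turn 'host(PROTO/port) ...' lines into (host, proto, port) tuples."""
    return [(m[1], m[2], int(m[3])) for m in map(LINE.match, text.splitlines()) if m]

def check(host, proto, port, timeout=3.0):
    """Return 'open', 'skipped' or a 'blocked: <reason>' string for one endpoint."""
    if proto != "TCP":
        return "skipped"  # a UDP send cannot prove reachability; verify time sync separately
    if host.startswith("*."):
        return "skipped"  # wildcard entry has no single name to connect to
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:  # DNS failure, refusal, timeout or reset by a firewall
        return f"blocked: {exc}"

def preflight(text=ENDPOINTS):
    """Check every parsed endpoint and return {endpoint: status}."""
    return {f"{h}:{p}/{proto}": check(h, proto, p) for h, proto, p in parse(text)}

if __name__ == "__main__":
    for endpoint, status in preflight().items():
        print(f"{status:<10} {endpoint}")
```

An open result shows only that a TCP connection was established from the host running the script, so run it from the network segment where the controller will be deployed.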
External access:
If the controller is going to use an external IP (internet routable) or is going to support external devices & external edge routers (for example, NF Hosted ERs), the following ports will also need to be open inbound.
TCP/443 - This is the main port used by the ziti controller
TCP/6262 - This is used by a fabric router running on the controller to provide connectivity for software upgrades. The software management port can be disabled.
Internal access:
If the controller is going to use an internal IP (not internet routable), all devices & edge routers must be allowed to reach the controller. The following ports will need to be open inbound from local subnets.
TCP/443 - This is the main port used by the ziti controller
TCP/6262 - This is used by a fabric router running on the controller to provide connectivity for software upgrades. The software management port can be disabled.