Introduction

Services define resources on your local network that you want to make available over your NetFoundry network. Once you've created a service, add it to one or more AppWANs to make it available to those AppWAN members. Think of a service as a rule in a firewall whitelist, which defines the exact set of network resources that one may access over an AppWAN, while all other traffic is blocked.

Every service must be assigned to a gateway, which is the exit point for traffic egressing NetFoundry toward the service host. Therefore, the egress gateway must be able to reach the service host to function correctly. By default, packets arriving at the service host will have a source IP address of the egress gateway.

See Create and manage Services for more information about creating and managing services in the console.

Service Types

You may choose from three types of services, based on the resource(s) you are exposing:

IP Host Service: Allow access to a single IP host, protocol, and one or more ports.

IP Network Service: Allow access to an entire range of IP hosts on any protocol/port.

Host Ping Service: Allow ICMP echo request and ICMP echo reply packets to a single IP host, without allowing any other protocols or ports.

Examples:

Single Host

Expose a single secure web server hosted in an AWS private VPC:

  • Service type: IP Host
  • IP address: 10.100.200.17
  • Protocol: TCP
  • Port/Range: 443

Single host with range of ports

If you want to specify a range of ports, say all privileged TCP/UDP ports 1-1023, use a hyphen-separated range:

  • Service type: IP Host
  • IP address: 10.100.200.17
  • Protocol: TCP/UDP
  • Port/Range: 1-1023

Single Host with ICMP ping only

Use a Host Ping service to allow ICMP echo request/reply packets to the destination without opening any TCP/UDP ports. This service type is ideal for diagnostics and for troubleshooting a network configuration:

  • Service type: Host Ping
  • IP address: 10.100.200.17

Multiple Hosts

Services can also define a range of addresses. If the web server above were instead fronted by an ALB on the private subnet 10.100.200.16/28, you can create a service for the entire subnet:

  • Service type: IP Network
  • IP range: 10.100.200.16/28

Notice that an IP Network service does not limit traffic to a subset of TCP and/or UDP ports, as an IP Host service does.

Using Intercept address / Intercept ports

If you want to make a service available to AppWANs on an alternate IP address or port, you may use the service intercept function. Intercept is similar to Destination NAT. It is not common to use intercept, but certain circumstances call for it. One common example is duplicate address space in use in the network. Intercepts can remap services to unique address space in order to resolve the duplication.

Intercept is available to both IP Host and IP Network services:

Examples

IP Host with intercept address

  • Service type: IP Host
  • IP address: 10.100.200.17
  • Intercept address: 11.100.200.17
  • Protocol: TCP
  • Port/Range: 443

With this intercept address in place, AppWAN members must use address 11.100.200.17 to reach this web server on TCP/443. As packets leave the egress gateway toward the service host, the destination IP is replaced with the real IP address (10.100.200.17).

IP Host with intercept ports

  • Service type: IP Host
  • IP address: 10.100.200.17
  • Protocol: TCP
  • Port/Range: 443
  • Intercept port/range: 8443

With this intercept port in place, AppWAN members must use TCP/8443 to reach this web server at 10.100.200.17. As packets leave the egress gateway toward the service host, the destination port is replaced with the real port (443).

IP Host with intercept address and intercept ports

Services can specify both Intercept addresses and ports at the same time:

  • Service type: IP Host
  • IP address: 10.100.200.17
  • Intercept address: 11.100.200.17
  • Protocol: TCP
  • Port/Range: 443
  • Intercept port/range: 8443

With this service, the web service will be reachable to AppWAN members at 11.100.200.17 TCP/8443.

IP Network with intercept address

  • Service type: IP Network
  • IP range: 10.100.200.16/30
  • Intercept address: 11.100.200.16

The entire 10.100.200.16/30 address range is mapped to the 11.100.200.16/30 space. Notice that the Intercept address field does not specify a bitmask, because it uses the same bitmask from the IP range field:

Real address (10.100.200.16/30)    Intercepted address (11.100.200.16/30)
10.100.200.16                      11.100.200.16
10.100.200.17                      11.100.200.17
10.100.200.18                      11.100.200.18
10.100.200.19                      11.100.200.19
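The table above is one instance of a general rule: the intercept address inherits the prefix length of the IP range field, and each real address maps to the intercept address with the same host bits. The following added example (not code from the original article or from NetFoundry; the function names are this example's own) computes that mapping in both directions for any range and intercept base, and rebuilds the table for the /30 case:

```python
import ipaddress

# Added illustration of IP Network intercept mapping. The real range's prefix
# length is applied to the intercept base, and host bits are preserved, which is
# what the egress gateway has to undo when it rewrites the destination back to
# the real address. Function names are assumptions for this example only.


def intercept_network(ip_range: str, intercept_base: str) -> ipaddress.IPv4Network:
    """Derive the intercept network: intercept base + the real range's prefix length."""
    real = ipaddress.ip_network(ip_range, strict=False)
    # strict=False normalises a base that still carries host bits
    # (e.g. "11.100.200.17" with /30 becomes 11.100.200.16/30).
    return ipaddress.ip_network(f"{intercept_base}/{real.prefixlen}", strict=False)


def real_to_intercept(real_ip: str, ip_range: str, intercept_base: str) -> str:
    """Address an AppWAN member must dial to reach real_ip through this service."""
    real = ipaddress.ip_network(ip_range, strict=False)
    addr = ipaddress.ip_address(real_ip)
    if addr not in real:
        raise ValueError(f"{real_ip} is outside the service range {real}")
    icpt = intercept_network(ip_range, intercept_base)
    host_bits = int(addr) - int(real.network_address)
    return str(ipaddress.ip_address(int(icpt.network_address) + host_bits))


def intercept_to_real(intercept_ip: str, ip_range: str, intercept_base: str) -> str:
    """Reverse mapping, as applied by the egress gateway toward the service host."""
    icpt = intercept_network(ip_range, intercept_base)
    addr = ipaddress.ip_address(intercept_ip)
    if addr not in icpt:
        raise ValueError(f"{intercept_ip} is outside the intercept range {icpt}")
    real = ipaddress.ip_network(ip_range, strict=False)
    host_bits = int(addr) - int(icpt.network_address)
    return str(ipaddress.ip_address(int(real.network_address) + host_bits))


def mapping_table(ip_range: str, intercept_base: str) -> list:
    """(real, intercept) pairs for every address in the range, network and broadcast included."""
    real = ipaddress.ip_network(ip_range, strict=False)
    return [(str(a), real_to_intercept(str(a), ip_range, intercept_base)) for a in real]


if __name__ == "__main__":
    # Reproduces the /30 table from the article.
    for real_ip, icpt_ip in mapping_table("10.100.200.16/30", "11.100.200.16"):
        print(f"{real_ip:<16} {icpt_ip}")
```

Running the block prints the same four rows as the table above; passing a /28 instead yields the sixteen-row mapping for the ALB subnet example.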


Conflicting Service Rules

If rules ever conflict between two or more services of different types, the priority of resolution is as follows:

  1. IP Host Service
  2. IP Network Service


Note: A Host Ping service never conflicts with the above. It uses an intercept IP address to transport ICMP echo request/reply packets only. Because ICMP is an IP protocol at the same level as TCP and UDP, it does not conflict with IP Host and IP Network services, which transport TCP and UDP only.

If rules overlap or conflict between services of the same type, the result may be unpredictable: the system takes the first one provisioned, which depends on the order in which they were provisioned.


Example of overlapping differing types of services

AppWAN has the following Services:

1. IP Host Service: IP = 10.10.10.200, Port = 40001

2. IP Network Service: IP Range = 10.10.10.1 – 10.10.10.254

Scenario 1: Packet to intercept has DEST IP = 10.10.10.200, Port = 40001

Action: Packet will be sent to far end Gateway hosting Client Service

Scenario 2: Packet to intercept has DEST IP = 10.10.10.200, Port = 22

Action: Packet will be sent to far end Gateway hosting Gateway Service


Example of overlapping same types of services

AppWAN has the following Services:

1. IP Host Service A: IP = 10.10.10.200, Intercept IP = 3.4.5.6, Ports = 1-100

2. IP Host Service B: IP = 10.10.10.100, Intercept IP = 3.4.5.6, Ports = 1-100

The destination IP is different for the same Intercept IP, so a conflict occurs. Which service is used is unpredictable, because the user has created a conflicting situation.

Note that the following scenario is allowed, since the ports do not overlap:

1. IP Host Service A: IP = 10.10.10.200, Intercept IP = 3.4.5.6, Ports = 200-300

2. IP Host Service B: IP = 10.10.10.100, Intercept IP = 3.4.5.6, Ports = 1-100
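The two examples above (differing types resolved by priority, and same-type services that collide on an intercept IP) can be checked mechanically before provisioning. The following added example is a small model written for this article, not NetFoundry's implementation or API; the `Service` class, `resolve` and `host_conflicts` are this example's own names. It picks the winning service for a packet with IP Host ahead of IP Network, and flags pairs of IP Host services that share a dial address and overlapping ports but point at different real hosts. Intercept is modelled for IP Host services only, to keep the example short.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration of the conflict rules above. Names are assumptions for this
# example only; NetFoundry's real implementation is not shown in the article.

PortRange = Tuple[int, int]  # inclusive (low, high)


def parse_ports(spec: str) -> PortRange:
    """'443' -> (443, 443); '1-1023' -> (1, 1023)."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 < lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo_i, hi_i


def parse_range(spec: str) -> Tuple[int, int]:
    """Accept CIDR ('10.10.10.0/24') or 'first-last' ('10.10.10.1-10.10.10.254')."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    first, _, last = spec.partition("-")
    return int(ipaddress.ip_address(first.strip())), int(ipaddress.ip_address(last.strip()))


@dataclass(frozen=True)
class Service:
    name: str
    kind: str                                   # "host", "network" or "ping"
    address: str                                # single IP (host/ping) or range (network)
    protocols: Tuple[str, ...] = ("tcp", "udp")  # ignored for ping, which is ICMP only
    ports: Optional[str] = None                 # "443" or "1-1023", IP Host only
    intercept_ip: Optional[str] = None
    intercept_ports: Optional[str] = None

    def dial_ip(self) -> str:
        """Address AppWAN members actually use (intercept address if set)."""
        return self.intercept_ip or self.address

    def dial_ports(self) -> PortRange:
        spec = self.intercept_ports or self.ports
        if spec is None:
            raise ValueError(f"IP Host service {self.name} needs a port/range")
        return parse_ports(spec)

    def matches(self, dst_ip: str, proto: str, dst_port: Optional[int]) -> bool:
        addr = int(ipaddress.ip_address(dst_ip))
        if self.kind == "ping":
            return proto == "icmp" and addr == int(ipaddress.ip_address(self.dial_ip()))
        if proto not in self.protocols:
            return False
        if self.kind == "network":            # whole range, any TCP/UDP port
            lo, hi = parse_range(self.address)
            return lo <= addr <= hi
        if addr != int(ipaddress.ip_address(self.dial_ip())):
            return False
        plo, phi = self.dial_ports()
        return dst_port is not None and plo <= dst_port <= phi


PRIORITY = {"host": 0, "network": 1}  # lower wins; ping never competes (ICMP only)


def resolve(services: List[Service], dst_ip: str, proto: str,
            dst_port: Optional[int] = None) -> Optional[Service]:
    """Service that handles this packet: IP Host before IP Network, else None."""
    hits = [s for s in services if s.matches(dst_ip, proto, dst_port)]
    hits.sort(key=lambda s: PRIORITY.get(s.kind, 2))
    return hits[0] if hits else None


def overlaps(a: PortRange, b: PortRange) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def host_conflicts(services: List[Service]) -> List[Tuple[str, str]]:
    """Pairs of IP Host services with the same dial IP, a shared protocol and
    overlapping dial ports that lead to different real targets. The article says
    such pairs resolve unpredictably, so they should be caught before provisioning."""
    hosts = [s for s in services if s.kind == "host"]
    found = []
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            same_dial = ipaddress.ip_address(a.dial_ip()) == ipaddress.ip_address(b.dial_ip())
            shared_proto = set(a.protocols) & set(b.protocols)
            if not (same_dial and shared_proto and overlaps(a.dial_ports(), b.dial_ports())):
                continue
            if (a.address, parse_ports(a.ports)) != (b.address, parse_ports(b.ports)):
                found.append((a.name, b.name))
    return found


if __name__ == "__main__":
    appwan = [Service("host-40001", "host", "10.10.10.200", ports="40001"),
              Service("subnet", "network", "10.10.10.1-10.10.10.254")]
    print(resolve(appwan, "10.10.10.200", "tcp", 40001).name)  # host-40001 (Scenario 1)
    print(resolve(appwan, "10.10.10.200", "tcp", 22).name)     # subnet (Scenario 2)
    clash = [Service("A", "host", "10.10.10.200", ports="1-100", intercept_ip="3.4.5.6"),
             Service("B", "host", "10.10.10.100", ports="1-100", intercept_ip="3.4.5.6")]
    print(host_conflicts(clash))  # [('A', 'B')]
```

The `__main__` section replays the article's two examples: Scenario 1 and 2 pick the IP Host and IP Network service respectively, and the A/B pair with identical intercept IP and port range is reported as a conflict, while changing A's ports to 200-300 makes `host_conflicts` return an empty list.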

