How to Manually Configure an Edge Router.

This article applies to NetFoundry networks version 7 or higher. Refer to Finding Your Network Version for detailed information on determining your Network Version.

Edge Routers

This article describes the manual steps to take if neither of the following preferred approaches works for you:

  1. NetFoundry-hosted Edge Routers are internet-reachable, automatically registered and configured, and are the preferred way to form your NetFoundry network fabric. Learn how to create a hosted Edge Router.
  2. Customer-hosted Edge Routers are typically used for hosting Services in private networks. They are registered and configured by running a command-line utility described in How to Register the NetFoundry VM.

The Manual Way

  1. Obtain the one-time enrollment token (.jwt) and Jinja2 configuration template (.yml.j2) from the NetFoundry API.

    Fetch the Jinja2 template that you will render as your edge router configuration YAML file.
    GET /core/v2/edge-routers/{{edgeRouterId}}/config
    Fetch your edge router's object to obtain the value of the JWT, the temporary enrollment token.
    GET /core/v2/edge-routers/{{edgeRouterId}}/
  2. Render the Jinja2 template as a YAML file according to your preferences. 
  3. On your computer, copy the edge router config YAML file and one-time enrollment token to the VM.
    $ scp edge-router-config.yml nfadmin@10.11.12.13:/opt/netfoundry/ziti/ziti-router/config.yml
    $ scp exampleEdgeRouter.jwt nfadmin@10.11.12.13:/opt/netfoundry/ziti/ziti-router/exampleEdgeRouter.jwt
  4. On the VM, run Edge Router to enroll.
    nfadmin $ cd /opt/netfoundry/ziti/ziti-router/
    nfadmin $ ziti-router enroll config.yml --jwt exampleEdgeRouter.jwt
  5. On the VM, run Edge Router as a daemon.
    nfadmin $ sudo systemctl start ziti-router.service

    # Starting this service executes the following command as root
    # /opt/netfoundry/ziti/ziti-router/ziti-router run /opt/netfoundry/ziti/ziti-router/config.yml

You may use OpenZiti Router to provide the Ziti edge and Ziti fabric for your NetFoundry network. Besides the Ziti Router executable for your host architecture, you'll need only the one-time enrollment token and a configuration template to run Ziti Router on your own OS. Both are available through the NetFoundry API after creating an edge router.

Edge Listener

Be sure to write the configuration file so that the edge component is enabled. This is necessary for all Ziti Router installs for a NetFoundry network.

An Edge Router may provide a Ziti edge listener by which Endpoints dial the Ziti edge. The advertised listener IP address or domain name must be reachable by the dialing Endpoints, e.g. router123.example.com:443. The advertised address cannot be changed after enrollment.

Here is an example excerpt from an Edge Router config.yml showing the top-level "listeners" object describing an edge listener advertisement.

listeners:
  - binding: edge
    address: tls:0.0.0.0:443
    options:
      # (required) The public hostname and port combination that Ziti SDKs should connect on. Previously this was in the chanIngress section.
      advertise: router123.example.com:443

Transit Link Listener

You may write the configuration file to enable the "link listener" on any install. This opens a port on which the router listens for transit links from other routers. Each network needs at least one router with an internet-reachable transit link listener; the remaining routers may disable the link listener and so stay invisible on the internet.

A router may provide a transit link listener to other routers. The advertised link listener IP address or domain name must be reachable by the other routers, e.g. router123.example.com:80.

Here is an example excerpt from an edge router config.yml showing the top-level "link" object describing a transit link listener advertisement.

link:
  dialers:
    - binding: transport
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:80
      advertise: tls:router123.example.com:80
      options:
        outQueueSize: 16
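The checks below are an added example, not NetFoundry or OpenZiti code. They take a rendered config.yml (already parsed into a dict, so the two sample routers are constructed inline from the excerpts in the Edge Listener and Transit Link Listener sections) and verify the rules this article states: every router needs an enabled edge listener with a dialable advertise address, a link listener is optional but must advertise a reachable address when present, and at least one router per network must offer a transit link listener.

```python
import re

# host:port, optionally prefixed with a transport ("tls:") as in link advertisements
_ADVERTISE_RE = re.compile(r"^(?:[a-z]+:)?(?P<host>[^:\s]+):(?P<port>\d{1,5})$")
_UNROUTABLE = {"0.0.0.0", "localhost", "127.0.0.1"}

def parse_advertise(value):
    """Return (host, port) or raise ValueError if peers could not dial the address."""
    m = _ADVERTISE_RE.match(str(value))
    if not m:
        raise ValueError(f"advertise {value!r} is not host:port")
    host, port = m.group("host"), int(m.group("port"))
    if host in _UNROUTABLE or not 1 <= port <= 65535:
        raise ValueError(f"advertise {value!r} is not reachable by peers")
    return host, port

def link_listeners(cfg):
    """Transit link listeners the router opens for other routers (empty if disabled)."""
    return [l for l in cfg.get("link", {}).get("listeners", []) if l.get("binding") == "transport"]

def check_router_config(cfg):
    """List problems with one router's config; empty means it follows the article's rules."""
    edge = [l for l in cfg.get("listeners", []) if l.get("binding") == "edge"]
    problems = [] if edge else ["no listener with binding 'edge' (required on every NetFoundry router)"]
    checks = [("edge listener", l.get("options", {}).get("advertise")) for l in edge]
    checks += [("link listener", l.get("advertise")) for l in link_listeners(cfg)]
    for where, advertise in checks:
        try:
            parse_advertise(advertise or "")
        except ValueError as e:
            problems.append(f"{where}: {e}")
    return problems

def check_network(configs):
    """Per-router checks plus the network-wide rule: at least one router must offer a link listener."""
    problems = [f"{n}: {p}" for n, cfg in configs.items() for p in check_router_config(cfg)]
    if not any(link_listeners(c) for c in configs.values()):
        problems.append("network: no router has a transit link listener")
    return problems

# Constructed sample configs mirroring the article's excerpts, as parsed from YAML (not real routers).
PUBLIC_ROUTER = {
    "listeners": [{"binding": "edge", "options": {"advertise": "router123.example.com:443"}}],
    "link": {"dialers": [{"binding": "transport"}],
             "listeners": [{"binding": "transport", "bind": "tls:0.0.0.0:80",
                            "advertise": "tls:router123.example.com:80"}]}}
PRIVATE_ROUTER = {  # no link listener: this router only dials out and stays invisible
    "listeners": [{"binding": "edge", "options": {"advertise": "10.11.12.13:443"}}],
    "link": {"dialers": [{"binding": "transport"}]}}
```

Run check_network over all rendered configs before copying them to the VMs; a non-empty result means enrollment would produce a router that Endpoints or peer routers cannot reach.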

Firewall

Outbound and inbound general firewall requirements are described here.
