This guide goes over the specifics of creating and managing Edge Routers in the NetFoundry Console. You may also go back to Create and Manage Your Network.
Create Your Edge Router
To create your Edge Router, go to Network Settings → Edge Routers to get the process started. Click the blue plus-sign in the upper right corner to create a new Edge Router.
On the 'Create a New Edge Router' screen, you'll see options for name, attributes, and hosting. A unique name is needed to create an Edge Router. Next, either select from your list of already created attributes, or create a new one. If you have service attributes already created, you'll need to click on the field to populate the list of attributes to choose from. When creating a new attribute, hit ENTER to populate the attribute. The Edge Router role attributes you assign here are potential matches for Edge Router Policies. A matching role attribute causes the matched policy to apply to this Edge Router.
Edge Router hosting is optional. If the switch is toggled OFF, you will need to obtain the Edge Router VM and register it with the provided token. This is useful for hosting a Service in your private network. If the switch is toggled ON, your Edge Router will be hosted by NetFoundry in the selected data center. You will need at least one of these hosted Edge Routers, and preferably one per geography where you have an Endpoint or a Service. Hosted Edge Routers ensure that all parts of your network are online.
NetFoundry-Hosted Edge Router
After selecting the CREATE button, the console will display the Manage Edge Routers list page. The hosted Edge Router will be created automatically in the background and will show PROVISIONED status when completed.
Self-Hosted Edge Router
NOTICE: You've found an early version of this section about self-hosted Edge Routers. Self-Hosting for Edge Routers is under aggressive development. Please reach out to Support and let us know what you are building! We're excited to support your case and will continue to publish the latest here in Support Hub.
After selecting the CREATE button, the console will display the information page. Edge Routers are typically self-hosted. The easiest way to self-host is to launch or download our cloud gateway VM. The VM may be deployed by following the DOWNLOAD button, and enrollment instructions are available via the VIEW (instructions) button. After enrollment, the Console will show the statuses PROVISIONED and REGISTERED.
Manage Your Edge Routers
To manage your existing Edge Router, navigate to the Edge Routers page. You can click on an Edge Router row to edit it or use the ellipsis menu at the end of each row to take actions on the individual Edge Router. Use the select bubbles in the first column of the table to select multiple Edge Routers for bulk delete.
When editing an existing Edge Router, the screen will look the same as the 'Create a New Edge Router' screen, except that you'll click 'Update' to finish editing your Edge Router instead of 'Create'.
Your Edge Routers must be able to dial outbound to the internet on 80,443,6262/tcp and 80/udp.
- An Edge Router will dial outbound to the server hostname:port for any Services hosted by the Edge Router.
- An Edge Router will dial outbound to the network's dedicated Controller on 80,443,6262/tcp;80/udp.
- An Edge Router will dial outbound to the network's Edge Routers that are publicly hosted by NetFoundry on 80/tcp,udp.
It is possible, but not typically necessary nor expedient, to write a firewall ruleset that severely limits outgoing traffic to only the expected destination IPs, i.e. an "outgoing IP whitelist". This is because your Edge Router(s) will only forward outgoing traffic from authenticated Endpoints to authorized Services, and so do not function as a general-purpose router, i.e. a default gateway. If you wish to further limit outgoing traffic beyond destination port+protocol, then consider allowing any destination IP only for the expected source IPs of your Edge Routers. This is more flexible and resilient than a destination IP allowance because you are in full control of the source IPs and system security for your Edge Routers.
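The following is an added example, not part of the NetFoundry article: a small POSIX shell function that emits an nftables egress policy for a perimeter firewall sitting in front of customer-hosted Edge Routers, implementing the source-IP approach described above. The Edge Router source IPs and the hosted-service destination (192.0.2.10:8443/tcp) are constructed placeholders; the port list is the one the article requires.

```shell
#!/bin/sh
# Added example (not NetFoundry's code). Generates an nft ruleset in which the
# Edge Router source IPs may reach any destination on the required ports, plus
# the explicitly listed hosted-service targets; all other forwarded egress is
# logged and dropped. Stateful replies are always allowed.

ER_TCP_PORTS="80, 443, 6262"   # Controller and NetFoundry-hosted Edge Routers (tcp)
ER_UDP_PORTS="80"              # Controller and fabric links (udp)

# gen_egress_rules "<space-separated Edge Router source IPs>" "<ip:port/proto> ..."
# The second argument lists servers behind Services hosted by the Edge Router
# (the article's "server hostname:port"); use IPs here since nft rules match on
# addresses, not names.
gen_egress_rules() {
  srcs="$1"; services="$2"
  set_members=$(printf '%s' "$srcs" | tr -s ' ' ',' | sed 's/,/, /g')
  printf 'table inet er_egress {\n'
  printf '  set er_sources { type ipv4_addr; elements = { %s }; }\n' "$set_members"
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy drop;\n'
  printf '    ct state established,related accept\n'
  printf '    ip saddr @er_sources tcp dport { %s } accept\n' "$ER_TCP_PORTS"
  printf '    ip saddr @er_sources udp dport { %s } accept\n' "$ER_UDP_PORTS"
  for svc in $services; do
    host=${svc%%:*}; rest=${svc#*:}; port=${rest%%/*}; proto=${rest#*/}
    printf '    ip saddr @er_sources ip daddr %s %s dport %s accept\n' "$host" "$proto" "$port"
  done
  printf '    log prefix "er-egress-drop: " drop\n'
  printf '  }\n}\n'
}

# Constructed sample: two Edge Routers and one hosted-service server.
gen_egress_rules "10.0.0.5 10.0.0.6" "192.0.2.10:8443/tcp"
```

Review the generated ruleset and load it with `nft -f` on the perimeter firewall host; the dropped packets logged with the `er-egress-drop:` prefix show which unexpected destinations, if any, your Edge Routers attempted.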
Most people will never need to configure their own customer-hosted Edge Routers to accept incoming connections. However, if you have specific Ziti fabric or Ziti edge design requirements that cannot be fulfilled by publicly-hosted Edge Routers in a NetFoundry data center, then you may manually configure your own customer-hosted Edge Routers to listen for Endpoints dialing the Ziti edge (443/tcp), for other Edge Routers dialing Ziti fabric links (80/tcp,udp), or both.
For details about configuring the Ziti edge listener for Endpoint dialers and the Ziti fabric listener for Edge Router dialers, see the appropriate article for your situation:
- Most people will register the NetFoundry VM as an Edge Router. This is your "customer-hosted Edge Router": How to Register the NetFoundry VM
- Few people will bring their own Ziti router software or operating system or both. This is your "customer-installed Edge Router": How to Self-install an Edge Router