1. NetFoundry
  2. Docs & Guides
  3. Service Policies (AppNets) & Services

Create and Manage Services

Overview

This guide covers the specifics of creating and managing NetFoundry Services in the web console. To use a Zero Trust (Ziti) Service you will need a NetFoundry Version 7 (or higher) Network.   You will also need to decide which of the following methods you will utilize for hosting the Service: 

  • Service Terminating on Edge Router (Supported on ERs provisioned  before June 29th 2021)
  • Service Termination on HA Edge Router (Supported on ERs provisioned before June 29th 2021)
  • Tunneler Identity Hosted Service
  • Client SDK Application Identity(s) Hosted Service

Examples of these configurations will be described below. 

As part of the configuration setup, you may refer to the following support articles for information on creating other necessary components: 

 

A Service is defined (in Console provisioning: See Create a Service - Service Configuration and Provisioning ) as Hosted by an Edge router.  In this example, the Edge Router is Customer Self Hosted so it can be "dark" (not open to be publicly accessible).    It calls out to the Network Controller to communicate with the NetFoundry Zero Trust Network for configuration and Data transport setup.   

An Identity (Client) is provisioned and enrolled/registered to be the consumer of the service (customer defined application).   

The Service Policy [APPNET] is defined (refer to Create and Manage Service Policies [APPNETs] ) to connect the Identity to the service.    

To enable the Network Fabric to setup connections and  transport data, there needs to be at least one Publicly accessible Edge Router defined.  Either the Customer Self Hosted Edge Router can be configured to be accessible through the customer firewall (specific ports need to be opened) or a second Edge Router, the NetFoundry Hosted Edge Router is required.   

 

Note: - With Advanced services, the services can also be hosted by identities as stand alone or identities running on the customer self hosted edge router

Create a Service - Service Configuration and Provisioning

Creating a Service is straightforward. Go to Services section in the NetFoundry console to get the process started. Click the blue plus-sign in the upper right corner to create a new service. 

 

Common Service Provisioning Items

The Sections on the Service Provisioning Console Page are utilized based on the type of Service desired.  Some of the common ones are provisioning boxes for Service Name, Service Attributes, and Client Configuration.

Best Practice Note:
When configuring service hosting, it is best practice to use identity attributes (#) rather than discrete identities (@).  This allows for expansion to multiple hosting devices, if necessary, simply by adding another host with that identity attribute, or replacement of a host by creating a new one and adding that attribute.  This is much easier and less prone to error than having to manually reconfigure each service.

 

Service Name

A unique name is needed to create a Service.  This will also be used to create an "@" Attribute for the service, so the service can be referenced by name on the AppWAN provisioning page.  Attributes are explained below in Service Attributes and their utilization.

 

Service Attributes 

Service attributes provide the reference to any tagged services that are to be made available to the identities(via Service Policies [APPNETs]).   For referring to a specific single service, the attribute with "@" is used.  Those "@" attributes are automatically created for each service.  For example, if a service named "marketingDocs" is created, the attribute @marketingDocs will also be available for reference in Service Policies [APPNETs] provisioning in the "Service Attributes" Box.
In the Service Attributes field on the Service Screen, enter attributes such as "#allMarketingServices".  For example, #allMarketingService attribute (once created on this or any other service) may be added in the Service Attributes Box, thus adding that service to the group of services that can be referenced by that attribute/tag.   The system operator can provision the attribute (#allMarketingServices, for example) on any service related to applications accessible by marketing.    The "#" attribute(tag) is created by the system operator and assigned as desired.  If you want this service to be included in Service Policies [APPNETs], you can refer to it with the "@" attribute or any "#" attribute to which it belongs(has assigned to it, as seen on the Service Details/Edit Screen).

 

Client Configuration

This is the section used to denote how the Client Identities that will be utilizing this service need to access it.    There can be a hostname or IP Address specified, along with the application port number.  The hostname can be any contrived hostname to be utilized by the Client user.  A local DNS resolver will resolve it as a Zero Trust Service and route it over the Zero Trust Network to the proper Service being hosted.  This service can be hosted by any of the methods listed above in the section: Overview

Note: the hostname/ip address could be a public one, as long as the network routing will allow the Edge Router to access the address. Moreover, Protocol IP/Hostname must include a "." 

 

Service Type -

While trying to create a service, you will get the option of creating a Simple Service or Advaced Service.

mceclip0.png

 

Simple Service

Edge Router Terminated Services - Provisioning 

(Supported on N/Ws with ERs provisioned prior to 29th June 2021)

 

Steps For Provisioning Services with Edge Router Terminated Services

For edge router Terminated Services, First select "Enable Router Based Termination" field to ON in the "Router Termination" Section.  This will "grey" out the Sections of the page that are not applicable to Edge Router Terminated Services.   

The rest of the fields need to be completed.   Complete Service Name, Service Attributes, and Client Configuration Sections as described above in sections:

Service Name

Service Attributes and their utilization

Either select from your list of already created service attributes, or create a new one. If you have service attributes already created, you'll need to click on the field to populate the list of attributes to choose from. When creating a new one, hit 'return' or 'enter' to populate the attribute. 

Client Configuration

 

Screen_Shot_2021-02-02_at_11.43.56_AM.png

Enable HA Capability by clicking 'ADD ANOTHER'. Users can add up to 4 different Edge Routers.

 

Screen_Shot_2021-02-02_at_11.44.38_AM.png

End to end encryption 

Encrypts all packets entering the network at the source and decrypts at the destination.

Services Hosted in a Customer Private Network

These are services(hostnames or Ip Addresses, combined with application port number) that exist in the customer private data center or customer network.  They are services that need to be exposed to NetFoundry Zero Trust Identities (NetFoundry Zero Trust Clients or other Zero Trust Edge Router/gateways)

In the ROUTER BASED TERMINATION SECTION, select a Customer Self-Hosted Edge Router that has been provisioned and Registered. 

NOTE: You will not be able to provision a service hosted on the edge router until it is registered.  This "Registration" status is shown on the Console "Edge Router List view" or "Edge Router Details/Edit Page" Under the Manage Edge Routers Button and Tab.

Protocol - Select the Protocol Transport Required (TCP or UDP) for the service

HOSTNAME/IP Address - Enter the existing hostname or IP Address that is configured for the Service/Application on the Customer Network, along with the application port for the service/application. 

Note: the hostname/ip address could be a public one, as long as the network routing will allow the Edge Router to access the address. Moreover, Protocol IP/Hostname must include a "." as seen below.

 

image__1_.png

 

After Selecting Create, the service will be provisioned in the Controller.    To utilize the service, add it to a NetFoundry AppWAN by referencing the Service Attribute (either "@" attribute or any "#" attribute that you may have assigned to it).     

 

Service Type - SDK Application Identity(s) Hosted Service - Provisioning

One or more Identities may host a service exposed by an Identity using a Zero Trust SDK Application.  This service can also be  accessible by one or more other Identities. A unique name is needed to create a Service. Next, either select from your list of already created service attributes, or create a new one. If you have service attributes already created, you'll need to click on the field to populate the list of attributes to choose from. When creating a new one, hit 'return' or 'enter' to populate the attribute. 

Similarly, add or create the list of clients hosting the service using attributes.  Also select a set of edge routers that will be utilized to provide access to those services, using attributes.

Optionally, for "Client Configuration", Enter the host name or IP Address (and port) on which the Clients of this service will access this service. This configuration is necessary for clients that are tethered via Tunneler. Identities that are SDK apps will ignore this configuration.

 

mceclip1.png

Service Type - Identity Hosted Service - Provisioning

An Identities used as a Zero Trust Edge Device Tunneler may host a service accessible on a network behind the tunneler device. accessible by one or more other Identities. A unique name is needed to create a Service. Next, either select from your list of already created service attributes, or create a new one. If you have service attributes already created, you'll need to click on the field to populate the list of attributes to choose from. When creating a new one, hit 'return' or 'enter' to populate the attribute. 

Similarly, add or create the list of clients hosting the service using attributes.  Also select a set of edge routers that will be utilized to provide access to those services, using attributes.

Optionally, for "Client Configuration", Enter the host name or IP Address (and port) on which the Clients of this service will access this service. This configuration is necessary for clients that are tethered via Tunneler. Identities that are SDK apps will ignore this configuration.

 

mceclip0.png

 

Advanced Service

Advanced services provide additional options than simple service such as service creation for IP and port ranges, HA of identity hosted services, source IP transparency etc. Let's look at the individual components under advance services. Service name, Service attributes, edge router attributes and end to end encryption are the same as simple services.

  • Client intercept configuration

This is the section used to denote how the Client Identities that will be utilizing this service need to access it. There can be a hostname or IP Address or IP subnet specified, along with the application port numbers or port ranges. Multiple individual ports  or port ranges can be configured. The hostname can be any contrived hostname to be utilized by the Client user.  The protocol - TCP or UDP or both may be allowed.

Note: the hostname/ip address could be a public one, as long as the network routing will allow the Edge Router to access the address. Moreover, Protocol IP/Hostname must include a "." 

  • Destination Configuration

Select one or more identities to host the service by the individual identity names or identity group attributes . Select protocol / address / port forwarding if the destination is reachable on the same hostname / IP / procotol / port or ports as in the client intercept configuration.

If the destination IP / hostname / port are different from the client configuration, you can disable forwarding of IP / hostname or port or protocol and provide the details. The NetFoundry local DNS will resolve the client configuration to the destination configuration. Ensure that the application / destination is reachable on the IP / port / port range / protocol as specified in the destination configuration.

 

Note that when forwarding is disabled, only a single IP / port is supported in the destination configuration at this point. 

  • Source Transparency

Enabling the source transparency allows the source IP of the device to be visible at the destination app of host. While having it disabled, the source IP will be NATTED to the IP of the egress router or identity . Make sure that the source IPs have a route allowed at the destination network.

Note: Do not use "0.0.0.0/0" in the allow source addresses field as it will result in loopback route provisioning on the egress Edge Router.  

mceclip5.png

Know more about source transparency here.

HA of identity hosted services 

 

Enable HA Capability by adding the required identities. You can add up to 4 different identities.

 

mceclip0.png

 

Manage Your Service

To manage your existing Services, navigate to Services section in the NetFoundry Console. You can click on a service row to edit it or use the ellipsis menu at the end of each row to take actions on the individual service. Use the select bubbles in the first column of the table to select multiple services for bulk delete.

manage_services_ziti.png

When editing an existing service, the screen will look the same as the 'Create a New Service' screen, except that you'll click 'Update' to finish editing your service, instead of create. 

NOTE:

For ROUTER BASED TERMINATION servcies, you cannot change the Terminating Router on which you have defined the service.  A new service should be created for this purpose

 

 

 

Articles in this section

Was this article helpful?
1 out of 1 found this helpful