Overview
A Service is defined (in Console provisioning; see Create a Service - Service Configuration and Provisioning) as hosted by an Edge Router. In this example the Edge Router is Customer Self Hosted, so it can be "dark" (not publicly accessible): it only calls out to the Network Controller to obtain its configuration and to set up data transport over the NetFoundry Zero Trust Network.
An Identity (Client) is provisioned and enrolled (registered) to be the consumer of the service, that is, the customer-defined application.
The Service Policy [APPNET] is defined (refer to Create and Manage Service Policies [APPNETs]) to connect the Identity to the service.
To enable the Network Fabric to set up connections and transport data, at least one publicly accessible Edge Router must be defined. Either the Customer Self Hosted Edge Router is made reachable through the customer firewall (specific ports need to be opened), or a second Edge Router, a NetFoundry Hosted Edge Router, is required.
Note: With Advanced services, services can also be hosted by identities, either stand-alone or running on the customer self hosted edge router.
Create a Service - Service Configuration and Provisioning
Creating a Service is straightforward. Go to the Services section in the NetFoundry console to start the process, then click the blue plus-sign in the upper right corner to create a new service.
Common Service Provisioning Items
The sections on the Service Provisioning console page are used according to the type of service desired. The common ones are the provisioning boxes for Service Name, Service Attributes, and Client Configuration.
Best Practice Note:
When configuring service hosting, it is best practice to reference identity attributes (#) rather than discrete identities (@). This allows expansion to multiple hosting devices simply by adding another host carrying that attribute, or replacement of a host by creating a new one and assigning the attribute. This is much easier and less error-prone than manually reconfiguring each service whenever a host changes.
Service Name
A unique name is needed to create a Service. The name is also used to create an "@" attribute for the service, so the service can be referenced by name on the AppWAN provisioning page. Attributes are explained below under Service Attributes.
Service Attributes
Client Configuration
This section denotes how the Client Identities that will use this service address it: a hostname or IP address, together with the application port number. The hostname can be any contrived name chosen for the client user; it does not need to exist in public DNS. The local DNS resolver on the client resolves it as a Zero Trust Service and routes the traffic over the Zero Trust Network to the service being hosted. The service can be hosted by any of the methods listed above in the Overview section.
Note: the hostname/IP address may be a public one, as long as the network routing allows the Edge Router to reach that address. The Protocol IP/Hostname field must include a ".".
Service Type -
When creating a service, you are given the option of creating a Simple Service or an Advanced Service.
Simple Service
Edge Router Terminated Services - Provisioning
(Supported on networks with Edge Routers provisioned prior to 29th June 2021)
Steps For Provisioning Services with Edge Router Terminated Services
For Edge Router Terminated Services, first set the "Enable Router Based Termination" field to ON in the "Router Termination" section. This greys out the sections of the page that do not apply to Edge Router Terminated Services.
The remaining fields need to be completed. Fill in the Service Name, Service Attributes, and Client Configuration sections as described above.
Enable HA capability by clicking 'ADD ANOTHER'. Up to 4 different Edge Routers can be added.
End to end encryption
Encrypts all packets as they enter the network at the source and decrypts them only at the destination, so the fabric in between carries ciphertext.
Services Hosted in a Customer Private Network
These are services (hostnames or IP addresses, combined with an application port number) that exist in the customer private data center or customer network and need to be exposed to NetFoundry Zero Trust Identities (NetFoundry Zero Trust Clients or other Zero Trust Edge Routers/gateways).
In the ROUTER BASED TERMINATION section, select a Customer Self-Hosted Edge Router that has been provisioned and registered.
NOTE: You cannot provision a service hosted on an edge router until that router is registered. The "Registration" status is shown in the console "Edge Router List view" or on the "Edge Router Details/Edit Page" under the Manage Edge Routers button and tab.
Protocol - Select the transport protocol required for the service (TCP or UDP).
HOSTNAME/IP Address - Enter the existing hostname or IP address configured for the service/application on the customer network, along with the application port.
Note: the hostname/IP address may be a public one, as long as the network routing allows the Edge Router to reach that address. The Protocol IP/Hostname field must include a ".".
After Selecting Create, the service will be provisioned in the Controller. To utilize the service, add it to a NetFoundry AppWAN by referencing the Service Attribute (either "@" attribute or any "#" attribute that you may have assigned to it).
Service Type - SDK Application Identity(s) Hosted Service - Provisioning
One or more Identities running a Zero Trust SDK application may host a service, which can then be accessed by one or more other Identities. A unique name is needed to create the Service. Next, either select from your list of already created service attributes or create a new one. If service attributes already exist, click on the field to populate the list to choose from. When creating a new one, press 'Enter' to add the attribute.
Similarly, add or create the list of identities hosting the service, using attributes. Also select, using attributes, the set of edge routers that will provide access to the service.
Optionally, under "Client Configuration", enter the hostname or IP address (and port) on which clients of this service will access it. This configuration is required for clients connected via a Tunneler; Identities that are SDK applications ignore it.
Service Type - Identity Hosted Service - Provisioning
An Identity used as a Zero Trust Edge Device Tunneler may host a service located on a network behind the tunneler device, accessible by one or more other Identities. A unique name is needed to create the Service. Next, either select from your list of already created service attributes or create a new one. If service attributes already exist, click on the field to populate the list to choose from. When creating a new one, press 'Enter' to add the attribute.
Similarly, add or create the list of identities hosting the service, using attributes. Also select, using attributes, the set of edge routers that will provide access to the service.
Optionally, under "Client Configuration", enter the hostname or IP address (and port) on which clients of this service will access it. This configuration is required for clients connected via a Tunneler; Identities that are SDK applications ignore it.
Advanced Service
Advanced services provide options beyond those of a simple service, such as services for IP and port ranges, HA of identity hosted services, and source IP transparency. The individual components of an advanced service are described below. Service name, service attributes, edge router attributes and end to end encryption are the same as for simple services.
Client intercept configuration
This section denotes how the Client Identities that will use this service address it. A hostname, IP address or IP subnet can be specified, along with the application port numbers or port ranges; multiple individual ports or port ranges can be configured. The hostname can be any contrived name chosen for the client user. The protocol may be TCP, UDP or both.
Note: the hostname/IP address may be a public one, as long as the network routing allows the Edge Router to reach that address. The Protocol IP/Hostname field must include a ".".
Destination Configuration
Select one or more identities to host the service, by individual identity name or by identity group attribute. Select protocol / address / port forwarding if the destination is reachable on the same hostname / IP / protocol / port or ports as in the client intercept configuration.
If the destination IP / hostname / port differ from the client configuration, disable forwarding of the IP / hostname, port or protocol and provide the destination details. The NetFoundry local DNS resolves the client configuration to the destination configuration. Ensure that the application / destination is actually reachable on the IP / port / port range / protocol specified in the destination configuration.
Note that when forwarding is disabled, only a single IP / port is supported in the destination configuration at this time.
Source Transparency
Enabling source transparency makes the source IP of the client device visible to the destination application or host. With it disabled, the source IP is NATed to the IP of the egress router or hosting identity. When transparency is enabled, make sure the destination network has a return route for those client source IPs and that any destination-side ACLs allow them.
Note: Do not use "0.0.0.0/0" in the allowed source addresses field, as it results in a loopback route being provisioned on the egress Edge Router.
Know more about source transparency here.
HA of identity hosted services
Enable HA capability by adding the required hosting identities. Up to 4 different identities can be added.
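The constraints spread across the Simple Service and Advanced Service sections above (the "." rule for the intercept hostname/IP, ports and port ranges, at most 4 HA routers or identities, a single IP/port when forwarding is disabled, and no 0.0.0.0/0 in the allowed source addresses) are easy to get wrong in a console form. The following is an added preflight checker that encodes those rules so a service definition can be validated before it is entered; it is example code, not NetFoundry's, and the dataclass field names (`Intercept`, `Destination`, `allowed_sources`, and so on) are assumptions rather than console or API names.

```python
"""Preflight checks for a NetFoundry service definition (added example, not NetFoundry code).
Field names are assumptions; the rules come from the console documentation above.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_HA_HOSTS = 4                 # console limit for HA edge routers / hosting identities
VALID_PROTOCOLS = {"tcp", "udp"}

# RFC 1123 style labels separated by dots; the page requires at least one ".".
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)


def valid_address(addr: str, allow_subnet: bool = True) -> bool:
    """A hostname containing a '.', an IP address, or (optionally) a CIDR subnet."""
    if "." not in addr:                      # page rule: IP/Hostname must include a "."
        return False
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:                       # not an IP or CIDR, so treat as a hostname
        return bool(HOSTNAME_RE.match(addr))
    # A bare IP parses as a /32 network; anything wider is a subnet.
    return allow_subnet or net.num_addresses == 1


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse '80,443,8000-8100' into (low, high) pairs; raise on malformed or inverted ranges."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_n, hi_n = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo_n, hi_n))
    if not ranges:
        raise ValueError("no ports given")
    return ranges


@dataclass
class Intercept:
    address: str                           # hostname, IP or subnet the clients connect to
    ports: str                             # "443" or "8000-8100,9000"
    protocols: Tuple[str, ...] = ("tcp",)


@dataclass
class Destination:
    hosts: List[str]                       # "#attribute" or "@identity" hosting the service
    forward_address: bool = True           # reuse the intercept address at the destination
    forward_port: bool = True              # reuse the intercept port(s) at the destination
    address: Optional[str] = None          # required when forward_address is False
    ports: Optional[str] = None            # required when forward_port is False


@dataclass
class Service:
    name: str
    intercept: Intercept
    destination: Destination
    source_transparency: bool = False
    allowed_sources: List[str] = field(default_factory=list)   # CIDRs when transparency is on


def check_service(svc: Service) -> List[str]:
    """Return the list of problems found; an empty list means the definition follows the page's rules."""
    problems = []
    if not svc.name.strip():
        problems.append("service name is required")

    ic = svc.intercept
    if not valid_address(ic.address):
        problems.append(f"intercept address {ic.address!r} must be a dotted hostname, IP or subnet")
    try:
        parse_ports(ic.ports)
    except ValueError as e:
        problems.append(f"intercept ports: {e}")
    if not ic.protocols or {p.lower() for p in ic.protocols} - VALID_PROTOCOLS:
        problems.append("intercept protocol must be tcp, udp or both")

    d = svc.destination
    if not 1 <= len(d.hosts) <= MAX_HA_HOSTS:
        problems.append(f"destination needs 1 to {MAX_HA_HOSTS} hosting identities/routers")
    if any(h.startswith("@") for h in d.hosts):
        problems.append("best practice: host on a '#' attribute rather than a discrete '@' identity")
    if not d.forward_address:                # page: only a single IP / port when forwarding is off
        if not d.address or not valid_address(d.address, allow_subnet=False):
            problems.append("destination address must be a single host when address forwarding is off")
    if not d.forward_port:
        try:
            ranges = parse_ports(d.ports or "")
            if len(ranges) != 1 or ranges[0][0] != ranges[0][1]:
                problems.append("destination must be a single port when port forwarding is off")
        except ValueError as e:
            problems.append(f"destination ports: {e}")

    if svc.source_transparency:
        if not svc.allowed_sources:
            problems.append("source transparency needs at least one allowed source range")
        for cidr in svc.allowed_sources:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"allowed source {cidr!r} is not a valid CIDR")
                continue
            if net.prefixlen == 0:           # 0.0.0.0/0: page warns of a loopback route on the egress router
                problems.append(f"allowed source {cidr!r} is a default route and must not be used")
    return problems


if __name__ == "__main__":
    # Constructed sample: an advanced service with forwarding disabled and transparency on.
    sample = Service(
        "finance-app",
        Intercept("finance.corp.example", "443", ("tcp",)),
        Destination(["#finance-hosts"], forward_address=False, address="10.20.30.40"),
        source_transparency=True,
        allowed_sources=["10.100.0.0/16"],
    )
    for problem in check_service(sample) or ["ok"]:
        print(problem)
```

Running it with a definition that breaks a rule prints each violation, so the fix can be made before the service is provisioned in the Controller rather than after the first client cannot connect. The '@' check is reported as a best-practice finding in the same list, matching the recommendation in the Best Practice Note above.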
Manage Your Service
To manage your existing Services, navigate to the Services section in the NetFoundry Console. Click on a service row to edit it, or use the ellipsis menu at the end of each row to take actions on the individual service. Use the select bubbles in the first column of the table to select multiple services for bulk delete.
When editing an existing service, the screen looks the same as the 'Create a New Service' screen, except that you click 'Update' instead of 'Create' to finish editing.
NOTE:
For ROUTER BASED TERMINATION services, you cannot change the terminating router on which the service is defined. Create a new service instead.