This article applies to NetFoundry networks version 7 or higher. Refer to Finding Your Network Version for detailed information on determining your Network Version.
Ziti Network Overview
Controller, Transport Fabric, Edge Routers, Endpoints
Controller is Deployed as part of Network Creation
Transport Fabric is added by the customer as either NetFoundry Hosted Edge Routers or Customer Self-Hosted Edge Routers. Note: At least one publicly exposed Edge Router must be deployed for the Zero Trust Network Transport to operate; see below for the options to deploy this.
The Transport Fabric can consist of NetFoundry Hosted Edge Routers (which transport data over the Internet) or Customer Self-Hosted Edge Routers, which can be "dark" or exposed to the public internet.
Edge Routers are also utilized to provide the "on-ramp" to the Zero Trust Network Transport and the "off-ramp" to Zero Trust Services.
NetFoundry Hosted publicly accessible Edge Routers are created to be utilized as the Zero Trust Transport fabric and can be utilized as the termination point for publicly accessible services.
Customer Self-Hosted Edge Routers, which can be "dark" (behind customer firewalls), are utilized to provide access to the Zero Trust Network Service for Endpoints on the customer private network (on-ramp), and also to host customer private services (off-ramp) for remote Endpoints configured as NetFoundry Zero Trust Clients. Customer Self-Hosted Edge Routers can be exposed to the public internet (by opening specific firewall ports) so that they can also be utilized for the Transport Fabric. This allows for more regional placement of the Transport Fabric Routers.
Endpoints can be consumers or hosts of Services (or both).
Network Components Diagrams
This section shows the components that make up a Zero Trust Network and how they play a part in delivering access to services for the types of services offered:
- Service Terminating on Edge Router
- Tunneler Endpoint Hosted Service
- Client SDK Endpoint(s) Hosted Service
Service terminating on an Edge Router (Edge Router Hosted Service)
Below is a simplified architecture of the logical and physical components that enable delivery of a service to a NetFoundry Zero Trust Endpoint (Client in this case).
A Service is defined (in Console provisioning; see Create a Service - Service Configuration and Provisioning) as hosted by an Edge Router. In this example, the Edge Router is Customer Self-Hosted, so it can be "dark" (not publicly accessible). It calls out to the Network Controller to communicate with the NetFoundry Zero Trust Network for configuration and data transport setup.
An Endpoint (Client) is provisioned and enrolled/registered to be the consumer of the service (customer defined application).
The AppWAN is defined (refer to Create and Manage AppWANs) to connect the Endpoint to the service.
To enable the Network Fabric to set up connections and transport data, at least one publicly accessible Edge Router must be defined. Either the Customer Self-Hosted Edge Router is made accessible through the customer firewall (specific ports need to be opened), or a second Edge Router, a NetFoundry Hosted Edge Router, is required.
Create a Service - Service Configuration and Provisioning
Creating a Service is straightforward. Go to Network Settings → Manage AppWANs → Manage Services to get the process started. Click the blue plus-sign in the upper right corner to create a new service.
Common Service Provisioning Items
The Sections on the Service Provisioning Console Page are utilized based on the type of Service desired. Some of the common ones are provisioning boxes for Service Name, Service Attributes, and Client Configuration.
A unique name is needed to create a Service. This will also be used to create an "@" Attribute for the service, so the service can be referenced by name on the AppWAN provisioning page. Attributes are explained below in Service Attributes and their utilization.
Service Attributes and their utilization
This is the section used to denote how the Client Endpoints that will be utilizing this service need to access it. A hostname or IP address can be specified, along with the application port number. The hostname can be any contrived hostname to be utilized by the Client user. A local DNS resolver will resolve it as a Zero Trust Service and route it over the Zero Trust Network to the proper Service being hosted. This service can be hosted by any of the methods listed above in the Ziti Network Overview section.
Service Type - Edge Router Terminated Services - Provisioning
Steps For Provisioning Services with Edge Router Terminated Services
For Edge Router Terminated Services, first set the "Enable Router Based Termination" field to ON in the "Router Termination" section. This greys out the sections of the page that do not apply to Edge Router Terminated Services.
The rest of the fields need to be completed. Complete the Service Name, Service Attributes, and Client Configuration sections as described above in Common Service Provisioning Items and Service Attributes and their utilization.
Services Hosted in a Customer Private Network
These are services (hostnames or IP addresses, combined with an application port number) that exist in the customer private data center or customer network. They are services that need to be exposed to NetFoundry Zero Trust Endpoints (NetFoundry Zero Trust Clients or other Zero Trust Edge Routers/gateways).
In the ROUTER BASED TERMINATION SECTION, select a Customer Self-Hosted Edge Router that has been provisioned and Registered.
NOTE: You will not be able to provision a service hosted on the edge router until it is registered. This "Registration" status is shown on the Console "Edge Router List view" or "Edge Router Details/Edit Page" Under the Manage Edge Routers Button and Tab.
Protocol - Select the Protocol Transport Required (TCP or UDP) for the service
HOSTNAME/IP Address - Enter the existing hostname or IP Address at which the Service/Application is found on the Customer Network, along with the application port for the service/application.
Note: the hostname/IP address can be a public one, as long as the network routing allows the Edge Router to reach the address.
After Selecting Create, the service will be provisioned in the Controller. To utilize the service, add it to a NetFoundry AppWAN by referencing the Service Attribute (either "@" attribute or any "#" attribute that you may have assigned to it).
Services Hosted behind publicly accessible Edge Routers
Similar to Services Hosted in a Customer Private Network, a service hosted publicly can utilize a Publicly Accessible Edge Router, such as a NetFoundry Hosted Edge Router. A Customer Self-Hosted Edge Router can also be utilized to host services, as mentioned in Ziti Network Overview, as long as the proper ports have been opened to allow public access. This is utilized for cases where the customer wants to also use the Edge Router for fabric Transport, along with the NetFoundry Zero Trust Network "on-ramp" or "off-ramp" capability. These scenarios can get more complex to set up, and a NetFoundry Representative should be consulted for specific use cases.
Basic provisioning of the service access is similar to the previous use case.
Service Type - Endpoint Hosted Service - Provisioning
One or more Endpoints may host a service, accessible by one or more other Endpoints. A unique name is needed to create a Service. Next, either select from your list of already created service attributes, or create a new one. If you have service attributes already created, you'll need to click on the field to populate the list of attributes to choose from. When creating a new one, hit 'return' or 'enter' to populate the attribute.
Similarly, add or create the list of clients hosting the service using attributes. Also select a set of edge routers that will be utilized to provide access to those services, using attributes.
Optionally, for "Client Configuration", enter the hostname or IP address (and port) on which the Clients of this service will access it. This configuration is necessary for clients that are tethered via Tunneler. Endpoints that are SDK apps will ignore this configuration.
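The provisioning rules spelled out in the Edge Router Terminated and Endpoint Hosted sections above (a unique name that becomes the "@" attribute, optional "#" attributes, TCP or UDP, a hostname/IP plus port, a registered terminating router for router-based termination, hosting-endpoint and edge-router attributes for endpoint-hosted services, at least one public Edge Router on the network, and the rule from Manage Your Service that the terminating router of an existing service cannot be changed) can be checked before a service is submitted. The following is an added, illustrative validator written for this article; it is not NetFoundry's Console or API code, and all class names, field names and sample values are constructed for the example.

```python
"""Illustrative validator for the service-provisioning rules described in this article.
Hypothetical code for this page, not NetFoundry's Console or API."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class EdgeRouter:
    name: str
    registered: bool          # registration status shown in the Edge Router list view
    public: bool              # reachable from the Internet (NetFoundry hosted, or self-hosted with ports opened)
    self_hosted: bool = True  # customer self-hosted vs NetFoundry hosted


@dataclass
class Service:
    name: str
    protocol: str                                      # "tcp" or "udp"
    host: str                                          # hostname or IP where the application is found
    port: int
    tags: List[str] = field(default_factory=list)      # "#" attributes assigned by the operator
    terminating_router: Optional[str] = None           # set for router-based termination
    host_endpoint_attrs: List[str] = field(default_factory=list)  # endpoint-hosted: who hosts it
    edge_router_attrs: List[str] = field(default_factory=list)    # endpoint-hosted: routers giving access

    def attributes(self) -> List[str]:
        """Attributes an AppWAN can reference: the auto "@name" attribute plus any "#" tags."""
        return ["@" + self.name] + ["#" + t.lstrip("#") for t in self.tags]


def validate_network(routers: List[EdgeRouter]) -> List[str]:
    """The fabric cannot set up connections without at least one publicly accessible router."""
    if not any(r.public for r in routers):
        return ["no publicly accessible edge router: fabric cannot set up connections"]
    return []


def validate_service(svc: Service, routers: List[EdgeRouter], existing_names: Set[str]) -> List[str]:
    """Return a list of provisioning errors; an empty list means the service can be created."""
    errors: List[str] = []
    if not svc.name or svc.name in existing_names:
        errors.append("service name must be unique and non-empty")
    if svc.protocol.lower() not in ("tcp", "udp"):
        errors.append(f"protocol must be TCP or UDP, got {svc.protocol!r}")
    if not 1 <= svc.port <= 65535:
        errors.append(f"port {svc.port} out of range")
    if not svc.host:
        errors.append("hostname/IP address is required")
    if svc.terminating_router is not None:
        # Router-based termination: the selected router must exist and be registered.
        router = next((r for r in routers if r.name == svc.terminating_router), None)
        if router is None:
            errors.append(f"terminating router {svc.terminating_router!r} not provisioned")
        elif not router.registered:
            errors.append(f"terminating router {svc.terminating_router!r} is not registered yet")
    else:
        # Endpoint-hosted: needs hosting endpoints and edge routers, both selected by attribute.
        if not svc.host_endpoint_attrs:
            errors.append("endpoint-hosted service needs at least one hosting endpoint attribute")
        if not svc.edge_router_attrs:
            errors.append("endpoint-hosted service needs edge router attributes for access")
    return errors


def validate_update(existing: Service, updated: Service) -> List[str]:
    """A router-terminated service cannot be moved to another terminating router on update."""
    if existing.terminating_router is not None and updated.terminating_router != existing.terminating_router:
        return ["terminating router cannot be changed; create a new service instead"]
    return []


def select_services(services: List[Service], appwan_refs: List[str]) -> List[Service]:
    """Resolve AppWAN service references ("@name" or "#tag") to the services they match."""
    wanted = set(appwan_refs)
    return [s for s in services if wanted & set(s.attributes())]


if __name__ == "__main__":
    # Constructed sample data: one dark self-hosted router, one public NetFoundry hosted router.
    routers = [EdgeRouter("dc-router", registered=False, public=False),
               EdgeRouter("nf-public", registered=True, public=True, self_hosted=False)]
    crm = Service("crm", "tcp", "crm.internal.example", 443, tags=["sales"], terminating_router="dc-router")
    print(validate_network(routers))                 # [] - nf-public satisfies the public-router rule
    print(validate_service(crm, routers, set()))     # dc-router is not registered yet
    routers[0].registered = True
    print(validate_service(crm, routers, set()))     # [] - ready to create
    print(select_services([crm], ["#sales"]))        # the AppWAN picks crm up via its "#sales" tag
```

The checks mirror the order of the Console page: the network-wide public-router requirement first, then the per-service fields, then the termination type. Running the script shows the registration error clearing once the router's registered flag flips, which is exactly the state the Edge Router list view reports.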
Manage Your Service
To manage your existing Services, navigate to Manage AppWANs and switch over to Manage Services. You can click on a service row to edit it or use the ellipsis menu at the end of each row to take actions on the individual service. Use the select bubbles in the first column of the table to select multiple services for bulk delete.
When editing an existing service, the screen will look the same as the 'Create a New Service' screen, except that you'll click 'Update' to finish editing your service, instead of create.
NOTE: For ROUTER BASED TERMINATION services, you cannot change the Terminating Router on which you have defined the service. A new service should be created for this purpose.