Applies to NetFoundry network Products version 7 or higher.  Refer to Finding Your Network Version for detailed information on determining your Network Version.

The intersection of your policies represent the conditions under which Endpoints are able to connect to Services. In practice, you will probably think most about AppWANs which authorize connections.

Put another way, an Endpoint needs two things: an Edge Router and an AppWAN; and a Service needs the same two things, and so for an Endpoint to connect to a Service they need at least one common Edge Router and one common AppWAN.


Example: Global Edge Routers

In this example the dialing and service Endpoints both use the same Edge Router Policy which is a global pool of publicly-reachable Edge Routers.


Edge Router

This Edge Router is hosted in a NetFoundry data center and is likely be dialed by Endpoints that are geographically near, depending on internet conditions.


Edge Router Policy

This Edge Router Policy configures all Endpoints to dial the network via the first-responding Edge Router in the policy. With a policy matching #all Endpoints, there's no need to further configure router attributes for Endpoints.


Example: Regional Edge Routers

Here we add a router attribute to the service and dialing Endpoints so that their connections to the network can be limited to their respective geographic regions.



This Endpoint has a role attribute #euWestEndpoints that causes it to match a particular Edge Router Policy, and #terminalClients which grants it permission to use a particular AppWAN's services.


Edge Router

This Edge Router has a role attribute #euWestRouters that causes it to match a particular Edge Router Policy.


Edge Router Policy

This Edge Router Policy configures particular Endpoints to dial the network via the first-responding of a particular set of Edge Routers. This example steers some Endpoints to only dial via routers in EU-WEST.



This Service has a role attribute #terminalServers that causes it to match a particular AppWAN, and Edge Router attribute #usEastRouters causing it to only receive connections from those routers. It's not always best to specify the router attributes for a service. The default is #all meaning the service will receive connections from the first reachable router that responds.



This AppWAN authorizes particular Endpoints to connect to particular Services.




Resources are governed by policies that have the same #hashtag attributes as the resource itself. A policy may also @mention a particular resource by name to apply the policy to the mentioned resource. Alternatively, policies may use the magic attribute #all to match all of the resources of one type i.e. Endpoints, Services, or Edge Routers. There are three types of policies:

  • AppWAN
        authorizes Endpoints to connect to Services
  • Edge Router Policy
        configures Endpoints to use Edge Routers to dial the network
  • Service Edge Router Policy
        configures Services to receive connections via Edge Routers


Attributes appear like #hashtag on three types of resources to authorize and configure connections.


Endpoints need at least one online, reachable Edge Router in order to dial the network.

  • Endpoints may connect to Services via a matching AppWAN.
  • Endpoints may dial the network via a matching Edge Router Policy

Edge Routers

Edge Routers are dialed by Endpoints, fabric-linked by other Edge Routers, and may terminate services they can reach outside the Zero Trust network.

  • Edge Routers become available to Endpoints for dialing the network by matching Edge Router Policies.
  • Edge Routers receive connections for Services by matching Service Edge Router Policies.


Services need at least one online, reachable Edge Router to receive connections.

  • Services become available to Endpoints by matching AppWANs.
  • Services also have a property "Edge Router Attributes". This property creates a Service Edge Router Policy for the service which can be used to constrain the selection of Edge Routers by which the Service receives connections. The default is #all.




Was this article helpful?
2 out of 3 found this helpful



Article is closed for comments.