Create and Manage Endpoints


This guide goes over the specifics of creating and managing Endpoints in the web console. Creating an Endpoint is the first step in getting your AppWAN created. 

An Endpoint may be created in an existing Network. You may go back to Create and Manage Your Networks if you still need a network.

Your Choice: Endpoints for any device / any APP

NetFoundry offers software packages for devices with various operating systems - See them here - 

If you are a developer, you can download our SDKs and follow examples on embedding our SDK code in your apps. Ziti is an open-source secure networking framework that is maintained by NetFoundry.

Connecting your app directly to your network as an endpoint (via SDKs) has significant advantages.

  • Create a truly zero-trust connection - Zero Trust Application Access right from the app.
  • Host an invisible server in your custom app that's instantly accessible only to authorized endpoints
  • Deploy clients and servers anywhere without any dependence upon network infrastructure and configuration beyond a commodity internet circuit.

Create an Endpoint

To get started with creating your Endpoint, navigate to Network Settings → Endpoints. From there, click the blue plus sign in the upper right-hand corner to create a new Endpoint.


On the 'Create a New Endpoint' screen, you'll see fields for a name and attributes, along with a registration key to download. A unique name is needed to create an Endpoint. Next, either select from your list of already created attributes, or create a new one. If you have endpoint attributes already created, you'll need to click on the field to populate the list of attributes to choose from. When creating a new one, hit 'return' or 'enter' to populate the attribute. 

Endpoint Name:  Assign the endpoint a name

Endpoint Attribute: Select an existing Attribute or create a new one

Authorization Policy:

  • Select the Policy. If none is selected, the default policy will be applied.
  • Optionally add an external ID to coordinate with the Authentication Policy or JWT Signer requirements.

Once you've filled in all fields, click 'create' and you'll be brought to a new screen like this. 


This key will be needed to add your identity to the endpoint. Based on the type of endpoint you are using, follow the instructions in the installation guides to add the identity and register your endpoint to the network.

Once registered, your endpoint will show in "green" on the console. When the endpoint is offline, it shows in "red". For an unregistered endpoint, the registration status will show as unregistered in the console. Note that the registration token is valid for a period of 48 hours from the time of endpoint creation.

You can also create endpoints with our "network as a code" feature via JSON or YAML. Learn more here.

For your endpoint to be able to dial to the fabric, your Edge Router must be provisioned. With your endpoint created, you may wish to go ahead to Create and Manage Edge Routers.

Manage Your Endpoints

To manage your existing Endpoint, navigate to Manage Endpoints. You can click on an Endpoint row to edit it or use the context menu at the end of each row to take actions on the individual Endpoint. Use the select bubbles in the first column of the table to select multiple endpoints for bulk delete.


Edit - you can edit the endpoint name or attributes

Re-issue token - If the endpoint is not registered within 48 hrs of token issue and the token has expired, you can always reissue the key from the console.

Share - You can share the registration key via e-mail with the user or whoever you intend to register the endpoint

Visualize - You can visualize how your endpoint has a path via the fabric to a service and if the path is broken or not.



Firewall Requirements

Here's a direct link to the main article about firewall requirements.

Endpoints must be able to reach the predictable Network controller IP and at least one (typically) unpredictable Edge Router IP on a predictable TCP port: 443. Predictable IPs are listed in the NetFoundry web console when you click on "Firewall requirements" for a particular Network when viewing "Manage Networks". Your Endpoints must be able to dial outbound to the internet on 443/tcp. 

  • An Endpoint will dial outbound to the Network's dedicated Controller on 443/tcp. This destination IP is predictable.
  • An Endpoint will dial outbound to the Network's Edge Routers that are configured for that Endpoint through Edge Router Policies on 443/tcp. These IPs are not typically predictable.

It is possible, but typically neither necessary for security nor expedient, to write a firewall ruleset that limits outgoing traffic strictly to expected destination IPs, i.e. an "outgoing IP whitelist". If you need to ensure that outbound traffic flows only to predictable destinations, please inquire about customer-hosted Edge Routers, which are VMs you run inside your security perimeter and for which outbound access is granted. In that scenario, Endpoints are configured to connect only to your authorized points of egress.
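
The following preflight check is an added example, not NetFoundry code. Run from the machine that will host the Endpoint, it tests the two outbound paths described above: the Network controller and at least one Edge Router on 443/tcp. The host names in the usage block are placeholders; take the real values from the "Firewall requirements" view in the console.

```python
import socket


def can_connect(host, port=443, timeout=3.0):
    """Return True if an outbound TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or DNS failure
        return False


def preflight(controller, edge_routers, timeout=3.0):
    """Check the outbound paths an Endpoint needs before registration.

    controller:   (host, port) of the Network controller
    edge_routers: list of (host, port) for the Edge Routers the Endpoint
                  is expected to use
    The Endpoint is 'ready' when the controller and at least one Edge
    Router accept a TCP connection.
    """
    controller_ok = can_connect(*controller, timeout=timeout)
    reachable, blocked = [], []
    for router in edge_routers:
        (reachable if can_connect(*router, timeout=timeout) else blocked).append(router)
    return {
        "controller_ok": controller_ok,
        "edge_routers_reachable": reachable,
        "edge_routers_blocked": blocked,
        "ready": controller_ok and bool(reachable),
    }


if __name__ == "__main__":
    # Placeholder host names (assumptions), not real NetFoundry addresses.
    result = preflight(
        controller=("controller.example.net", 443),
        edge_routers=[("edge-router-1.example.net", 443),
                      ("edge-router-2.example.net", 443)],
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

A successful TCP handshake shows only that the firewall permits the connection; a TLS-intercepting proxy on the path can still prevent the Endpoint from registering.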



