Create and Manage Endpoints

Overview

This guide covers the specifics of creating and managing Endpoints in the web console. Creating an Endpoint is the first step toward building your AppWAN.

An Endpoint may be created in an existing Network. You may go back to Create and Manage Your Networks if you still need a network.

Your Choice: SDK or Tunneler

You may customize your apps with the Endpoint SDK so that they join your network directly, or you may tether them to your network with Tunneler. Connecting your app directly to your network as an endpoint has significant advantages:

  • create a truly zero-trust distributed system from the start
  • host an invisible server in your custom app that is instantly accessible only to authorized endpoints
  • deploy clients and servers anywhere without any dependence upon network infrastructure and configuration beyond a commodity internet circuit

Ziti is an open-source secure networking framework that is maintained by NetFoundry. Learn more about the Ziti endpoint SDK for your preferred programming language and stack by visiting the Open Ziti project site.

Create an Endpoint

To get started with creating your Endpoint, navigate to Network Settings → Manage Endpoints. From there, click the blue plus-sign in the upper right-hand corner to create a new Endpoint.

create_endpoint_ziti1.png

On the 'Create a New Endpoint' screen, you'll see fields for a name and attributes, along with a registration key to download. A unique name is required to create an Endpoint. Next, either select from your list of already created attributes, or create a new one. If you have endpoint attributes already created, you'll need to click on the field to populate the list of attributes to choose from. When creating a new one, press 'return' or 'enter' to add the attribute.

ziti_create_endpoints_w__attr2.png

Once you've filled in all fields, click 'create' and you'll be brought to a new screen like this.

endpoint_complete__download_key3.png

If you have chosen to use Tunneler for this endpoint, follow these instructions to enroll Tunneler as your endpoint, and your endpoint will show up as 'Enrolled'. For your endpoint to function properly, your Edge Router must be provisioned. You can check this status on the Manage Edge Routers page, under the 'Type' column, which will show 'Provisioned', 'Provisioning', 'New', or 'Deleting'. Provisioning can take a few minutes, but once it has completed, your endpoints, services, AppWANs, etc. should function as expected.

With your endpoint created you may wish to go ahead to Create and Manage Edge Routers.

Manage Your Endpoints

To manage your existing Endpoint, navigate to Manage Endpoints. You can click on an Endpoint row to edit it or use the context menu at the end of each row to take actions on the individual Endpoint. Use the select bubbles in the first column of the table to select multiple endpoints for bulk delete.

mange_endpoints_elipses4.png

When editing an existing endpoint, the screen looks the same as the 'Create a New Endpoint' screen, except that you'll click 'Update' instead of 'create' to finish editing your Endpoint.

Firewall Requirements

Endpoints must be able to reach the predictable Network Controller IP and at least one Edge Router IP (typically not predictable) on a predictable TCP port: 443. Predictable IPs are listed in the NetFoundry web console when you click on "Firewall requirements" for a particular Network while viewing "Manage Networks". Your Endpoints must be able to dial outbound to the internet on 443/tcp.

  • An Endpoint will dial outbound to the Network's dedicated Controller on 443/tcp. This destination IP is predictable.
  • An Endpoint will dial outbound to the Network's Edge Routers that are configured for that Endpoint through Edge Router Policies on 443/tcp. These IPs are not typically predictable.

It is possible, but not typically necessary for security nor expedient, to write a firewall ruleset that severely limits outgoing traffic to only the expected destination IPs (an "outgoing IP whitelist"). If you find yourself looking for a way to ensure that outbound traffic flows only to predictable destinations, please inquire about customer-hosted Edge Routers: VMs you run inside your security perimeter and for which outbound access is granted. In that scenario, Endpoints are configured to connect only to your authorized points of egress.
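An added reachability check, not part of this article or of NetFoundry's tooling, that dials the Controller and each Edge Router on 443/tcp from the Endpoint host and reports whether the minimum described above is met (Controller reachable and at least one Edge Router reachable). The hostnames in the demo are placeholders; the function names are this example's own, and a 'host:port' form is accepted so non-default ports can be tested.

```python
"""Outbound 443/tcp reachability check for NetFoundry Endpoints (added example).
Destination names below are placeholders; take the real ones from the
console's "Firewall requirements" view for your Network."""
import socket
from typing import Dict, Iterable, Tuple


def parse_dest(dest: str, default_port: int = 443) -> Tuple[str, int]:
    """Split 'host' or 'host:port' into (host, port); the default is 443/tcp."""
    host, sep, port = dest.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return dest, default_port


def can_dial(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if an outbound TCP connection to host:port completes in time.
    Any failure (refused, filtered/timed out, unresolvable) counts as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_firewall(controller: str, edge_routers: Iterable[str],
                   timeout: float = 3.0) -> Dict[str, object]:
    """Dial the Controller and every Edge Router the Endpoint may be routed to.
    'ok' reflects the minimum the firewall requirements describe: the
    Controller must answer and at least one Edge Router must answer."""
    controller_ok = can_dial(*parse_dest(controller), timeout=timeout)
    routers = {r: can_dial(*parse_dest(r), timeout=timeout) for r in edge_routers}
    return {
        "controller": controller_ok,
        "edge_routers": routers,
        "ok": controller_ok and any(routers.values()),
    }


if __name__ == "__main__":
    # Placeholder destinations (constructed); replace with your Network's values.
    report = check_firewall("controller.example.invalid",
                            ["edge-router-1.example.invalid",
                             "edge-router-2.example.invalid"])
    print("controller reachable:", report["controller"])
    for router, reachable in report["edge_routers"].items():
        print(f"edge router {router}: {'reachable' if reachable else 'BLOCKED'}")
    print("minimum requirement met:", report["ok"])
```

Run it from the host where the Endpoint will live, since the result reflects that host's egress path, not the console's.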
