Getting started with NetFoundry Zero Trust Networking - Oracle Cloud Example

Getting Started is Easy

We'll walk you through the simple steps below to spin up your first network on AWS.

1. PREREQUISITES

Sign up for an AWS account, then subscribe to the NetFoundry platform in the AWS Marketplace. If you don't have a NetFoundry account yet, sign up for one. These are all free.

  • Sign up for an AWS Account
  • Subscribe to AWS Marketplace
  • Sign up for NetFoundry

2. CREATING A NETWORK

Refer to the support guide for a Trial Account on NetFoundry Cloud.

For Enterprise accounts, follow the steps below:

  • Log in to your NetFoundry Console at https://nfconsole.io/.
  • Once logged in, you will be prompted to create your network.
  • Give your network a name.
  • Hit Create My Network to commence the provisioning of your network.
  • It will take approximately 5-10 minutes for the network provisioning to complete. Once your network is ready, you will see the spinning globe icon turning green.

You will be sent an email to accept your invitation to join the organization. Once you have created your password and logged in for the first time, you will be prompted to create your Network. This step builds your dedicated SDN Controller, which is the central element of the control plane. Once you hit Create my Network, this deploys a NetFoundry-managed, cloud-based controller, which takes about 5-10 minutes to finish. NOTE: you will not be able to continue until this has finished.

While the system is building the Controller, you will see a grey spinning globe in the upper-left corner. Once completed, the globe will turn green.

The next step (B) is to create the Fabric Router, which builds the transport mechanism for the "middle mile". Choose a location that is geographically close to your resources in the cloud. Choose Routers and select the + in the upper right corner of the page.

Select a name for your Router. Consider using the word "Fabric" in the name to indicate it is a NetFoundry-managed transit instance. Leave the attribute blank; the default attribute will be @thenameofthisrouter. Select NetFoundry Hosted, choose an Oracle Data Center in or nearest your desired Cloud region and hit Create.

For Step C, we will create the Edge Router Policy, which allows Endpoints transit access to the customer edge network in the Cloud. From the Edge Routers screen, select Manage Edge Router Policies and hit the + in the upper right corner to add a policy.

Name the Policy something like Default-Policy or Base-Policy. NOTE: it can be named anything you want, but a descriptive name helps show its logical function.

Next click into the Attributes field and select the @fabricrouter you created in the previous step. In the Endpoint Attributes field, type "#all" and hit Enter. Then select Create. At this point your base network is complete. NOTE: by using #all in the Endpoints field, you are allowing all endpoints to transit this Fabric via @FabricRouter1. For the purposes of a standard deployment and test this is a best practice. For advanced deployments you can use this field to control which endpoints may transit which routers.

Create Customer Hosted Edge Router (Step D)

The next element we will deploy is the Edge Router in the customer VCN containing the WebApp we created for this exercise. From the NetFoundry console, in the Manage Edge Routers section, create a new Edge Router. Provide a name representing something like "customer-location-edge", leave the "Router Attributes" blank, select "Customer Hosted" and hit Create.

You will be given a registration key; keep it for the later step where you create the instance from the Cloud Marketplace.

Now let's return to the Oracle Cloud console and create the Edge Router from the Marketplace.

Again, select the compartment and Availability Region, and select a shape with 1 OCPU and 2 GB memory. Select the VCN and Public Subnet, select Assign public IPv4 address, add your SSH keys and hit Show Advanced Options. Select the cloud-init script option and paste the following into the script field. Append the registration key created in the earlier step to the end of the router-registration line and hit Create. This will build the image in your VCN and register it for you. NOTE: If for some reason the router fails registration and does not show as registered in the NetFoundry console after 10 minutes, it may be necessary to SSH to the instance and attempt registration manually with the same command. Afterwards you can execute sudo systemctl status ziti-router to see if it is running.

#!/bin/bash
# cloud-init user-data for the customer-hosted Edge Router (Step D).
# Replace {key} with the registration key shown when the router was created.
/opt/netfoundry/router-registration {key}
apt update -y
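
As an added example, not NetFoundry's or Oracle's own tooling, the following script packages the check-and-retry described in the NOTE above for running over SSH on the edge router instance: it polls systemctl is-active ziti-router for the 10-minute window the guide allows and re-runs /opt/netfoundry/router-registration only if the router service never came up. The ROUTER_REG_KEY variable, the 30-second poll interval and the "run" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not NetFoundry's own tooling: run over SSH on the edge router
# instance when it has not shown as registered in the console after ~10 minutes.
# Assumptions: ROUTER_REG_KEY holds the key from Step D; the command path and unit
# name are the ones this guide cites; the "run" argument and 30 s interval are ours.
set -u
REG_CMD=/opt/netfoundry/router-registration   # command used in the cloud-init script
UNIT=ziti-router                               # unit the guide says to check
# needs_registration STATE: true (0) when STATE, as printed by `systemctl
# is-active`, means the router service never came up.
needs_registration() {
  case "$1" in
    active|activating|reloading) return 1 ;;
    *) return 0 ;;
  esac
}
# wait_for_active PROBE TRIES DELAY: call PROBE (a command that prints the unit
# state) up to TRIES times, DELAY seconds apart. Prints the last state seen;
# returns 0 as soon as the router is healthy, 1 if it never was.
wait_for_active() {
  probe=$1; tries=$2; delay=$3; state=unknown
  while [ "$tries" -gt 0 ]; do
    state=$("$probe" 2>/dev/null || true)
    if ! needs_registration "$state"; then
      echo "$state"
      return 0
    fi
    tries=$((tries - 1))
    if [ "$tries" -gt 0 ]; then sleep "$delay"; fi
  done
  echo "$state"
  return 1
}
probe_unit() { systemctl is-active "$UNIT"; }
main() {
  key=${ROUTER_REG_KEY:?set ROUTER_REG_KEY to the registration key from Step D}
  # The guide allows about 10 minutes before treating registration as failed: 20 x 30 s.
  if wait_for_active probe_unit 20 30 >/dev/null; then
    echo "$UNIT is running; no action needed"
    return 0
  fi
  echo "$UNIT is not running after 10 minutes; re-running registration" >&2
  sudo "$REG_CMD" "$key" && sudo systemctl --no-pager status "$UNIT"
}
if [ "${1:-}" = run ]; then main; fi   # only act when invoked with "run"
```

Invoke it as ROUTER_REG_KEY=... sh check-router.sh run; without the run argument it only defines the functions.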

Once registered, you should now have 2 Edge Routers up and running in your Network.

Create Endpoint for user access - Windows (Step E)

The next step in the process is to register your Laptop/Host as an endpoint in the Fabric. From the NetFoundry console, select Endpoints from either location in the Network Dashboard.

From the Endpoints page, select the + in the upper right corner to add an Endpoint. Provide a name for your endpoint, leave "Endpoint Attributes" blank and hit Create.

The next screen provides the identity key and the download location for the software. Save the mylaptop.jwt file somewhere you can easily find on your computer. Hit "Select an Installer" to download the operating-system-specific version of the endpoint software. NOTE: the name of your file will be "what-ever-you-named-it.jwt".

Once you have completed the installation of the software, add the created identity to the client. Open the software and select "Add Identity", then browse to the location of the mylaptop.jwt file previously downloaded and hit Open. Your endpoint will now enroll and register on the network.

Within the client application, your identity will now be listed, with No Services at this point.

NOTE: the author has several identities in different networks; these should be disregarded.

Return to the Endpoints page in the NetFoundry console. You will see your endpoint appear as registered. Allow up to 5 minutes.

Create Services and AppWAN (Step F)

The final step is to create a service for the web app in our VCN and to build an AppWAN to allow our endpoint (mylaptop) access to this service (port 80) on the private VCN IP address. The customer edge router will be used to terminate the service, as shown in this example. From the NetFoundry dashboard, select Services from either location and hit the + sign in the upper right corner.

From within the Create Service dialog, provide a name for your service, deselect the native application SDK based option on the right side and select Endpoint Hosted. Leave "Service Attributes" blank and leave "Edge Router Attributes" blank (the default is #all). Select the edge router/endpoint created in Step D from the drop-down list. Enter your private IP and port as the Intercept hostname/IP. Again at the bottom, select TCP and your IP/port 80. Hit Create.

Next select AppWAN from the Services/AppWAN screen and hit the + sign in the upper right corner.

Within the AppWAN create page, select a name suggesting its function/location, e.g. webapp-ash-appwan. Click in the Service Attributes field and select the service created in the previous step. Click in the Endpoint Attributes field and select your endpoint, e.g. @mylaptop. Leave Posture Attributes blank. Hit Create.

Now return to your endpoint client. You should see a service show up in a few minutes. Once the service has populated, you should be able to use a browser to connect to the cloud web app by the private IP from the service you created.

If after 5 minutes it does not show up, stop and start the service by clicking the connect button at the top.

Note you can click the arrow next to your identity to see what the service looks like in your client.

Congratulations on spinning up your first complete network. If you no longer wish to be connected to the NetFoundry network, you can disable the connection with the button to the left of your identity.