Spinning up a NetFoundry Hybrid Cloud Network

Introduction

The NetFoundry Hybrid Cloud deployment model enables organizations to run key networking components—like the Controller and Fabric Routers—in the infrastructure they control, whether on-premise, in private data centers, or in their own public cloud environments like AWS or Azure.

The NetFoundry Hybrid Cloud deployment model is well-suited for scenarios that require data sovereignty, or tight integration with private systems—including OT, IIoT, and regulated enterprise environments. The model is also useful for organizations who want to have the controller in countries where the public clouds are not available and the NetFoundry managed Cloud controller cannot be hosted.

This guide walks you through setting up a NetFoundry Hybrid Cloud Network, using AWS as the example cloud in which the Controller is deployed.

Pre-requisites

A VM with internet access that meets the minimum sizing: 4 vCPU, 8 GB of memory and a 100 GB disk.

SSH RSA key in the PEM format

NetFoundry account

1. Create and upload a private RSA key in the "pem" key format to the NetFoundry console

To begin setting up a Hybrid Cloud Network, you need to generate a private RSA key in the 'pem' format and add it to the NetFoundry Console. This key is used to authorize the NetFoundry Management Orchestration Platform (MOP) to deploy and manage the controller in your own environment (e.g., AWS, on-prem, or private cloud) over a private, secure zero trust network.

  • Sign in to your NetFoundry Console.
  • Navigate to Organizations > Stored Secrets.

  • To add a private RSA key, click the add button at the top right of the page.

  • Select your 'Network Group' from the drop-down.
  • Give the private key a 'name'.
  • Paste the entire contents of your private RSA key (the .pem file) and click 'Create'.

  • You should now see your new private key listed under 'Stored Secrets'.
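Before pasting the key, it is worth confirming that the file really is a traditional PEM RSA private key: current OpenSSH versions of ssh-keygen write keys in their own OpenSSH-native format by default, and only produce the traditional PEM encoding when given -m PEM. The following Python script is an added example, not NetFoundry's code; it assumes the console wants the traditional "-----BEGIN RSA PRIVATE KEY-----" encoding, the helper names (classify_key, check_key, check_key_file) are this example's own, and the two sample keys are constructed armour with no real key material.

```python
"""Check a private key file before pasting it into Stored Secrets.

Added example, not NetFoundry code. It assumes the console wants the
traditional PEM encoding of an RSA key (-----BEGIN RSA PRIVATE KEY-----)
and that an OpenSSH-native or PKCS#8 key must be converted first; the
ssh-keygen commands quoted in the messages are standard OpenSSH usage.
"""
import stat
from pathlib import Path

PEM_RSA_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
PEM_RSA_FOOTER = "-----END RSA PRIVATE KEY-----"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PKCS8_HEADERS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----")


def classify_key(text):
    """Classify the PEM armour: 'pem-rsa', 'pem-rsa-encrypted', 'openssh', 'pkcs8' or 'unknown'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    first, last = lines[0], lines[-1]
    if first == PEM_RSA_HEADER and last == PEM_RSA_FOOTER:
        # Traditional PEM keys signal a passphrase with a Proc-Type header line.
        if any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:3]):
            return "pem-rsa-encrypted"
        return "pem-rsa"
    if first == OPENSSH_HEADER:
        return "openssh"
    if first in PKCS8_HEADERS:
        return "pkcs8"
    return "unknown"


def check_key(text, mode, name="key.pem"):
    """Return a list of problems for a key's contents and file mode (empty list = ready to paste)."""
    problems = []
    if mode & 0o077:
        problems.append(f"{name}: mode {mode:04o} is readable by group/other; chmod 600 it")
    kind = classify_key(text)
    if kind == "openssh":
        problems.append(f"{name}: OpenSSH-native format; convert in place with "
                        f"'ssh-keygen -p -m PEM -f {name}' (or generate with -m PEM)")
    elif kind == "pkcs8":
        problems.append(f"{name}: PKCS#8 PEM, not the traditional RSA PEM header")
    elif kind == "pem-rsa-encrypted":
        problems.append(f"{name}: passphrase-protected; an unattended deployer cannot supply a passphrase")
    elif kind == "unknown":
        problems.append(f"{name}: no recognised PEM private-key header")
    return problems


def check_key_file(path):
    """Apply check_key to a file on disk, reading its permission bits."""
    p = Path(path)
    mode = stat.S_IMODE(p.stat().st_mode)
    return check_key(p.read_text(), mode, name=str(p))


# Constructed samples: armour only, no real key material.
GOOD_PEM = PEM_RSA_HEADER + "\nMIIE...\n" + PEM_RSA_FOOTER + "\n"
OPENSSH_KEY = OPENSSH_HEADER + "\nb3Blbn...\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    for label, text, mode in [("good", GOOD_PEM, 0o600), ("openssh", OPENSSH_KEY, 0o644)]:
        print(label, check_key(text, mode) or "ok")
```

Run check_key_file("~/.ssh/mykey.pem") on the file you intend to paste; an empty list means the format and permissions are as expected, otherwise each message names the fix.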


2. Create the controller VM with the NetFoundry image

The next step is to create the virtual machine (VM) that will host the NetFoundry Controller in your public cloud or private cloud infrastructure.

  • For public cloud deployments, a NetFoundry Marketplace image is available for AWS, GCP, Azure and OCI.
  • For private cloud or on-prem deployments, NetFoundry-supported images are available from our downloads page - NetFoundry Ziti Overlay Network Routers.

When launching an AWS Instance, you’ll need to select the NetFoundry Marketplace image.

Select the Tab for “AWS Marketplace AMIs” and enter “Netfoundry” in the search bar. This should return the latest “Netfoundry Edge Router” AMI for your selected region.

A. NetFoundry Platform IP Whitelisting requirements

The IPs and ports below need to be whitelisted in the controller's security group so that the NetFoundry Platform can initiate outbound connections to the controller.

Port   Purpose                                                         Audience
8001   Saltstack API Endpoint                                          MOP NAT Gateway and Bastion IPs
8443   Ziti Controller - Management API                                MOP NAT Gateway and Bastion IPs
22     SSH (NetFoundry Platform software installation / management)    MOP NAT Gateway and Bastion IPs

MOP NAT Gateway and Bastion IPs: 34.195.87.14, 35.170.207.35, 34.237.12.31, 3.214.111.111


The ports below need to be whitelisted in the security group, inbound to the controller, for control plane communications and for managing software distribution.

Port   Purpose                                                                                      Audience
6262   Network Controller Router - software distribution channel. Can be disabled via Console if necessary.   0.0.0.0/0, or any IP range routers need to connect from
443    Ziti Controller - Client API (v8 includes the Management API)                                0.0.0.0/0, or any IP range identities and routers need to connect from
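The two tables above translate directly into security-group ingress rules, and the easiest way to get them right (and keep them right) is to encode them once and check the live group against that encoding. The following Python script is an added example, not NetFoundry's code: it builds the IpPermissions structure that `aws ec2 authorize-security-group-ingress --ip-permissions` and boto3's authorize_security_group_ingress accept from the article's IPs and ports, and audits an existing group's rules for missing entries and for anything broader than the table allows on the platform-only ports (8001, 8443, 22). The function names, the SAMPLE_EXISTING rules and the security-group id in the usage note are constructed for illustration; 6262 is included because the table lists it, and can be dropped if you disable that channel in the Console.

```python
"""Build and audit AWS security-group ingress rules for the hybrid controller.

Added example, not NetFoundry code. The IPs and ports are the ones the
article's whitelisting tables list; everything else (function names, the
sample existing rules, the aws-cli usage) is this example's own.
"""
import ipaddress
import json

# MOP NAT Gateway and Bastion IPs from the article, as /32 CIDRs.
MOP_IPS = ["34.195.87.14", "35.170.207.35", "34.237.12.31", "3.214.111.111"]
MOP_CIDRS = [f"{ip}/32" for ip in MOP_IPS]

# (port, description, allowed source CIDRs), straight from the two tables.
REQUIRED_INGRESS = [
    (8001, "Saltstack API endpoint", MOP_CIDRS),
    (8443, "Ziti controller management API", MOP_CIDRS),
    (22, "SSH - NetFoundry platform software install/management", MOP_CIDRS),
    (6262, "Network controller router - software distribution", ["0.0.0.0/0"]),
    (443, "Ziti controller client API (v8 includes management API)", ["0.0.0.0/0"]),
]
# Ports the article permits from anywhere; every other listed port must stay MOP-only.
PUBLIC_PORTS = {443, 6262}


def build_ip_permissions():
    """Return the IpPermissions list for authorize-security-group-ingress."""
    perms = []
    for port, desc, sources in REQUIRED_INGRESS:
        perms.append({
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            # ip_network() normalises the CIDR and raises on typos.
            "IpRanges": [{"CidrIp": str(ipaddress.ip_network(c)), "Description": desc}
                         for c in sources],
        })
    return perms


def audit_ingress(existing):
    """Compare a group's existing IpPermissions (the describe-security-groups shape)
    with the table. Returns (missing, too_broad) as lists of (port, cidr)."""
    allowed = {}  # port -> set of CIDRs that currently reach it
    for p in existing:
        proto = p.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo = p.get("FromPort", 0) if proto == "tcp" else 0
        hi = p.get("ToPort", 65535) if proto == "tcp" else 65535
        for port, _, _ in REQUIRED_INGRESS:
            if lo <= port <= hi:
                allowed.setdefault(port, set()).update(
                    r["CidrIp"] for r in p.get("IpRanges", []))
    missing, too_broad = [], []
    for port, _, sources in REQUIRED_INGRESS:
        have = {ipaddress.ip_network(h) for h in allowed.get(port, set())}
        for cidr in sources:
            want = ipaddress.ip_network(cidr)
            if not any(want.subnet_of(h) for h in have):
                missing.append((port, cidr))
        if port not in PUBLIC_PORTS:
            # Any source on a platform-only port that is not inside a listed MOP /32 is too wide.
            for h in have:
                if not any(h.subnet_of(ipaddress.ip_network(c)) for c in sources):
                    too_broad.append((port, str(h)))
    return missing, too_broad


# Constructed sample of what describe-security-groups might return for a
# controller: SSH open to the world, one MOP IP missing on 8443, no 6262 rule.
SAMPLE_EXISTING = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8001, "ToPort": 8001,
     "IpRanges": [{"CidrIp": c} for c in MOP_CIDRS]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": c} for c in MOP_CIDRS[:3]]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    print(json.dumps(build_ip_permissions(), indent=2))
    missing, too_broad = audit_ingress(SAMPLE_EXISTING)
    print("missing:", missing)
    print("too broad:", too_broad)
```

To apply the rules, write build_ip_permissions() to a file with json.dump and pass it as `aws ec2 authorize-security-group-ingress --group-id sg-EXAMPLE --ip-permissions file://rules.json` (sg-EXAMPLE is a placeholder); to audit, feed the IpPermissions list from `aws ec2 describe-security-groups` for that group to audit_ingress. On the constructed sample the audit reports 8443 missing 3.214.111.111/32 and 6262 missing entirely, and flags 22 open to 0.0.0.0/0.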

  • Once you have successfully deployed the VM for the controller, get the elastic IP / static public IP of the VM and share it with NetFoundry Support.
  • NetFoundry will create the Network in the console using the elastic IP / static public IP of the VM to host the customer-hosted Controller.

The create network step may be extended to customers in the future. At this point, our engineers will be creating the network.


B. Register the tunneler for the connection to MOP

Installing the ziti tunnel on the instance you created and enrolling it is required before network provisioning can proceed.

Once 'create my network' is clicked in the console, you can see the real-time Network creation progress in the 'Processes' section as shown below.

  • In the NetFoundry console, navigate to Network Infrastructure -> Network Controllers and click the controller list item to get the registration details.

  • Copy the Enrollment Instructions from the network controller details page.

  • Log in to the instance created in AWS (the user name is ziggy) and run 'sudo apt update'.
  • Then run the copied instructions.

  • These instructions complete the registration of the instance (i.e. installing the ziti tunnel and enrolling it), which is required before network provisioning can proceed.
  • A private, highly secure zero trust connection over an mTLS tunnel with end-to-end encryption on a NetFoundry management network is now being created.

  • Once the ziti tunnel registration completes, you will see Network creation resume and complete in the 'Processes' section of the console as shown below.


At this point, the NetFoundry Hybrid Cloud Network is successfully provisioned, with the Controller hosted in your AWS environment.


  • You can view the IP, DNS and port details for the controller in the Network section under Network Firewall Info.
