Introduction
The NetFoundry On-prem network deployment model enables Zero Trust, secure, and programmable connectivity within your own data center, branch office, factory, or private cloud. It gives organizations full control over their network overlay and data paths while applying Zero Trust principles internally and across hybrid environments. Common use cases for the NetFoundry on-prem deployment are:
- Factory Floor OT Connectivity (e.g., secure access to SCADA/HMI)
- Secure Access to Legacy Apps in the Data Center over private lines
- Privately hosted APIs/Microservices access
- Air-gapped or highly sensitive environments
This guide walks you through setting up a NetFoundry On-prem Network by deploying the Controller on your own infrastructure in any private or public cloud, factory, or branch.
Prerequisites
An Ubuntu 24.04 LTS VM (22.04 is also supported) with a minimum hardware spec of 4 CPUs, 16 GB of RAM, and 50 GB of storage
Firewall config
The following ports need to be opened on the firewall behind which the VM is deployed:
| IP Version / Protocol | Port range | Purpose |
|---|---|---|
| IPv4 / TCP | 1280 | Default controller advertise address (you can choose any port number above 1024) |
| IPv4 / TCP | 3022 | Default router advertise address (you can choose any port number above 1024) |
| IPv4 / TCP | 22 | SSH access |
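As an added example (not part of the NetFoundry installer or its documentation), the following script turns the table above into a host-level ufw allow-list on the Ubuntu VM: inbound traffic is denied by default and only SSH, the controller advertise port and the router advertise port are opened. It assumes ufw is installed and that the script runs with sudo rights; the port numbers can be overridden as positional arguments if you chose non-default ports, and the environment variable NF_APPLY_FIREWALL (a name chosen for this example) must be set to 1 before anything is applied.

```shell
#!/bin/sh
# Added example, not part of the NetFoundry installer: a ufw allow-list matching
# the firewall table (SSH, controller advertise, router advertise).
# Assumes ufw is installed on the Ubuntu VM and the script runs with sudo rights.
# Set NF_APPLY_FIREWALL=1 to apply; otherwise the rules are only printed.

CONTROLLER_PORT="${1:-1280}"   # default controller advertise port from the table
ROUTER_PORT="${2:-3022}"       # default router advertise port from the table
SSH_PORT="${3:-22}"            # SSH access

# Print the ufw commands for the allow-list, one per line.
nf_firewall_rules() {
    ctrl="$1"; rtr="$2"; ssh="$3"
    # Default-deny inbound so anything not in the table stays closed;
    # outbound stays open so the VM can fetch packages and reach NetFoundry.
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # SSH is allowed before ufw is enabled so the current session survives.
    echo "ufw allow ${ssh}/tcp"
    echo "ufw allow ${ctrl}/tcp"
    echo "ufw allow ${rtr}/tcp"
}

# Number of rules the allow-list produces (sanity check before applying).
nf_firewall_rule_count() {
    nf_firewall_rules "$@" | wc -l | tr -d ' '
}

# Apply the rules, then enable ufw non-interactively.
nf_apply_firewall() {
    nf_firewall_rules "$@" | while IFS= read -r cmd; do
        # shellcheck disable=SC2086  # each rule is a plain word list
        sudo $cmd
    done
    sudo ufw --force enable
}

if [ "${NF_APPLY_FIREWALL:-0}" = "1" ]; then
    nf_apply_firewall "$CONTROLLER_PORT" "$ROUTER_PORT" "$SSH_PORT"
else
    nf_firewall_rules "$CONTROLLER_PORT" "$ROUTER_PORT" "$SSH_PORT"
fi
```

Run it once without NF_APPLY_FIREWALL to review the generated rules, then with `NF_APPLY_FIREWALL=1 sudo sh fw.sh 1280 3022` to apply them. This is a second layer in front of the cloud or perimeter firewall the table refers to; both must allow the same three ports.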
Steps involved
1. Spin up a VM instance
- To begin setting up a NetFoundry On-prem Network, spin up a VM in your infrastructure (factory, data center, public cloud, branch site, etc.) that meets the prerequisites and firewall configuration described in the sections above.
- Your VM must have a DNS-resolvable name that does not change across reboots. For example, in AWS this is typically the EC2 Public DNS (IPv4) name.
2. Download and Run the Installation Software
A. Update System & Elevate Privileges
- Ensure your packages are up to date and elevate to root to avoid permission issues during the install.
# Refresh the package index
sudo apt update
# Elevate to root for the remainder of the install
sudo -i
B. Clone the Installer Repo
- The NetFoundry On-Prem Installer is hosted in a private Bitbucket repository. Access is token-controlled, and NetFoundry provides the token to you.
git clone https://x-token-auth:###REDACTED###@bitbucket.org/netfoundry/k8s-on-prem-installations.git
- Use your unique Bitbucket token to clone the NetFoundry On-Prem installer repo.
- This repo contains the Quickstart script and Kubernetes manifests to set up the controller environment.
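The clone command above embeds the access token in the URL, which means the token also lands in shell history and in the cloned repository's `.git/config` as the origin URL. As an added example (not code from the NetFoundry installer), the script below reads the token from an environment variable instead of the command line, clones the repo, and then rewrites the origin URL so the token is not persisted on disk. The variable name NF_BITBUCKET_TOKEN is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not part of the NetFoundry installer: clone the installer repo
# without leaving the Bitbucket access token in shell history or in the
# persisted remote URL. The token is read from NF_BITBUCKET_TOKEN (a name
# chosen for this example) rather than typed inline.

REPO_PATH="bitbucket.org/netfoundry/k8s-on-prem-installations.git"
CLONE_DIR="k8s-on-prem-installations"

# Remove an embedded "user:secret@" credential from an https URL.
strip_url_credentials() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]+@#\1#'
}

# Return 0 when the URL carries no embedded credential.
url_has_no_credentials() {
    [ "$(strip_url_credentials "$1")" = "$1" ]
}

# Build the one-time clone URL; never echo or log the result.
clone_url_with_token() {
    printf 'https://x-token-auth:%s@%s\n' "$1" "$2"
}

clone_installer() {
    token="$1"
    [ -n "$token" ] || { echo "NF_BITBUCKET_TOKEN is not set" >&2; return 1; }
    git clone "$(clone_url_with_token "$token" "$REPO_PATH")" "$CLONE_DIR" || return 1
    # Rewrite origin so .git/config stores the URL without the token.
    git -C "$CLONE_DIR" remote set-url origin "https://$REPO_PATH"
    # Verify nothing secret was left in the stored remote URL.
    url_has_no_credentials "$(git -C "$CLONE_DIR" remote get-url origin)" \
        || { echo "WARNING: origin URL still contains a credential" >&2; return 1; }
    echo "cloned into $CLONE_DIR; origin URL stored without token"
}

# Only run the clone when explicitly requested (NF_CLONE=1), so that sourcing
# this file for its helper functions has no side effects.
if [ "${NF_CLONE:-0}" = "1" ]; then
    clone_installer "${NF_BITBUCKET_TOKEN:-}"
fi
```

Usage: `NF_BITBUCKET_TOKEN='<token from NetFoundry>' NF_CLONE=1 sh clone.sh`. Later `git pull` operations will prompt for credentials again; supply the token through a git credential helper or `GIT_ASKPASS` at that point rather than putting it back into the URL.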
C. Running The Quickstart In Interactive Mode
- The quickstart.sh script guides you step by step through the installation process in interactive mode.
# Change directories into the repo
cd k8s-on-prem-installations
# Run the quickstart installer script
./quickstart.sh
- The quickstart installer is built around a k3s installation.
- Set the OpenEBS storage class as the default storage class for your Kubernetes cluster.
- Choose 'n' to skip the Support Stack.
- Respond with 'y' to proceed to install the Ziti Controller and Router components.
- During the course of the installation, you'll be prompted to enter a DNS address for the controller's advertised address.
- Use the EC2 public DNS name from Step 1.
With the current generation of the installer, you need to decide which ports you want to serve Ziti services on before installation; you will be prompted to enter them during the install process. Future versions of the installer will support ALPN, which will simplify the port scheme.
- Ziti Client Access (Default 1280) - This needs to be accessible by all identities that need to use the Ziti network. By default the router control plane also listens on this port via ALPN.
- Router Edge Listener (Default 3022) - This needs to be accessible by all identities that need to use the Ziti network. By default the router’s link listener also listens on this port via ALPN.
For the k3s installation option you must choose ports higher than 1024.
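The constraints above (a stable DNS name for the advertised address from Step 1, two distinct TCP ports above 1024 that are not already in use, and the VM sizing from the prerequisites) are easy to get wrong before an interactive install. The following preflight script is an added example, not part of the NetFoundry installer, that checks them before you run quickstart.sh. It assumes a Linux VM with nproc, free, df, ss and getent available (all standard on Ubuntu 22.04/24.04); the RAM threshold is set slightly under 16 GB because the kernel reserves some memory and `free` reports less than the nominal size.

```shell
#!/bin/sh
# Added example, not part of the NetFoundry installer: pre-install checks for
# the prerequisites and the port choices described in this guide.
# Usage: sh preflight.sh <advertise-dns-name> [controller-port] [router-port]

MIN_CPUS=4
MIN_RAM_MB=15000      # nominal 16 GB; free(1) reports a little less than the VM size
MIN_DISK_GB=50

# A usable Ziti port for the k3s option: numeric, above 1024, within range.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Controller and router ports must differ; both listen on TCP.
ports_distinct() { [ "$1" != "$2" ]; }

# Reject IPv4 literals: the advertised address must be a DNS name that does
# not change across reboots.
is_dns_name() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;   # empty or illegal characters
        *[!0-9.]*) return 0 ;;             # has a letter or hyphen: a hostname
        *) return 1 ;;                     # only digits and dots: an IPv4 literal
    esac
}

# Return 0 if nothing is already listening on the given TCP port.
port_free() {
    ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -qE ":$1\$"
}

check_hardware() {
    cpus=$(nproc)
    ram_mb=$(free -m | awk '/^Mem:/ {print $2}')
    disk_gb=$(df -BG --output=avail / | tail -n1 | tr -dc '0-9')
    ok=0
    [ "$cpus" -ge "$MIN_CPUS" ]       || { echo "FAIL: $cpus CPUs, need $MIN_CPUS"; ok=1; }
    [ "$ram_mb" -ge "$MIN_RAM_MB" ]   || { echo "FAIL: ${ram_mb} MB RAM, need 16 GB"; ok=1; }
    [ "$disk_gb" -ge "$MIN_DISK_GB" ] || { echo "FAIL: ${disk_gb} GB free on /, need $MIN_DISK_GB"; ok=1; }
    return $ok
}

preflight() {
    name="$1"; ctrl="${2:-1280}"; rtr="${3:-3022}"
    rc=0
    is_dns_name "$name" || { echo "FAIL: advertise address '$name' must be a DNS name, not an IP"; rc=1; }
    getent hosts "$name" >/dev/null || { echo "FAIL: '$name' does not resolve"; rc=1; }
    for p in "$ctrl" "$rtr"; do
        valid_port "$p" || { echo "FAIL: port '$p' must be a number above 1024"; rc=1; }
        port_free "$p"  || { echo "FAIL: port $p is already in use"; rc=1; }
    done
    ports_distinct "$ctrl" "$rtr" || { echo "FAIL: controller and router ports must differ"; rc=1; }
    check_hardware || rc=1
    [ "$rc" -eq 0 ] && echo "preflight OK"
    return $rc
}

# Run only when an advertise name is given, so the helpers can be sourced.
if [ -n "${1:-}" ]; then
    preflight "$@"
fi
```

Run it as `sh preflight.sh ec2-13-215-60-22.ap-southeast-1.compute.amazonaws.com 1280 3022` (using your own VM's DNS name); every failed check is reported and the exit status is non-zero, so it can gate an automated install.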
At the end of the Quickstart process, you'll see output similar to the following.
This section provides essential access information:
- Ziti Admin Console URL
Example: https://ec2-13-215-60-22.ap-southeast-1.compute.amazonaws.com:1280/zac/
- Default Admin Credentials
These are generated during the install. Make sure to copy and store them securely.
- Helm Upgrade Commands
Also shown are the exact Helm upgrade/install commands you can run later to modify or update the configuration.
3. Log in to the Ziti Admin Console (ZAC)
Use the default admin credentials provided during the install.
After login, you’ll land on the Ziti Admin Console Dashboard.