Getting started with NetFoundry Zero Trust Networking - AWS Example


Getting Started is Easy

We'll walk you through the simple steps below to spin up your first network on AWS.

1. PREREQUISITES

Sign up for an AWS account, then subscribe to the NetFoundry platform in the AWS Marketplace. If you don't have a NetFoundry account yet, sign up for one. These are all free.


  • Sign up for an AWS Account
  • Subscribe to NetFoundry in the AWS Marketplace
  • Sign up for NetFoundry

2. CREATING A NETWORK

Refer to the support guide for a Trial Account on NetFoundry Cloud

For Enterprise accounts, follow the below steps:

  • Log in to your NetFoundry Console at https://nfconsole.io/.
  • Once logged in, you will be prompted to create your network.
  • Give your network a name.
  • Hit Create My Network to commence the provisioning of your network.
  • It will take approximately 5-10 minutes for the network provisioning to complete. Once your network is ready, you will see the spinning globe icon turning green.


3. CREATING EDGE ROUTERS

A. Adding a NetFoundry-hosted Edge Router - aka Fabric Router

Note: NetFoundry Teams / Growth accounts auto-provision NetFoundry hosted routers. Refer to the guide for more details. 

NetFoundry-hosted edge routers create the fabric for your network. They are public routers that endpoints dial to reach the destination service via the fabric; one or more hosted edge routers together form the fabric.

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Manage Edge Routers tab, click on the + sign at the upper right to add an edge router.
  • Give your edge router a name.
  • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. Apply the same tag to other routers to form a group of routers. For this demo, we will use #demopublic.
  • Select NetFoundry Hosted as your hosting type, and choose the Data Center region that is close to where your endpoints are located.
  • Hit Create to commence the provisioning of your edge router.
  • Once your edge router is registered, it will start accepting fabric links dialed out by your customer-hosted (private) edge routers, as well as connections from endpoints accessing the fabric.


Note: NetFoundry-hosted edge routers are available only in the Oracle Cloud Platform for Teams / Growth plans

B. Adding a Customer-hosted Edge Router

Customer-hosted edge routers with link listeners turned off are private routers: they dial out to the NetFoundry-hosted fabric routers and accept no inbound fabric links, so they need no inbound firewall rule of their own.

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Manage Edge Routers tab, click on the + sign at the upper right to add an edge router.
  • Give your edge router a name.
  • Give your edge router a router attribute (optional).
  • Select Customer Hosted as your hosting type.
  • Hit Create to complete the process.
  • Copy your edge router registration key. You may also save it as a JWT or a config file. Treat it as a secret: it is a one-time enrollment credential for this router, so keep it out of tickets, chat and source control until the router has registered.


C. Launching your Edge Router in AWS via CloudFormation

  • Click here to launch the AWS CloudFormation stack. This will automatically launch the AWS CloudFormation console (it will prompt you to sign in if you're not yet logged in). Check at the upper-left corner of your AWS Console that you are in the region where you want to spin up your edge router.
  • Once logged in to the AWS CloudFormation console, you will notice the template is already filled in. Click Next to continue.
  • Paste your router registration key in the appropriate field, and then click Next to continue.
  • On the Configure Stack Options page, leave all as default. Click Next to continue.
  • From the Review page, click on Create Stack at the bottom to launch the stack.
  • This CloudFormation template creates a simple VPC, a subnet, a routing table, an internet gateway, and two EC2 instances: (1) a t3.small for the Hello World webpage and (2) a t3.small for the NetFoundry Zero Trust Networking Platform VM, along with a security group that allows port 80 (HTTP) from anywhere to the Demo App. The edge router instance itself needs no inbound rule: it dials out to the fabric.
  • Once the stack is launched, go to the "Outputs" section of the stack you created. There you will find the internal IP address of the Demo App, which you will use in the next section. You may also test the external URL of the Demo App to ensure it is accessible. The internal address is reachable only through the NetFoundry network, so it will work once the network is complete (roughly 2-3 minutes after the router registers) and the service in the following sections is configured.
  • The CloudFormation template launches in the region your account was last signed in to. To launch it in a different region, switch regions from the drop-down menu. Be sure you are launching in the same region where your NetFoundry Edge Router is.
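The following template is an added illustration of the resource layout the stack above describes; it is not the NetFoundry template behind the "Click here" link. The AMI IDs, CIDR ranges, resource names and the way the registration key is handed to the router instance (written to a file in user data) are assumptions; the real NetFoundry AMI has its own registration step. The security-relevant parts are the two separate security groups (the demo app is public on port 80, the edge router has no ingress at all because it only dials out) and the NoEcho on the registration-key parameter.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Illustrative demo VPC with a public Hello World web server and a NetFoundry edge router (added example, not the NetFoundry template)
Parameters:
  RouterRegistrationKey:
    Type: String
    NoEcho: true                  # keep the one-time key out of console and DescribeStacks output
    Description: Edge router registration key copied from the NetFoundry console
  RouterAmiId:
    Type: AWS::EC2::Image::Id     # assumption: the NetFoundry router AMI for your region
  WebAmiId:
    Type: AWS::EC2::Image::Id     # assumption: any Linux AMI that serves a page on port 80
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.20.0.0/16
  Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.20.1.0/24
      MapPublicIpOnLaunch: true   # both instances need a public IP: the app for the external test, the router to dial out
  Igw:
    Type: AWS::EC2::InternetGateway
  IgwAttach:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref Igw
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
  DefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: IgwAttach
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref Igw
  SubnetRoute:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Subnet
      RouteTableId: !Ref RouteTable
  RouterSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Edge router - no inbound rules; it dials out to the fabric
      VpcId: !Ref Vpc
  DemoAppSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Hello World demo app
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0       # as in the demo, so the external URL check works
        # Locked-down alternative once the external check is done: only the router may reach it.
        # - IpProtocol: tcp
        #   FromPort: 80
        #   ToPort: 80
        #   SourceSecurityGroupId: !Ref RouterSg
  DemoApp:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.small
      ImageId: !Ref WebAmiId
      SubnetId: !Ref Subnet
      SecurityGroupIds: [!Ref DemoAppSg]
  EdgeRouter:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.small
      ImageId: !Ref RouterAmiId
      SubnetId: !Ref Subnet
      SecurityGroupIds: [!Ref RouterSg]
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          # assumption: stage the key for the AMI's own registration step (command is AMI-specific)
          install -m 0600 /dev/null /root/router.jwt
          printf '%s' '${RouterRegistrationKey}' > /root/router.jwt
Outputs:
  DemoAppInternalIp:
    Description: Use this as the Host Name/IP of the service
    Value: !GetAtt DemoApp.PrivateIp
  DemoAppExternalUrl:
    Value: !Sub http://${DemoApp.PublicIp}
```

NoEcho hides the key in the console and API output, but anything placed in user data can still be read from the instance metadata service and via DescribeInstanceAttribute, so a key passed this way should be consumed by the router promptly; because it is one-time use, a key that has already been used for registration is worthless to anyone who reads it later.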

To learn more about Edge Routers go to Create and Manage Edge Routers article on the NetFoundry Support Hub.

4. CREATING AN ENDPOINT

  • From your Network Dashboard page, navigate to Endpoints.
  • Under the Manage Endpoints tab, click on the + sign at the upper right to add an endpoint.
  • Give your endpoint a name.
  • Give your endpoint an endpoint attribute. Endpoint attributes are tags applied to an endpoint. Apply the same tag to other endpoints to form a group of endpoints. For this demo, we will add #demouser.
  • Hit Create to complete the process.
  • You may download your registration key in .jwt file format or scan the client registration key QR code.
  • Download an installer for your operating system here: https://netfoundry.io/resources/support/downloads/networkversion7/#zititunnelers


To learn more about Endpoints go to Create and Manage Endpoints article on the NetFoundry Support Hub.

5. CREATING AN EDGE ROUTER POLICY

Note: NetFoundry Teams / Growth accounts auto-create the NetFoundry ER policy. Refer to the guide for more details. 

An edge router policy is needed for endpoints to dial to the fabric.

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Manage Edge Router Policies tab, click on the + sign at the upper right to add a policy. An Edge Router Policy grants a specific endpoint or group of endpoints access to a specific edge router or group of edge routers.
  • Give your edge router policy a name.
  • In the Edge Router Attributes field, specify the edge routers to be associated with this policy. For this demo, we will add the #demopublic router attribute to select all edge routers having that router attribute.
  • In the Endpoint Attributes field, specify the endpoints to be associated with this policy. For this demo, we will add the #demouser endpoint attribute to select all endpoints having that endpoint attribute.
  • Hit Create to complete the process.


To learn more about Edge Router Policies go to Create and Manage Edge Router Policies article on the NetFoundry Support Hub.

6. CREATING A SERVICE

  • From your Network Dashboard page, navigate to Services.
  • Under the Manage Services tab, click on the + sign at the upper right to add a service.
  • Choose the type of your service. Clicking on Advanced Services allows you to create services with IP/Port ranges. For this demo, we will use Simple Service as the service type.
  • Give your service a service attribute (optional). Service Attributes are tags applied to a service. Apply the tag to other services to form a group of services. For this demo, we will add #demoservice.
  • In the Edge Router Attributes field, specify the edge routers participating in this service. Leave this field blank to allow all edge routers.
  • In the Client Configuration box, type in mydemoapp.ziti for the Intercept Host Name/IP field and 80 for the Port field.
  • Toggle the Native Application SDK Based to No.
  • In the Host Configuration box, select Endpoint Hosted as your service host.
  • Select the associated endpoints capable of accepting connections from clients, i.e. the endpoint that can reach the demo server's internal IP.
  • Select TCP for the Protocol Type.
  • In the Host Name/IP field, enter the IP address for the demo server. This is the internal IP address from the AWS CloudFormation stack output.
  • Use 80 for the Port field.
  • Hit Create to complete the process.
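To make the Client Configuration / Host Configuration split concrete, here is an added example (not NetFoundry or OpenZiti code) that expresses the Simple Service above as OpenZiti-style intercept.v1 and host.v1 config objects and answers the question "would the tunneler capture this connection?". It goes beyond the demo by also handling the wildcard names, CIDRs and port ranges that Advanced Services allow. The internal IP 10.20.1.25 is a constructed stand-in for the CloudFormation output, and the exact config-type names and wildcard semantics are assumptions about the underlying OpenZiti model.

```python
"""Added example: Simple/Advanced Service fields as intercept/host configs,
plus a matcher for what the tunneler would intercept. Not NetFoundry code."""
import ipaddress

INTERCEPT_HOST = "mydemoapp.ziti"
DEMO_APP_INTERNAL_IP = "10.20.1.25"   # constructed sample, not a real stack output


def build_service_configs(intercept_host, port, host_address, protocol="tcp"):
    """Client side (intercept.v1): what the tunneler captures on the endpoint.
    Host side (host.v1): where the hosting endpoint forwards the connection.
    The client never learns host_address; only the intercept name is visible to it."""
    return {
        "intercept.v1": {
            "protocols": [protocol],
            "addresses": [intercept_host],
            "portRanges": [{"low": port, "high": port}],
        },
        "host.v1": {"protocol": protocol, "address": host_address, "port": port},
    }


def _address_matches(pattern, target):
    """An intercept address may be a hostname, an IP or CIDR, or a '*.domain' wildcard
    (assumed semantics). Matching is case-insensitive for names."""
    pattern = pattern.lower()
    target = target.lower()
    if pattern.startswith("*."):
        # '*.internal.ziti' matches 'db.internal.ziti' but not the bare 'internal.ziti'
        return target.endswith(pattern[1:]) and target != pattern[2:]
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(target) in net
    except ValueError:
        # either side is not an IP/CIDR: fall back to an exact hostname comparison
        return pattern == target


def is_intercepted(intercept_cfg, protocol, address, port):
    """True if the tunneler would capture protocol://address:port for this service."""
    if protocol.lower() not in intercept_cfg["protocols"]:
        return False
    if not any(_address_matches(p, address) for p in intercept_cfg["addresses"]):
        return False
    return any(r["low"] <= port <= r["high"] for r in intercept_cfg["portRanges"])


def resolve_for_client(configs, protocol, address, port):
    """Where an intercepted connection lands, or None when the connection is not a
    Ziti service at all and would leave via the endpoint's ordinary network path."""
    if not is_intercepted(configs["intercept.v1"], protocol, address, port):
        return None
    h = configs["host.v1"]
    return (h["protocol"], h["address"], h["port"])


# The demo service from this section.
DEMO = build_service_configs(INTERCEPT_HOST, 80, DEMO_APP_INTERNAL_IP)

# An "Advanced Services" style intercept: wildcard name, CIDR and a port range.
ADVANCED_INTERCEPT = {
    "protocols": ["tcp"],
    "addresses": ["*.internal.ziti", "10.20.0.0/16"],
    "portRanges": [{"low": 80, "high": 443}],
}

if __name__ == "__main__":
    for proto, host, port in [("tcp", "mydemoapp.ziti", 80),
                              ("tcp", "mydemoapp.ziti", 443),
                              ("udp", "mydemoapp.ziti", 80),
                              ("tcp", DEMO_APP_INTERNAL_IP, 80)]:
        print(f"{proto}://{host}:{port} -> {resolve_for_client(DEMO, proto, host, port)}")
```

The last case in the usage loop is the one that trips people up: browsing straight to the internal IP from a client is not intercepted, because only mydemoapp.ziti:80 is part of the service; the client's own network has no route to the VPC subnet, so that request simply fails.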

To learn more about Services go to Create and Manage Services article on the NetFoundry Support Hub.

7. CREATING AN AppWAN

  • From your Network Dashboard page, navigate to Services.
  • Under the Manage AppWANs tab, click on the + sign at the upper right to add an AppWAN.
  • Give your AppWAN a name.
  • In the Service Attributes field, specify the services or service groups to be associated with this AppWAN. For this demo, we will add the #demoservice service attribute to select all services having that service attribute.
  • In the Edge Router Attributes field, specify the edge routers to be associated with this AppWAN. For this demo, we will add the #demopublic router attribute to select all edge routers having that router attribute.
  • In the Endpoint Attributes field, specify the endpoints to be associated with this AppWAN. For this demo, we will add the #demouser endpoint attribute to select all endpoints having that endpoint attribute.
  • Hit Create to complete the process.


To learn more about AppWANs go to Create and Manage AppWANs article on the NetFoundry Support Hub.

8. INSTALLING A ZITI EDGE CLIENT

Note: You must have an endpoint already created for you via the NetFoundry console. If not, follow all the instructions laid out in CREATING AN ENDPOINT section above before proceeding in this section.

  • Download an installer for your operating system here: https://netfoundry.io/resources/support/downloads/networkversion7/#zititunnelers
  • Run the installer and complete the installation process.
  • Confirm that your Ziti Desktop Edge Client is in Start mode before adding your JWT (registration key). If you deleted or failed to download your JWT, you can download one by going back to Manage Endpoints > click on your endpoint > hit Download Key.
  • Click on Add Identity and select your recently downloaded JWT (registration key). Registration keys are one-time use: once the endpoint has registered with a key, that key cannot be reused.
  • After a few seconds, your Ziti Edge Client should now be enabled and running.
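The registration key downloaded in CREATING AN ENDPOINT and consumed by Add Identity here is a JWT. The following is an added example (not NetFoundry or OpenZiti code) of a pre-enrollment sanity check on such a key: it decodes the header and claims and flags a key that is expired, unsigned, or issued by a controller other than the one you expect. It deliberately does not verify the signature; the tunneler does that against the controller's certificate during enrollment. The sample token is constructed inline so the script runs offline, and the claim names (iss, sub, exp, em, jti), taken from OpenZiti one-time-token enrollment JWTs, are an assumption.

```python
"""Added example: inspect an endpoint registration key (JWT) before enrolling it.
Structure only; no signature verification. Not NetFoundry code."""
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_key(issuer, identity, expires_at, method="ott"):
    """Build a structurally valid but UNSIGNED look-alike of a registration key
    (constructed for offline use; a real key carries a real signature)."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": identity, "exp": expires_at,
              "em": method, "jti": "constructed-sample"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def inspect_registration_key(token, expected_issuer, now=None):
    """Decode header and claims and report what would make enrollment fail or be
    unsafe: wrong controller (issuer), expired key, or an unsigned token."""
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.claims.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if str(header.get("alg", "none")).lower() == "none" or not parts[2]:
        problems.append("token is unsigned; refuse it")
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} is not your controller {expected_issuer!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("no exp claim")
    elif exp <= now:
        problems.append("key expired; download a fresh one via Manage Endpoints > Download Key")
    return {
        "controller": claims.get("iss"),
        "identity": claims.get("sub"),
        "method": claims.get("em"),
        "seconds_left": int(exp - now) if isinstance(exp, (int, float)) else None,
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed controller URL and identity; substitute your own network's values.
    controller = "https://controller.example:1280"
    key = make_sample_key(controller, "demo-endpoint", int(time.time()) + 3600)
    print(json.dumps(inspect_registration_key(key, controller), indent=2))
```

One thing this check cannot tell you is whether the key has already been used: a consumed one-time key decodes exactly like a fresh one, and only the controller will reject it at Add Identity time, so if enrollment fails on a key that passes this check, download a new one rather than retrying.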

To learn more about Ziti Edge clients go to Installing Ziti Desktop Edge on Windows and Mac article under the Endpoints section in NetFoundry Support Hub.

9. TEST CONNECTION WITH THE HELLO WORLD WEBPAGE

  • Open your web browser and go to http://mydemoapp.ziti. This name is not in public DNS; it resolves only on a machine where the enrolled Ziti Edge Client is running, because the client intercepts the intercept host name you configured in the service.
  • The Hello World webpage should come up for the webserver which concludes this demo.
  • Congratulations! You have successfully accessed a private service via the NetFoundry network.

10. REMOVAL OF AWS RESOURCES

Once the demo is complete, you may remove your AWS resources. From the AWS console, select the CloudFormation service, select the NFNDemo stack from the list, and then click Delete to complete the process. Deleting the stack terminates both EC2 instances; the edge router and endpoint you created in the NetFoundry console are not removed by this step and can be deleted there separately.
