NetFoundry for connecting devices or users to apps in cloud (Public / Private / Hybrid)

NetFoundry Platform Architecture

Introduction

Organizations often need their users to reach applications or resources hosted in private or public clouds over a secure, private network. Typical reasons include, but are not limited to:

1. DevOps engineers connecting to test and development environments in a public or private cloud

2. Production application access for users working from anywhere, including offices

3. Users in managed-service operations who have to connect to resources in a public or private cloud

This article walks through the steps to establish a Zero Trust private connection with NetFoundry so that users can access applications hosted in public, private, or hybrid data centers.

In our lab setup, the test applications are hosted in AWS Singapore and Azure Mumbai. NetFoundry-hosted edge routers are provisioned in AWS Singapore and Azure Mumbai, and the endpoints are provisioned on devices running Windows and macOS.

Pre-requisites:

1. Edge routers and endpoints must be able to reach the NetFoundry controller and the NetFoundry-hosted edge routers, both for registration and for ongoing operation. If firewall ACL policies are in place, make sure the required ports, IP addresses, and URLs are reachable.

2. Exclude NetFoundry traffic from any proxy or deep-packet-inspection device in the path. The control and data channels use mTLS with end-to-end encryption: the endpoint validates the network's own certificate chain, so a TLS-intercepting proxy cannot substitute its certificate, and it cannot present the endpoint's client certificate to the fabric. The connection fails rather than being inspected.

The firewall requirements guide lists the specific ports, addresses, and URLs:

https://support.netfoundry.io/hc/en-us/articles/4402361752717-Firewall-Requirements
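A quick way to confirm both prerequisites before registering anything is to probe each host and port from the machine that will run the endpoint or customer edge router. The script below is an added example, not NetFoundry tooling: it tests TCP reachability and reads the issuer of the certificate presented on each TLS port, so a filtered port shows up as "blocked" and a TLS-intercepting proxy shows up either as an unverifiable chain or as an unexpected issuer. The hostnames, ports, and expected issuer organisation in TARGETS are placeholders (assumed, not taken from the guide); fill them in from the firewall requirements article and from a known-good connection.

```python
import socket
import ssl

# Placeholder targets (assumed for this example, not taken from the guide):
# replace them with the hostnames and ports listed in the Firewall Requirements
# article for your network. The third field is the issuer organisation you
# expect on the server certificate, or None to skip the TLS check.
TARGETS = [
    ("controller.example.invalid", 443, "NetFoundry"),
    ("edge-router.example.invalid", 443, "NetFoundry"),
]


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_issuer(host, port, timeout=3.0):
    """Return the issuer organisation of the certificate presented on host:port.

    Returns a string starting with 'UNVERIFIED:' when the chain does not
    validate against the local trust store. An interception proxy whose CA is
    not trusted shows up here; one whose CA is trusted shows up as an
    unexpected issuer organisation instead.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
                return issuer.get("organizationName", "?")
    except ssl.SSLCertVerificationError as exc:
        return f"UNVERIFIED: {exc.verify_message}"
    except OSError as exc:
        return f"UNVERIFIED: {exc}"


def verdict(reachable, issuer, expected):
    """Classify one target as 'ok', 'blocked', or 'intercepted'."""
    if not reachable:
        return "blocked"
    if expected is None or issuer == expected:
        return "ok"
    return "intercepted"


def run_checks(targets=TARGETS, timeout=3.0):
    """Check every target; return a list of (host, port, verdict, issuer-or-None)."""
    report = []
    for host, port, expected in targets:
        reachable = check_tcp(host, port, timeout)
        issuer = tls_issuer(host, port, timeout) if reachable and expected else None
        report.append((host, port, verdict(reachable, issuer, expected), issuer))
    return report


def selfcheck():
    """Demonstrate check_tcp against a throwaway listener on the loopback interface."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return check_tcp("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    for host, port, result, detail in run_checks():
        print(f"{host}:{port} -> {result}" + (f" ({detail})" if detail else ""))
```

Run it from the same network segment and with the same proxy settings as the device being registered. A result of "intercepted" means the proxy exclusion in prerequisite 2 is not in effect for that host, and registration will fail even though the port is open.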

Step 1 - Create a network

The options in a Teams / Growth plan may vary. Refer to the support guide on creating a network on a Teams / Growth account. 

For Enterprise accounts, follow the below steps:

  • Log in to your NetFoundry Console at https://nfconsole.io/.
  • Once logged in, you will be prompted to create your network.
  • Give your network a name.
  • Select the region where you would like to host your network (controller)
  • Hit Create My Network to commence the provisioning of your network.
  • It will take approximately 5-10 minutes for the network provisioning to complete. Once your network is ready, you will see the spinning globe icon turning green.

For additional information or assistance please see our Support Hub article Product v7-Create and Manage Networks.

Step 2 - Create edge routers

A) Provision a NetFoundry-hosted Edge Router

NetFoundry-hosted Edge Routers provide the data transport of the fabric that endpoints and customer edge routers dial into. At least one publicly reachable edge router is required before endpoints and customer edge routers can join the fabric; a minimum of two hosted edge routers is the recommended practice, for redundancy and smart routing.

Provision at least two NetFoundry-hosted edge routers in regions close to the cloud resources being accessed. Refer to the "NetFoundry-Hosted Edge Router" provisioning instructions in the Create and Manage Edge Routers article.

Note that a new Teams / Growth account already has NetFoundry-hosted edge routers self-provisioned based on the geography selected at sign-up, so this step can be skipped.

Snapshot of two NF-hosted routers provisioned in an enterprise account

To learn more about Edge Routers go to the Create and Manage Edge Routers article on the NetFoundry Support Hub.

B) Provision On-prem DC [Private Cloud] or any Public Cloud Customer Edge Router

Customer self-hosted Edge Routers (CERs) act as egress routers through which endpoints and other CERs reach the services terminated on the CER's endpoint.

  • Create and Register Customer Edge Router

    • From your Network Dashboard page, navigate to Edge Routers.
    • Under the Edge Routers tab, click on the + sign at the upper right to add an edge router.
    • Give your edge router a name.
    • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. The same tag can be applied to other edge routers to form a collection of Customer-hosted Edge Routers. This attribute can be used for provisioning APPWANs.
    • Select Customer Hosted as your hosting type.
    • Hit Create to complete the process.
    • A new customer-hosted edge router is created together with a registration key, as shown below. The key is required to register the edge router to the network.
    • Copy the registration key, or save it as a JWT or config file. The key is an enrollment credential: treat it as a secret, deliver it to the router host over a trusted channel, and do not leave copies in tickets or shared drives.

    Create and Register CERs in a private cloud

    Use the below deployment guides to provision a Customer-hosted Edge Router into a branch office or a private cloud.

    https://support.netfoundry.io/hc/en-us/articles/5700949793293-Deployment-guides-for-provisioning-customer-edge-routers-in-a-private-cloud

    Create and Register CERs on AWS / Azure / GCP / OCI / any public cloud

    Use the deployment guides below to provision a Customer-hosted Edge Router into AWS, Azure, GCP, or OCI.

    https://support.netfoundry.io/hc/en-us/articles/5701001893133-Deployment-guides-for-provisioning-customer-edge-routers-in-public-clouds

Step 3 - Endpoint Creation & ZDE Installation

A) Creating an endpoint

  • From your Network Dashboard page, navigate to Endpoints.
  • Under the Manage Endpoints tab, click on the + sign at the upper right to add an endpoint.
  • Give your endpoint a name.
  • Give your endpoint an endpoint attribute. Endpoint attributes are tags applied to an endpoint. The same tag can be applied to other endpoints to form a group of endpoints.
  • Hit Create to complete the process.
  • You may download your registration key in .jwt file format or scan the client registration key QR code.

To learn more about Endpoints refer to the Create and Manage Endpoints & Troubleshooting Windows Desktop Edge articles on the NetFoundry Support Hub.

You can also create endpoints by syncing your Active Directory, whether hosted in Azure or on-premises.

B) Installing the Desktop / Mobile Ziti Edge client

  • Download the Desktop / Mobile Ziti Edge client installer for your operating system here: https://netfoundry.io/resources/support/downloads/networkversion7/#zititunnelers
  • Run the installer (the .exe file on Windows) and complete the installation process.
  • Confirm that the Ziti Desktop Edge client is in Start mode before adding your JWT (registration key).
  • Click Add Identity and select the JWT (registration key) you downloaded. Registration keys are single-use: once the identity has registered, the key cannot be reused.
  • After a few seconds, the identity should show as enabled and running in the Ziti Edge client.
  • If you deleted or failed to download your JWT, go back to Endpoints, click your endpoint, and hit Download Key.

To know more about NetFoundry Ziti Desktop Edge for Windows go to the Installing Ziti Desktop Edge on Windows article on the NetFoundry Support Hub.

Also ensure that co-existing agents on the device (for example, Zscaler policies) are not blocking the Ziti Desktop Edge client from reaching the services.

Step 4 - Creating a Service

The service definition specifies which device or devices provide access to the service, either on the device itself (a Zero Trust Client SDK application) or on the network connected to the device (its LAN, for example). It also defines how endpoints acting as clients of the service reach it (the client intercept) and where the service is hosted (the destination).

In AWS, create an EC2 instance running a web server on HTTP in the same VPC as the NetFoundry edge router, and note its private IP address. The server will only ever be reached through the edge router, so it needs no public IP address, and its security group should allow inbound HTTP only from the edge router's private address.

  • From your Network Dashboard page, navigate to Services.
  • Under the Services tab, click on the + sign at the upper right to add a service.
  • Choose the service type. Advanced Services lets you create services with IP and port ranges; select Advanced Service and give the service a name.
  • Optionally give the service a service attribute. Service attributes are tags applied to a service; applying the same tag to other services forms a group of services that AppWANs can reference.
  • In the Edge Router Attributes field, specify the public (for example NetFoundry-hosted) edge routers that participate in this service. Leave the field blank if all edge routers participate.
  • The Client Intercept configuration denotes how the client endpoints using this service reach it: a hostname, an IP address, or an IP subnet, together with the application port numbers or port ranges (several individual ports or ranges can be listed) and the protocol (TCP, UDP, or both). The hostname can be any contrived name; it only needs to exist on the endpoint, where the NetFoundry local DNS resolves it.
  • The Destination configuration selects the endpoints that host the service (by individual endpoint name or by endpoint group attribute) and, when forwarding is disabled, the real destination. Enable address, port, and protocol forwarding if the destination is reachable on the same hostname / IP, port(s), and protocol as in the client intercept configuration.
  • If the destination IP, hostname, port, or protocol differs from the client-side configuration, disable forwarding for that field and enter the destination value; the NetFoundry local DNS maps the client configuration to the destination configuration. Make sure the application is actually reachable from the hosting endpoint on the IP, port or port range, and protocol given in the destination configuration.
  • Hit Create to complete the process.
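The intercept-to-destination mapping described in the steps above can be modelled exactly, which helps when the forwarding flags are confusing. The following Python is an added example and not NetFoundry code: it parses a port field, matches a client dial against the intercept configuration, applies the forwarding flags to produce the destination the hosting endpoint dials, and flags the combinations that fail at dial time. The service names, the hello.ziti hostname, the 10.0.1.25 and 10.20.0.0/24 addresses, and the hosting selectors are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse a console-style port field such as '22, 80-90, 443' into (low, high) ranges."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        low, high = int(lo), int(hi or lo)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port spec: {part}")
        ranges.append((low, high))
    return sorted(ranges)


def is_ip_or_cidr(value: str) -> bool:
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def address_matches(dialed: str, configured: str) -> bool:
    """True if what the client dialed falls under a configured hostname, IP, or CIDR."""
    if not is_ip_or_cidr(configured):
        return dialed.lower() == configured.lower()      # contrived hostname: exact match
    try:
        return ipaddress.ip_address(dialed) in ipaddress.ip_network(configured, strict=False)
    except ValueError:
        return False                                     # a hostname never matches a CIDR


@dataclass
class Intercept:
    addresses: List[str]            # hostnames, IPs, or CIDRs the client dials
    ports: List[Tuple[int, int]]    # from parse_ports
    protocols: Set[str]             # subset of {"tcp", "udp"}


@dataclass
class Destination:
    hosting: List[str]              # hosting endpoints, as @name or #attribute selectors (assumed syntax)
    forward_address: bool = True    # True: dial the address the client used
    forward_port: bool = True       # True: dial the port the client used
    forward_protocol: bool = True   # True: use the protocol the client used
    address: Optional[str] = None   # used only when the matching forward_* flag is False
    port: Optional[int] = None
    protocol: Optional[str] = None


@dataclass
class Service:
    name: str
    intercept: Intercept
    destination: Destination


def validate(svc: Service) -> List[str]:
    """List the configuration problems that would make the service undialable."""
    d, problems = svc.destination, []
    if not d.hosting:
        problems.append("no hosting endpoint selected")
    for flag, value, what in ((d.forward_address, d.address, "address"),
                              (d.forward_port, d.port, "port"),
                              (d.forward_protocol, d.protocol, "protocol")):
        if not flag and value is None:
            problems.append(f"{what} forwarding is off but no destination {what} given")
    if d.forward_address and any(not is_ip_or_cidr(a) for a in svc.intercept.addresses):
        problems.append("address forwarding is on with a hostname intercept: "
                        "the hosting endpoint must be able to resolve that name itself")
    return problems


def resolve(services: List[Service], protocol: str, address: str, port: int):
    """Map a client dial (protocol, address, port) to (service, hosting selectors, destination triple).

    Returns None when nothing intercepts the dial, which is exactly what the client
    sees: a service it has not been granted does not exist on its network.
    """
    for svc in services:
        i, d = svc.intercept, svc.destination
        if protocol not in i.protocols:
            continue
        if not any(address_matches(address, a) for a in i.addresses):
            continue
        if not any(lo <= port <= hi for lo, hi in i.ports):
            continue
        dest = (address if d.forward_address else d.address,
                port if d.forward_port else d.port,
                protocol if d.forward_protocol else d.protocol)
        return svc.name, d.hosting, dest
    return None


# Constructed sample mirroring the lab: the AWS web server behind a contrived
# hostname, and a dev subnet reached with transparent forwarding.
SERVICES = [
    Service("hello-world-web",
            Intercept(["hello.ziti"], parse_ports("80"), {"tcp"}),
            Destination(hosting=["@aws-sg-edge-router"], forward_address=False, address="10.0.1.25")),
    Service("dev-subnet",
            Intercept(["10.20.0.0/24"], parse_ports("22, 80-90"), {"tcp", "udp"}),
            Destination(hosting=["#dev-routers"])),
]

if __name__ == "__main__":
    for svc in SERVICES:
        print(svc.name, validate(svc) or "ok")
    print(resolve(SERVICES, "tcp", "hello.ziti", 80))
```

The validation warning on a forwarded hostname is the case that most often bites in practice: with address forwarding on, the hosting endpoint dials the contrived name itself, and unless that name resolves where the router runs the dial fails even though the console accepted the service.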

For additional information or assistance please see our Support Hub article Create and Manage Services.

Step 5 - Creating an AppWAN

The AppWAN defines the services that can be accessed by one or more client endpoints.

  • From your Network Dashboard page, navigate to AppWANs.
  • Under the AppWANs tab, click on the + sign at the upper right to add an AppWAN.
  • Give your AppWAN a name.
  • In the Service Attributes field, specify the services or service attributes to be associated with this AppWAN.
  • In the Edge Router Attributes field, specify the edge routers or edge router attributes to be associated with this policy.
  • In the Endpoint Attributes field, specify the endpoints or endpoint attributes to be associated with this policy.
  • Hit Create to complete the process.

Note: An endpoint, service, or edge router attribute selects every endpoint, service, or edge router that carries that attribute. In each field, the @ symbol addresses an individual endpoint, service, or edge router by name, and the # symbol addresses a group by attribute.

For additional information or assistance please see our Support Hub article Create and Manage AppWANs.

NetFoundry supports an MFA posture check for endpoints. A console administrator can create multiple posture checks with MFA settings and apply them at the AppWAN level, so that the AppWAN's services are withheld from an endpoint until it passes the check.

To learn more about MFA Posture go to the Posture Check - Multi-Factor Authentication article under Docs & Guides in the Support Hub

Step 6 - Creating an Edge Router Policy

Edge Router Policies define which edge routers specific endpoints may use; they can be used for network transport segregation or optimization.

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Edge Routers Policies tab, click on the + sign at the upper right to add a policy. An Edge Router Policy allows a specific endpoint or group of endpoints to have access to a specific edge router or group of edge routers.
  • Give your edge router policy a name.
  • In the Edge Router Attributes field, specify the edge routers to be associated with this policy. Use of the edge router attribute will select all edge routers having that specific attribute.
  • In the Endpoint Attributes field, specify the endpoints to be associated with this policy. The use of an endpoint attribute will select all endpoints having that specific attribute.
  • Hit Create to complete the process.
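Steps 4 to 6 together decide whether an endpoint can reach a service: the AppWAN (Step 5) grants the service, an edge router policy (Step 6) grants transport, and the service's own Edge Router Attributes field (Step 4) restricts which routers may carry it. The Python below is an added example, not NetFoundry code, that implements the @ and # selector semantics from the note in Step 5 and evaluates all three gates for a constructed network; the endpoint, service, router, AppWAN, and policy names are invented. The blank-means-all rule is applied only to the Edge Router Attributes fields, as the console describes; treating a blank AppWAN endpoint or service field as "nothing" is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Entity:
    """An endpoint, service, or edge router: its name plus the attributes (tags) applied to it."""
    name: str
    attributes: Set[str] = field(default_factory=set)


def expand(selectors: List[str], entities: List[Entity], blank_means_all: bool = False) -> Set[str]:
    """Expand a console selector list into entity names.

    '@name' selects one entity, '#tag' selects every entity carrying that tag. A blank
    field means 'all' only where the console says so (the Edge Router Attributes fields);
    elsewhere a blank field selects nothing (assumption of this model).
    """
    if not selectors:
        return {e.name for e in entities} if blank_means_all else set()
    chosen: Set[str] = set()
    for sel in selectors:
        if sel.startswith("@"):
            chosen.update(e.name for e in entities if e.name == sel[1:])
        elif sel.startswith("#"):
            chosen.update(e.name for e in entities if sel[1:] in e.attributes)
        else:
            raise ValueError(f"selector must start with @ or #: {sel!r}")
    return chosen


@dataclass
class AppWAN:
    name: str
    services: List[str]
    endpoints: List[str]
    edge_routers: List[str] = field(default_factory=list)   # blank = all edge routers


@dataclass
class EdgeRouterPolicy:
    name: str
    edge_routers: List[str]
    endpoints: List[str]


@dataclass
class Network:
    endpoints: List[Entity]
    services: List[Entity]
    edge_routers: List[Entity]
    service_routers: Dict[str, List[str]]   # service -> its Edge Router Attributes field (blank = all)
    appwans: List[AppWAN]
    er_policies: List[EdgeRouterPolicy]


def routers_for_endpoint(net: Network, endpoint: str) -> Set[str]:
    """Edge routers the endpoint may dial: the union over every edge router policy that names it."""
    allowed: Set[str] = set()
    for pol in net.er_policies:
        if endpoint in expand(pol.endpoints, net.endpoints):
            allowed |= expand(pol.edge_routers, net.edge_routers, blank_means_all=True)
    return allowed


def can_access(net: Network, endpoint: str, service: str) -> Set[str]:
    """Edge routers over which `endpoint` can reach `service`; an empty set means no access.

    Three gates, all of which must pass: an AppWAN grants the endpoint the service;
    an edge router policy lets the endpoint use a router; and that router is allowed
    both by the AppWAN and by the service's own Edge Router Attributes field.
    """
    granted: Set[str] = set()
    for aw in net.appwans:
        if endpoint in expand(aw.endpoints, net.endpoints) and service in expand(aw.services, net.services):
            granted |= expand(aw.edge_routers, net.edge_routers, blank_means_all=True)
    if not granted:
        return set()
    return (granted
            & routers_for_endpoint(net, endpoint)
            & expand(net.service_routers.get(service, []), net.edge_routers, blank_means_all=True))


def access_matrix(net: Network) -> Dict[str, List[str]]:
    """Endpoint -> sorted services it can reach: the least-privilege review table for a network."""
    return {e.name: sorted(s.name for s in net.services if can_access(net, e.name, s.name))
            for e in net.endpoints}


# Constructed sample network (all names and tags are invented for this example).
NET = Network(
    endpoints=[Entity("laptop-alice", {"devops"}), Entity("laptop-bob", {"msp"}),
               Entity("laptop-dave", {"devops"})],
    services=[Entity("hello-world-web", {"aws-apps"}), Entity("dev-subnet", {"dev"})],
    edge_routers=[Entity("nf-sg", {"hosted", "sg"}), Entity("nf-mumbai", {"hosted", "in"})],
    service_routers={"hello-world-web": [], "dev-subnet": ["#sg"]},
    appwans=[AppWAN("devops-to-cloud", services=["#aws-apps", "@dev-subnet"], endpoints=["#devops"]),
             AppWAN("msp-web-only", services=["@hello-world-web"], endpoints=["#msp"],
                    edge_routers=["@nf-mumbai"])],
    # Dave is in an AppWAN but in no edge router policy, so he has no transport and no access.
    er_policies=[EdgeRouterPolicy("alice-all-hosted", ["#hosted"], ["@laptop-alice"]),
                 EdgeRouterPolicy("msp-mumbai", ["@nf-mumbai"], ["#msp"])],
)

if __name__ == "__main__":
    for ep, svcs in access_matrix(NET).items():
        print(ep, "->", svcs or "nothing")
```

access_matrix is the table to review after every policy change: an endpoint such as laptop-dave that appears in an AppWAN but in no edge router policy reaches nothing, even though the AppWAN grants it the service, and a service pinned to a subset of routers (dev-subnet on the Singapore router only) is unreachable from any endpoint whose edge router policy excludes those routers.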

To know more about Edge Routers Policies go to the Create and Manage Edge Router Policies article on the NetFoundry Support Hub.

Step 7 - AWS Hello World Web Server DEMO

Once the Service and AppWAN configuration is complete in the NetFoundry console, the services appear under the identity in the Ziti Desktop Edge client.

The application is accessed via a private hostname that is neither resolvable nor reachable from the internet. The application is therefore dark to the outside world and reachable only from endpoints inside the NetFoundry network that an AppWAN has granted the service.

HTTP access to Hello World Web Server in AWS from user Desktop
