NetFoundry Platform Architecture
Introduction
Branch offices might want to connect to centralized data centers or public clouds over a secure and private network.
Branch office users, as part of business operations, may have to:
- Connect to applications/resources hosted in the public/private cloud.
- Access PaaS, SaaS and IaaS services offered by public clouds.
This article will guide you through the steps to establish a Zero Trust private connection between branch office locations and public/private/hybrid data centers with NetFoundry Zero Trust Network as a Service.
In our lab set-up, the cloud is considered to be AWS.
Pre-requisites:
1. The edge routers and endpoints need to reach the NetFoundry controller and NF-hosted edge routers for registration and operations. Please make sure the required ports, IPs and URLs are reachable if you have firewall ACL policies.
2. NetFoundry traffic should bypass any proxy or deep packet inspection in between, since it relies on mTLS and end-to-end (E2E) encryption.
The following guide has the details:
https://support.netfoundry.io/hc/en-us/articles/4402361752717-Firewall-Requirements
Step 1 - Create a network
The options in a Teams / Growth plan may vary. Refer to the support guide on creating a network on a Teams / Growth account.
For Enterprise accounts, follow the below steps:
- Log in to your NetFoundry Console at https://nfconsole.io/.
- Once logged in, you will be prompted to create your network.
- Give your network a name.
- Select the region where you would like to host your network (controller).
- Hit Create My Network to commence the provisioning of your network.
- It will take approximately 5-10 minutes for the network provisioning to complete. Once your network is ready, you will see the spinning globe icon turning green.
For additional information or assistance please see our Support Hub article Product v7-Create and Manage Networks.
Step 2 - Create edge routers
Edge Router Connectivity Diagram
A) Provision a NetFoundry-hosted Edge Router
NetFoundry-hosted Edge Routers provide data transport as part of the fabric; endpoints and customer edge routers dial these routers to join the fabric. At least one publicly accessible Edge Router is required for endpoints and edge routers to form a fabric. Having a minimum of two hosted ERs is a best practice for redundancy and smart routing.
Provision a minimum of two NetFoundry-hosted edge routers in the region where you operate the branch and cloud. Refer to the instructions for provisioning a "NetFoundry-Hosted Edge Router" in the article.
Note that a new Teams / Growth account will have self-provisioned NetFoundry-Hosted Edge Routers based on the geo selected during signup, so this step can be skipped.
Snapshot of two NF-hosted routers provisioned in an enterprise account
B) Provision a Branch Office and a cloud edge router
Customer self-hosted Edge Routers act as egress routers for branches to reach the applications/resources hosted in their on-premise or cloud data center.
Create and Register Branch Office Edge Router
Use the deployment guide below to provision a Customer-hosted Edge Router in a branch office.
Create and Register Cloud Edge Router
(Your cloud can be an on-prem DC, AWS, Azure, OCI, GCP, etc.)
Use the deployment guides below to provision a Customer-hosted Edge Router in any public cloud.
If you are trying to connect to a private cloud from a branch, refer to the instructions in the guide below to spin up your customer-hosted ER in a private cloud.
Step 3 - Create Services for branch and cloud
The service definition provides the details of what device (or devices) will be utilized to provide access to services, either on the device itself (Zero Trust Client SDK application) or on the network connected to the device (via its LAN, for example). The service also defines how the endpoints acting as clients to the service will access it, and provides the service hosting details.
In the AWS console, create an EC2 instance for an Nginx server with HTTP access in the same VPC as the NetFoundry Edge Router and make a note of its internal IP address.
- From your Network Dashboard page, navigate to Services.
- Under the Services tab, click on the + sign at the upper right to add a service.
- Choose the type of your service. Clicking on Advanced Services allows you to create services with IP/Port ranges.
- Select Advanced Service as the service type and give the service a name. Give your service a service attribute (optional). Service Attributes are tags applied to a service. The same tag can be applied to other services to form a group of services.
- In the Edge Router Attributes field, specify the public (e.g. NF-hosted) edge routers participating in this service. If all edge routers are participating in this service, leave this field blank.
- The Client Intercept Configuration is the section used to denote how the client endpoints that will be utilizing this service need to access it. A hostname, IP address or IP subnet can be specified, along with the application port numbers or port ranges; multiple individual ports or port ranges can be configured. The hostname can be any contrived hostname to be utilized by the client user. The protocol may be TCP, UDP or both.
- The Destination Configuration is used to configure the terminating endpoints and the destination details if forwarding is disabled. Select one or more endpoints to host the service by their individual endpoint names or endpoint group attributes. Select protocol/address/port forwarding if the destination is reachable on the same hostname/IP, protocol and port or ports as in the Client Intercept Configuration.
If the destination IP/hostname/port is different from the client configuration, you can disable forwarding of the IP/hostname, port or protocol and provide the destination details. The NetFoundry local DNS will resolve the client configuration to the destination configuration. Ensure that the application/destination is reachable on the IP, port or port range and protocol specified in the destination configuration.
- Hit Create to complete the process.
Example - Service for cloud
Example - Service for branch
For additional information or assistance please see our Support Hub article Create and Manage Services.
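The intercept-to-destination mapping described in Step 3 (client intercept with hostname/IP/subnet, port ranges and protocols; destination with per-field forwarding flags) is easy to get wrong when a forwarding flag is cleared without supplying the replacement value. The following is an added example written for this article, not NetFoundry's own software or API; the dataclass names, the hostname hello.cloud.example, the subnet 192.168.10.0/24 and the address 10.0.1.25 are constructed. It models an Advanced Service definition, decides whether a client connection falls inside the intercept, and computes what the hosting endpoint dials.

```python
"""Added example: a model of the Advanced Service configuration from Step 3.
Illustrative code written for this article, not NetFoundry's own software or
API. The dataclass names, the hostname hello.cloud.example, the subnet
192.168.10.0/24 and the address 10.0.1.25 are constructed for the example."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class ClientIntercept:
    """What the client endpoint dials: hostnames, IPs or subnets, port ranges, protocols."""
    addresses: list            # e.g. ["hello.cloud.example"] or ["192.168.10.0/24"]
    ports: list                # inclusive (low, high) ranges, e.g. [(80, 80), (443, 443)]
    protocols: frozenset       # subset of {"tcp", "udp"}


@dataclass
class DestinationConfig:
    """Where the hosting endpoint connects; each forward_* flag means
    'reuse the client's value', otherwise the explicit field is used."""
    forward_address: bool = True
    forward_port: bool = True
    forward_protocol: bool = True
    address: Optional[str] = None
    port: Optional[int] = None
    protocol: Optional[str] = None

    def __post_init__(self):
        # A disabled forward with no explicit value would leave the hosting
        # router with nowhere to send traffic; reject that at definition time.
        if not self.forward_address and not self.address:
            raise ValueError("address forwarding disabled but no destination address given")
        if not self.forward_port and self.port is None:
            raise ValueError("port forwarding disabled but no destination port given")
        if not self.forward_protocol and not self.protocol:
            raise ValueError("protocol forwarding disabled but no destination protocol given")


@dataclass
class Service:
    name: str
    intercept: ClientIntercept
    destination: DestinationConfig
    hosts: list                # endpoint names / attributes hosting the service


def _address_matches(pattern: str, host: str) -> bool:
    """Hostnames match case-insensitively; IPs and CIDR subnets by containment."""
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() == host.lower()
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        return False   # client dialed a hostname but the intercept is an IP/subnet


def is_intercepted(icpt: ClientIntercept, host: str, port: int, proto: str) -> bool:
    """True if a client connection to host:port over proto falls inside the intercept."""
    return (
        proto.lower() in icpt.protocols
        and any(low <= port <= high for low, high in icpt.ports)
        and any(_address_matches(a, host) for a in icpt.addresses)
    )


def resolve_destination(svc: Service, host: str, port: int, proto: str):
    """Return the (address, port, protocol) the hosting endpoint dials for a
    client connection, or None if the service does not intercept it."""
    if not is_intercepted(svc.intercept, host, port, proto):
        return None
    d = svc.destination
    return (
        host if d.forward_address else d.address,
        port if d.forward_port else d.port,
        proto.lower() if d.forward_protocol else d.protocol,
    )


# Constructed sample: the cloud "Hello World" service, with the contrived
# intercept hostname rewritten to the Nginx instance's internal VPC IP.
HELLO_WORLD = Service(
    name="Hello World",
    intercept=ClientIntercept(["hello.cloud.example"], [(80, 80)], frozenset({"tcp"})),
    destination=DestinationConfig(forward_address=False, address="10.0.1.25"),
    hosts=["@cloud-er"],
)

# Constructed sample: the "Branch-NGINX" service exposing a branch subnet with
# protocol/address/port forwarding enabled (destination equals the intercept).
BRANCH_NGINX = Service(
    name="Branch-NGINX",
    intercept=ClientIntercept(["192.168.10.0/24"], [(80, 80), (443, 443)], frozenset({"tcp"})),
    destination=DestinationConfig(),
    hosts=["@branch-er"],
)


if __name__ == "__main__":
    print(resolve_destination(HELLO_WORLD, "hello.cloud.example", 80, "tcp"))
    print(resolve_destination(BRANCH_NGINX, "192.168.10.7", 443, "tcp"))
    print(resolve_destination(BRANCH_NGINX, "192.168.10.7", 8080, "tcp"))  # not intercepted
```

The validation in DestinationConfig is the check worth carrying into any automation around service creation: a service whose forwarding flag is cleared but whose destination field is empty passes visually in a console form yet can never terminate traffic. Connections outside the configured port ranges or protocols are simply not intercepted, which is the intended least-exposure behaviour of a dark service.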
Step 4: Creating an AppWAN
The AppWAN defines the services that can be accessed by one or more client endpoints.
- From your Network Dashboard page, navigate to AppWANs.
- Under the AppWANs tab, click on the + sign at the upper right to add an AppWAN.
- Give your AppWAN a name.
- In the Service Attributes field, specify the services or service attributes to be associated with this AppWAN.
- In the Edge Router Attributes field, specify the edge routers or edge router attributes to be associated with this policy.
- In the Endpoint Attributes field, specify the endpoints or endpoint attributes to be associated with this policy.
- Hit Create to complete the process.
Note: Using an endpoint/service/edge router attribute will select all endpoints/services/edge routers having that specific attribute. The @ symbol is used to tag individual endpoints/services/edge routers and the # symbol is used to tag a group of endpoints/services/edge routers.
For additional information or assistance please see our Support Hub article Create and Manage AppWANs.
A) AppWAN 'Branch to Cloud' is created to allow the branch edge router to connect to the HTTP server in the cloud (in this example, the cloud is AWS).
B) AppWAN 'Cloud to branch' is created to allow the customer-hosted Edge Router in the cloud to connect to the Nginx server in the branch.
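The @/# selector notation from the note above, and the two AppWANs A) and B), are modelled in the following added example. It is illustrative code written for this article, not NetFoundry's software or API; the entity names and tags (branch-er, cloud-er, alice-laptop, cloud-apps, branch-apps, nf-hosted) are constructed. It resolves selectors to entities and computes which endpoint may dial which service across all AppWANs, which is the view to check when auditing a network for over-broad access.

```python
"""Added example: a model of how AppWAN attribute fields select endpoints,
services and edge routers with the '@name' and '#tag' notation from Step 4.
Illustrative code written for this article, not NetFoundry's software or
API; entity names and tags below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """An endpoint, service or edge router with its attribute tags (stored without '#')."""
    name: str
    attributes: frozenset = frozenset()


@dataclass
class AppWAN:
    name: str
    service_attributes: list       # '@service' or '#tag' selectors
    endpoint_attributes: list
    edge_router_attributes: list   # kept for completeness; not evaluated below


def select(selectors, entities):
    """Resolve selectors to a set of entity names. '@x' names exactly one
    entity, '#t' every entity tagged t. An '@' selector that names nothing
    is an error: a policy that silently grants nothing usually hides a typo."""
    by_name = {e.name: e for e in entities}
    chosen = set()
    for sel in selectors:
        if sel.startswith("@"):
            if sel[1:] not in by_name:
                raise ValueError(f"no entity named {sel[1:]!r} for selector {sel}")
            chosen.add(sel[1:])
        elif sel.startswith("#"):
            chosen.update(e.name for e in entities if sel[1:] in e.attributes)
        else:
            raise ValueError(f"selector {sel!r} must start with '@' or '#'")
    return chosen


def access_matrix(appwans, endpoints, services):
    """Union over all AppWANs: endpoint name -> set of service names it may dial."""
    matrix = {e.name: set() for e in endpoints}
    for wan in appwans:
        svcs = select(wan.service_attributes, services)
        for ep in select(wan.endpoint_attributes, endpoints):
            matrix[ep] |= svcs
    return matrix


def can_access(appwans, endpoints, services, endpoint_name, service_name):
    """True if at least one AppWAN grants endpoint_name access to service_name."""
    return service_name in access_matrix(appwans, endpoints, services).get(endpoint_name, set())


# Constructed sample mirroring the article's two AppWANs.
ENDPOINTS = [
    Entity("branch-er", frozenset({"branch", "customer-hosted"})),
    Entity("cloud-er", frozenset({"cloud", "customer-hosted"})),
    Entity("alice-laptop", frozenset({"branch-users"})),   # in no AppWAN: no access
]
SERVICES = [
    Entity("Hello World", frozenset({"cloud-apps"})),
    Entity("Branch-NGINX", frozenset({"branch-apps"})),
]
APPWANS = [
    AppWAN("Branch to Cloud", ["#cloud-apps"], ["@branch-er"], ["#nf-hosted"]),
    AppWAN("Cloud to branch", ["@Branch-NGINX"], ["@cloud-er"], ["#nf-hosted"]),
]


if __name__ == "__main__":
    for ep, svcs in access_matrix(APPWANS, ENDPOINTS, SERVICES).items():
        print(f"{ep}: {sorted(svcs) or '(no services)'}")
```

Because group tags grant access to every current and future entity carrying the tag, the access matrix is the artifact to re-run whenever an endpoint is registered with a new attribute; an endpoint that appears against more services than its role needs is the signal that a # selector is broader than intended.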
Step 5 - Test your application access from branch to cloud and vice versa
Inter-cloud Application access
Test the app in the cloud from the branch:
Service "Hello World" is accessed from a machine connected to the branch ER.
The application or server is accessed via a private hostname that is not reachable via the internet. The application is therefore dark to the outside world and reachable only within the NetFoundry network.
Test a server in the branch from the cloud:
Service "Branch-NGINX" is accessed from a server in AWS.
The application or server is accessed via a private hostname that is not reachable via the internet. The application is therefore dark to the outside world and reachable only within the NetFoundry network.