NetFoundry Platform Architecture
Introduction
NetFoundry provides a zero-trust, dark-network alternative to traditional approaches such as VPNs and publicly exposed SSL/TLS listeners for IoT and Edge networks. NetFoundry's software orchestration, APIs and "Network as Code" tooling also help manage the scale of deploying and operating IoT / Edge networks. This guide covers the steps to set up a NetFoundry network for IoT / Edge embedded requirements.
Network Diagram & Lab Set-Up:
In our setup, the IoT / Edge device is an OpenWrt-based router, a Teltonika RU240T. A computer connected to the Teltonika LAN is the source device that accesses the application. The Teltonika SDK toolchain is used to compile the NetFoundry Linux C SDK tunneler (ziti-edge-tunnel) as a Linux package for the device, and the Teltonika appliance runs that tunneler. At the cloud end, a "Hello World" web server in AWS sits behind a NetFoundry customer edge router. Both the web server in the cloud and the computer in our lab are on private subnets. Services are created in both directions, from the computer to the web server and from the web server to the computer, to demonstrate that either side can host and access services.
Pre-requisites :
1. The edge routers and endpoints need to reach the NetFoundry controller and the NetFoundry-hosted edge routers for registration and operation. If you have firewall ACL policies, make sure the required ports, IPs and URLs are reachable outbound from the device and the customer edge router.
2. Exempt NetFoundry traffic from any deep packet inspection or TLS-intercepting proxy on the path. The control and data channels use mTLS with end-to-end encryption, so a middlebox that terminates TLS will break registration and data transport rather than inspect it.
The firewall requirements guide lists the ports and addresses:
https://support.netfoundry.io/hc/en-us/articles/4402361752717-Firewall-Requirements
Step 1: Create your NetFoundry account
If you are an existing customer with a NetFoundry Cloud account, proceed to step 2. Otherwise, create an account.
For additional information or assistance please see our Support Hub article Product v7-Create and Manage Networks.
Step 2: Create the customer edge router hosting the service:
Customer self-hosted Edge Routers (CERs) act as egress routers: endpoints and other CERs reach, through them, the services terminated on the CER or on the network behind it.
For this lab demonstration, we have set up the customer edge router at AWS Singapore where the test application resides.
Create and Register Customer Edge Router
- From your Network Dashboard page, navigate to Edge Routers.
- Under the Edge Routers tab, click on the + sign at the upper right to add an edge router.
- Give your edge router a name.
- Give your edge router a router attribute (optional). Router attributes are tags applied to a router. The same tag can be applied to other edge routers to form a collection of Customer-hosted Edge Routers. This attribute is what you reference later in Edge Router Policies and in a service's Edge Router Attributes field (step 5).
- Select Customer Hosted as your hosting type.
- Hit Create to complete the process.
- A new customer-hosted edge router is created together with a registration key. This registration key is required to register the edge router to the network.
- Download the JWT registration token. Treat it as a credential: it is a single-use enrollment token for this router, so transfer it over a trusted channel, store it securely, and delete it once registration has completed.
See more details here - https://support.netfoundry.io/hc/en-us/articles/360044956032-Create-and-Manage-Edge-Routers on the NetFoundry Support Hub.
Step 3: Provision NetFoundry-hosted Edge routers to build the fabric
NetFoundry-hosted Edge Routers provide data transport as part of the fabric; endpoints and customer edge routers dial out to them. At least one publicly reachable Edge Router is required for endpoints and edge routers to form a fabric, and a minimum of two hosted ERs is best practice for redundancy and smart routing.
- From your Network Dashboard page, navigate to Edge Routers.
- Under the Edge Routers tab, click on the + sign at the upper right to add an edge router.
- Give your edge router a name.
- Give your edge router a router attribute (optional). Router attributes are tags applied to a router. The same tag can be applied to other edge routers to form a group of NetFoundry-hosted Edge Routers.
- Select NetFoundry Hosted as your hosting type, and choose the Data Center region strategic to Cloud Resources.
- Hit Create to commence the provisioning of your edge router.
- Once your edge router is registered, it starts accepting fabric connections dialed outbound to it by customer-hosted edge routers and endpoints.
See more details here - https://support.netfoundry.io/hc/en-us/articles/360044956032-Create-and-Manage-Edge-Routers on the NetFoundry Support Hub.
For this lab demonstration, we have created hosted edge routers at AWS Singapore and US East.
Step 4: Build the NetFoundry executable for the Teltonika OpenWRT edge device
A software development kit (SDK) provides the cross-compilation toolchain and build system needed to create packages for a particular platform or device.
1. OpenWrt hardware manufacturers provide their own pre-configured SDKs for download. For our lab, we use a Teltonika RU240T as the IoT / Edge device.
You can download SDKs from one of the links in the section below, based on the choice of the Teltonika device.
https://wiki.teltonika-networks.com/view/Software_Development_Kit
2. For instructions on how to compile your own firmware using the SDK package, follow the Teltonika instructions to build the toolchain and target image for your platform/device (this takes a while):
https://wiki.teltonika-networks.com/view/RUTOS_Software_Development_Kit_instructions
https://wiki.teltonika-networks.com/view/Legacy_RUTOS_Software_Development_Kit_instructions
You must compile the SDK before compiling ziti-edge-tunnel. After the SDK compile, note the following two values:
- ZT_WORKDIR (the working directory into which you extracted the SDK tarball)
- SDK_DIRNAME (the SDK directory name); for this device family it is most likely "rutos-ath79-rut9-gpl"
In our example, ZT_WORKDIR is "/home/ziggy/rutos-ath79-rut9-gpl" and SDK_DIRNAME is "rutos-ath79-rut9-gpl".
3. The Ziti tunneler SDK (ziti-tunnel-sdk-c) is the source tree from which ziti-edge-tunnel is built. You do not need to check out the tunneler code by hand; the build script specifies the version and is prepopulated with "latest", which fetches the most recent tunneler release. For a reproducible and reviewable build, pin a specific release tag instead of "latest" and record the version you shipped to the device.
4. Building ziti-edge-tunnel for Teltonika
Use the script build_teltonika.bash (https://raw.githubusercontent.com/netfoundry/iot_build_scripts/main/build_teltonika.bash) to build the tunneler. Transfer the script to your SDK build machine and edit it to set the correct ZT_WORKDIR and SDK_DIRNAME values (from item 2 above). Review the script before running it: it runs as root and fetches sources from the network.
Run the script with root privileges:
sudo ./build_teltonika.bash
Once the compile is done, ZT_WORKDIR contains the Teltonika SDK directory, the vcpkg directory and the tunnel SDK directory, alongside the SDK tarball and a generated toolchain.cmake:
$ ls -l
total 98304
-rw-r--r-- 1 root root 100644952 Nov 1 03:23 RUT9_R_GPL_00.07.02.7.tar.gz
drwxr-xr-x 17 ziggy ziggy 4096 Nov 2 15:24 rutos-ath79-rut9-gpl
-rw-r--r-- 1 root root 789 Nov 2 16:44 toolchain.cmake
drwxr-xr-x 15 root root 4096 Nov 2 15:36 vcpkg
drwxr-xr-x 15 root root 4096 Nov 2 15:36 ziti-tunnel-sdk-c-0.22.12
5. Move the executable and the JWT token to the Teltonika device:
The ziti-edge-tunnel executable is under the tunnel SDK directory:
$ ls -l ziti-tunnel-sdk-c-0.22.12/build/programs/ziti-edge-tunnel/
total 4452
drwxr-xr-x 4 root root 4096 Nov 2 16:44 CMakeFiles
-rw-r--r-- 1 root root 2901 Nov 2 15:39 cmake_install.cmake
-rw-r--r-- 1 root root 19002 Nov 2 15:39 Makefile
-rwxr-xr-x 1 root root 4527012 Nov 2 16:44 ziti-edge-tunnel
- Copy the binary and the JWT directly to the device, for example with scp over the LAN. Before copying, confirm the binary was cross-compiled for the target (file ziti-edge-tunnel should report a MIPS ELF executable, not an x86 one).
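Before the JWT leaves the build host, it is worth looking inside it. The following is an added example, not code from the NetFoundry guide or the OpenZiti project: a POSIX sh helper that decodes the enrollment token's payload and checks that it has not expired and is a one-time enrollment token. The claim names iss, sub, em and exp and the value "ott" are assumptions about the token format, the sample token is constructed here with a dummy signature segment, and no signature verification is performed.

```sh
#!/bin/sh
# Inspect a NetFoundry/OpenZiti enrollment JWT before shipping it to the device.
# Added example; claim names (iss, sub, em, exp) and the "ott" value are assumptions.

# Decode one base64url segment of a JWT, restoring the padding base64 -d needs.
b64url_dec() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Encode to unpadded base64url (used only to build the constructed sample token).
b64url_enc() {
    printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

# Print the JSON payload (second segment) of a JWT.
jwt_payload() {
    b64url_dec "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a top-level string or number claim by name from the payload.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Return 0 if the token is unexpired at $2 (epoch seconds, default: now) and
# carries the one-time-token enrollment method; print the reason otherwise.
jwt_check() {
    now=${2:-$(date +%s)}
    exp=$(jwt_claim "$1" exp)
    em=$(jwt_claim "$1" em)
    [ -n "$exp" ] || { echo "no exp claim" >&2; return 1; }
    [ "$exp" -gt "$now" ] || { echo "enrollment token expired at $exp" >&2; return 1; }
    [ "$em" = "ott" ] || { echo "unexpected enrollment method: $em" >&2; return 1; }
    return 0
}

# Constructed sample token (not a real NetFoundry JWT; the signature is a dummy).
SAMPLE_HDR='{"alg":"RS256","typ":"JWT"}'
SAMPLE_PAYLOAD='{"iss":"https://ctrl.example.com:443","sub":"teltonika-lab","em":"ott","exp":4102444800}'
SAMPLE_JWT="$(b64url_enc "$SAMPLE_HDR").$(b64url_enc "$SAMPLE_PAYLOAD").c2lnbmF0dXJl"

# Usage: ./check_jwt.sh teltonika-lab.jwt
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    tok=$(tr -d '\r\n' < "$1")
    echo "controller: $(jwt_claim "$tok" iss)"
    echo "identity:   $(jwt_claim "$tok" sub)"
    jwt_check "$tok" && echo "token OK"
fi
```

The iss claim tells you which controller the device will dial during enrollment, which is the host to test against the firewall requirements from the pre-requisites section; an expired token fails enrollment on the device with far less context than this check gives you on the build host.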
6. Register the Ziti edge tunnel on the Teltonika device with the JWT
- ziti-edge-tunnel needs the following libraries. If they are not already installed on the device, you can find them under the SDK directory:
- bin/packages/mips_24kc/packages/libuv1_1.40.0-3_mips_24kc.ipk
- bin/targets/ath79/generic/packages/libatomic1_8.4.0-3_mips_24kc.ipk
- Transfer them to the device and install them with "opkg install <package>".
- Register the identity by running "./ziti-edge-tunnel enroll -j <jwt file> -i <identity file output>". Enrollment is one-time: it consumes the JWT and writes an identity file containing the device's certificate and private key. Restrict the identity file to root (chmod 600) and delete the JWT afterwards.
7. Run the Ziti edge tunnel on the Teltonika device
The Teltonika Ziti edge tunnel is online
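To carry out items 6 and 7 on the device in a repeatable way, here is an added example that is not the guide's or the project's own code: a busybox-sh install script for the Teltonika that installs the two runtime packages, enrolls the identity, locks down the key material, and registers ziti-edge-tunnel as a procd service so it starts at boot and is respawned if it exits. The install paths, the service name, the requirement for /dev/net/tun (kmod-tun), and the use of the tunneler's run -i <identity> mode are assumptions; the enroll syntax and the package file names come from item 6 above.

```sh
#!/bin/sh
# Device-side install of ziti-edge-tunnel on RUTOS/OpenWrt (busybox ash).
# Added example; paths, service name and the kmod-tun requirement are assumptions.

ZET_BIN=/usr/bin/ziti-edge-tunnel
ZITI_DIR=/etc/ziti
IDENTITY=$ZITI_DIR/teltonika.json
INIT=/etc/init.d/ziti-edge-tunnel

# Install the two runtime libraries from the SDK build output (copied alongside),
# skipping any that opkg already reports as installed.
install_deps() {
    for pkg in libuv1_1.40.0-3_mips_24kc.ipk libatomic1_8.4.0-3_mips_24kc.ipk; do
        opkg list-installed | grep -q "^${pkg%%_*} " || opkg install "$pkg" || return 1
    done
}

# One-time enrollment: consumes the JWT and writes the identity (cert + private key).
enroll_identity() {
    jwt=$1
    mkdir -p "$ZITI_DIR" && chmod 700 "$ZITI_DIR"
    "$ZET_BIN" enroll -j "$jwt" -i "$IDENTITY" || return 1
    chmod 600 "$IDENTITY"   # private key inside; root only
    rm -f "$jwt"            # the token is single-use; do not leave it on the flash
}

# Render a procd init script so the tunneler survives reboots and is respawned.
render_init_script() {
    cat <<EOF
#!/bin/sh /etc/rc.common
# ziti-edge-tunnel service (added example)
USE_PROCD=1
START=95
STOP=10

start_service() {
    [ -c /dev/net/tun ] || { logger -t ziti "no /dev/net/tun; is kmod-tun installed?"; return 1; }
    procd_open_instance
    procd_set_param command $ZET_BIN run -i $IDENTITY
    procd_set_param respawn 3600 5 5
    procd_set_param stdout 1
    procd_set_param stderr 1
    procd_close_instance
}
EOF
}

# Write the init script, enable it for boot and start it now.
install_service() {
    render_init_script > "$INIT" && chmod 755 "$INIT"
    "$INIT" enable && "$INIT" start
}

# Usage on the device:  ./install_zet.sh teltonika-lab.jwt
case "${1:-}" in
    "") ;;   # run without arguments: only define the functions
    *) install_deps && enroll_identity "$1" && install_service ;;
esac
```

After the service starts, logread -e ziti shows the tunneler's output because stdout and stderr are handed to procd; the identity file is the device's long-term credential, so back it up only if your threat model allows a copy of the private key to exist off the device.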
Step 5: Create service, APPWAN & ER- Policy
A) Service
The service definition specifies which device or devices provide access to a service, either on the device itself (a zero-trust client SDK application) or on the network connected to the device (via its LAN, for example). It also defines how the endpoints acting as clients reach the service, and the hosting details.
- From your Network Dashboard page, navigate to Services.
- Under the Services tab, click on the + sign at the upper right to add a service.
- Choose the type of your service. Clicking on Advanced Services allows you to create services with IP/Port ranges.
- Select Advanced Service as the service type and give the service a name. Give your service a service attribute (optional). Service Attributes are tags applied to a service. The same tag can be applied to other services to form a group of services.
- In the Edge Router Attributes field, specify the public (i.e. NetFoundry-hosted) edge routers participating in this service. Leave this field blank if all edge routers participate.
- The Client intercept configuration is the section used to denote how the Client Endpoints that will be utilizing this service need to access it. There can be a hostname or IP Address or IP subnet specified, along with the application port numbers or port ranges. Multiple individual ports or port ranges can be configured. The hostname can be any contrived hostname to be utilized by the Client user. The protocol - TCP or UDP or both may be allowed.
- The Destination Configuration specifies the terminating endpoints and, if forwarding is disabled, the destination details. Select one or more endpoints to host the service, by individual endpoint name or by endpoint attribute. Select protocol / address / port forwarding if the destination is reachable on the same hostname / IP / protocol / port(s) as in the client intercept configuration.
If the destination IP / hostname / port / protocol differs from the client configuration, disable forwarding of that item and provide the destination value. NetFoundry's local DNS resolves the client configuration to the destination configuration. Ensure the application is reachable from the hosting endpoint on the IP / port / port range / protocol specified in the destination configuration.
- Hit Create to complete the process.
Service for the APP at AWS
Service for the Teltonika device management portal:
Note that services can also be hosted on the computer connected to the Teltonika RU240T.
For additional information or assistance please see our Support Hub article Create and Manage Services.
B) APPWAN
The AppWAN defines the services that can be accessed by one or more client endpoints.
- From your Network Dashboard page, navigate to AppWANs.
- Under the AppWANs tab, click on the + sign at the upper right to add an AppWAN.
- Give your AppWAN a name.
- In the Service Attributes field, specify the services or service attributes to be associated with this AppWAN.
- In the Endpoint Attributes field, specify the endpoints or endpoint attributes to be associated with this policy.
- Click Create to complete the process.
Note: Using an endpoint or service attribute selects every endpoint or service carrying that attribute. The @ prefix names an individual endpoint or service; the # prefix names a group attribute shared by endpoints, services or edge routers. Prefer narrow attributes over broad ones so an AppWAN grants each endpoint only the services it needs.
APPWAN to access services hosted on Teltonika RU240T:
APPWAN to access the hello world app hosted in AWS from the computer connected to TeltonikaRU240T:
For additional information or assistance please see our Support Hub article Create and Manage AppWANs.
C) ER-Policy:
Edge Router Policies define which Edge Routers specific Endpoints may use (for network transport segregation or optimization).
- From your Network Dashboard page, navigate to Edge Routers.
- Under the Edge Router Policies tab, click on the + sign at the upper right to add a policy. An Edge Router Policy allows a specific endpoint or group of endpoints to use a specific edge router or group of edge routers.
- Give your edge router policy a name.
- In the Edge Router Attributes field, specify the edge routers to be associated with this policy. Use of edge router attribute will select all edge routers having that specific attribute.
- In the Endpoint Attributes field, specify the endpoints to be associated with this policy. Use of endpoint attribute will select all endpoints having that specific attribute.
- Hit Create to complete the process.
To know more about Edge Routers Policies go to the Create and Manage Edge Router Policies article on the NetFoundry Support Hub.
Step 6: Access your services
Teltonika device management portal being accessed over NetFoundry network
Laptop connected to Teltonika RU240T accessing hello world app hosted in AWS
The application is accessed via a private hostname that is neither resolvable nor reachable from the public internet: the web server sits on a private subnet with no inbound exposure, so it is dark to the outside world and reachable only by identities the AppWAN authorizes within the NetFoundry network.