Getting started with NetFoundry Zero Trust Networking - Google Cloud Example

 

Getting Started is Easy

We'll walk you through the simple steps below to spin up your first network on GCP.

 

1. PREREQUISITES

Sign up for a GCP account, then access the NetFoundry platform in the GCP Marketplace. If you don't have a NetFoundry account yet, sign up for one. These are all free.


  • Sign up for a GCP Account
  • Launch in GCP Marketplace
  • Sign up for NetFoundry

2. CREATING A NETWORK

  • Log in to your NetFoundry Console at https://nfconsole.io/.
  • Once logged in, you will be prompted to create your network.
  • Give your network a name.
  • Hit Create My Network to commence the provisioning of your network.
  • It will take approximately 5-10 minutes for the network provisioning to complete. Once your network is ready, you will see the spinning globe icon turning green.


3. CREATING EDGE ROUTERS

A. Adding a NetFoundry-hosted Edge Router - aka Fabric Router

NetFoundry-hosted edge routers form the fabric of your network. They are public routers that endpoints dial in order to reach a destination service across the fabric; one or more hosted edge routers together make up the fabric.

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Manage Edge Routers tab, click on the + sign at the upper right to add an edge router.
  • Give your edge router a name.
  • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. Apply the same tag to other routers to form a group of routers. For this demo, we will use #demopublic.
  • Select NetFoundry Hosted as your hosting type, and choose the Data Center region that is close to where your endpoints are located.
  • Hit Create to commence the provisioning of your edge router.
  • Once your edge router is registered, it will accept fabric link connections initiated by customer-hosted (private) edge routers, as well as connections from endpoints dialing the fabric.


B. Adding a Customer-hosted Edge Router

Customer-hosted edge routers with link listeners turned off are private routers: they initiate outbound connections to the NetFoundry-hosted routers, so no inbound firewall rule is needed for the fabric link.

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Manage Edge Routers tab, click on the + sign at the upper-right to add an edge router.
  • Give your edge router a name.
  • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. Apply the same tag to other routers to form a group of routers. For this demo, we will use #demopublic.
  • Select Customer Hosted as your hosting type.
  • Hit Create to complete the process.
  • Copy your edge router registration key. You may also opt to save it as a JWT or a config file.
  • Download your VM here: https://netfoundry.io/resources/support/downloads/networkversion7/#zitirouters

C. Launching your Edge Router in GCP Marketplace


  • In the GCP console, search the Marketplace for NF, select the NF Edge Router listing, and click Launch.
  • In the 'Deployment name' section, enter a name of your choice for the instance.
  • In the Zone section, choose the zone (and therefore the region) in which to launch the appliance. Launch it in the same region you chose for your NetFoundry-hosted edge router.
  • In 'Machine type', choose the instance type and size for the appliance. For good performance, pick small (2 vCPU / 8 GB RAM) or larger.
  • Under Boot disk type, the default selection (SSD Persistent Disk) is fine; the appliance does minimal disk I/O, so the disk type has little effect on performance.
  • Boot disk size in GB: the instance comes with a 10 GB boot disk by default.
  • If you would like to apply an instance-level SSH key, provide the public key in the GCP format (username:ssh-rsa AAAA... username).
  • Under 'Networking', select the VPC network and subnet in which to place the appliance, with External IP set to Ephemeral.
  • In the 'Firewall' section, check the box only if you need SSH access to the instance, and restrict the source IP ranges to your own addresses. Do not leave this open to 0.0.0.0/0.
  • IP forwarding must be turned on if the router is to forward traffic to applications inside your VPC.
  • The 'EdgeRouterRegistrationKey' field takes the edge router registration key, which is passed into the image at launch to automate the registration step. Copy it from the corresponding Edge Router page in the NetFoundry console. Treat it as a secret: it is a one-time enrollment token.


  • If you did not supply the registration key at launch, you can SSH to the instance once the deployment completes and register it manually.

4. CREATING AN ENDPOINT

  • From your Network Dashboard page, navigate to Endpoints.
  • Under the Manage Endpoints tab, click on the + sign at the upper right to add an endpoint.
  • Give your endpoint a name.
  • Give your endpoint an endpoint attribute. Endpoint attributes are tags applied to an endpoint. Apply the same tag to other endpoints to form a group of endpoints. For this demo, we will add #demouser.
  • Hit Create to complete the process.
  • You may download your registration key in .jwt file format or scan the client registration key QR code.
  • Download an installer for your operating system here: https://netfoundry.io/resources/support/downloads/networkversion7/#zititunnelers


 

5. CREATING AN EDGE ROUTER POLICY

An edge router policy is needed for endpoints to dial to the fabric.

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Manage Edge Routers Policies tab, click on the + sign at the upper right to add a policy. An Edge Router Policy allows a specific endpoint or group of endpoints to have access to a specific edge router or group of edge routers.
  • Give your edge router policy a name.
  • In the Edge Router Attributes field, specify the edge routers to be associated with this policy. For this demo, we will add the #demopublic router attribute to select all edge routers having that router attribute.
  • In the Endpoint Attributes field, specify the endpoints to be associated with this policy. For this demo, we will add the #demouser endpoint attribute to select all endpoints having that endpoint attribute.
  • Hit Create to complete the process.


6. CREATING A SERVICE

  • From your Network Dashboard page, navigate to Services.
  • Under the Manage Services tab, click on the + sign at the upper right to add a service.
  • Choose the type of your service. Clicking on Advanced Services allows you to create services with IP/Port ranges. For this demo, we will use Simple Service as the service type.
  • Give your service a service attribute (optional). Service Attributes are tags applied to a service. Apply the tag to other services to form a group of services. For this demo, we will add #demoservice.
  • In the Edge Router Attributes field, specify the edge routers that may carry this service. Leave the field blank to allow all edge routers.
  • In the Client Configuration box, type in mydemoapp.ziti for the Intercept Host Name/IP field and 80 for the Port field.
  • Toggle the Native Application SDK Based to No.
  • In the Host Configuration box, select Endpoint Hosted as your service host.
  • Select the associated endpoints capable of accepting connections from clients.
  • Select TCP for the Protocol Type.
  • In the Host Name/IP field, enter the IP address for the demo server. This is the internal IP address of the Web server hosted in the GCP.
  • Use 80 for the Port field.
  • Hit Create to complete the process.


 

7. CREATING AN AppWAN

  • From your Network Dashboard page, navigate to Services.
  • Under the Manage AppWANs tab, click on the + sign at the upper right to add an AppWAN.
  • Give your AppWAN a name.
  • In the Service Attributes field, specify the services or service groups to be associated with this AppWAN. For this demo, we will add the #demoservice service attribute to select all services having that service attribute.
  • In the Edge Router Attributes field, specify the edge routers to be associated with this policy. For this demo, we will add the #demopublic router attribute to select all edge routers having that router attribute.
  • In the Endpoint Attributes field, specify the endpoints to be associated with this policy. For this demo, we will add the #demouser endpoint attribute to select all endpoints having that endpoint attribute.
  • Hit Create to complete the process.
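Steps 5, 6 and 7 together decide who can reach what through which routers: the Edge Router Policy ties endpoints to routers, the service's own Edge Router Attributes field limits which routers may carry the service (blank means all), and the AppWAN ties endpoints, services and routers together. The following model is an added example written for this article, not NetFoundry code or console output. It implements the '#attribute' tag selection used above, plus '@name' for naming a single object, and it assumes (an assumption, not stated on the page) that an empty router selector on an AppWAN also means "all routers". The endpoints, routers and names other than #demouser, #demopublic and #demoservice are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Node:
    """An endpoint, edge router or service: a name plus the '#tags' applied to it."""
    name: str
    attributes: Set[str] = field(default_factory=set)


def select(selectors: List[str], pool: Dict[str, Node]) -> Set[str]:
    """Resolve '#tag' (every node carrying the tag) and '@name' (one node) selectors.

    An empty selector list means every node in the pool, mirroring the console's
    'leave blank for all edge routers' rule on the service form.
    """
    if not selectors:
        return set(pool)
    chosen: Set[str] = set()
    for sel in selectors:
        if sel.startswith("#"):
            chosen |= {n.name for n in pool.values() if sel in n.attributes}
        elif sel.startswith("@"):
            if sel[1:] in pool:
                chosen.add(sel[1:])
        else:
            raise ValueError(f"selector must start with '#' or '@': {sel!r}")
    return chosen


@dataclass
class Service(Node):
    router_selectors: List[str] = field(default_factory=list)  # service's Edge Router Attributes


@dataclass
class EdgeRouterPolicy:          # step 5: which endpoints may dial which routers
    router_selectors: List[str]
    endpoint_selectors: List[str]


@dataclass
class AppWAN:                    # step 7: which endpoints may use which services, over which routers
    service_selectors: List[str]
    router_selectors: List[str]
    endpoint_selectors: List[str]


@dataclass
class Network:
    endpoints: Dict[str, Node]
    routers: Dict[str, Node]
    services: Dict[str, Service]
    er_policies: List[EdgeRouterPolicy]
    appwans: List[AppWAN]

    def routers_for(self, endpoint: str, service: str) -> Set[str]:
        """Edge routers through which `endpoint` may dial `service`; empty means no access."""
        # 1. Some AppWAN must grant this endpoint this service.
        appwan_routers: Set[str] = set()
        for aw in self.appwans:
            if (endpoint in select(aw.endpoint_selectors, self.endpoints)
                    and service in select(aw.service_selectors, self.services)):
                appwan_routers |= select(aw.router_selectors, self.routers)
        if not appwan_routers:
            return set()
        # 2. Some edge router policy must let this endpoint dial a router at all.
        policy_routers: Set[str] = set()
        for p in self.er_policies:
            if endpoint in select(p.endpoint_selectors, self.endpoints):
                policy_routers |= select(p.router_selectors, self.routers)
        # 3. The router must also be one the service itself is allowed to use.
        service_routers = select(self.services[service].router_selectors, self.routers)
        return appwan_routers & policy_routers & service_routers


def build_demo() -> Network:
    """Constructed data following the article's tags; extra objects show what is excluded."""
    endpoints = {
        "laptop": Node("laptop", {"#demouser"}),
        "contractor": Node("contractor", {"#contractor"}),  # in no AppWAN: no service
        "kiosk": Node("kiosk", {"#kiosk"}),                  # in an AppWAN but no ER policy
    }
    routers = {
        "hosted-us": Node("hosted-us", {"#demopublic"}),
        "gcp-private": Node("gcp-private", {"#demopublic"}),
        "hosted-eu": Node("hosted-eu", {"#eu"}),             # not selected by #demopublic
    }
    services = {"mydemoapp.ziti": Service("mydemoapp.ziti", {"#demoservice"}, router_selectors=[])}
    er_policies = [EdgeRouterPolicy(["#demopublic"], ["#demouser"])]
    appwans = [
        AppWAN(["#demoservice"], ["#demopublic"], ["#demouser"]),
        AppWAN(["#demoservice"], ["#demopublic"], ["#kiosk"]),
    ]
    return Network(endpoints, routers, services, er_policies, appwans)


def demo() -> Dict[str, Set[str]]:
    net = build_demo()
    return {e: net.routers_for(e, "mydemoapp.ziti") for e in net.endpoints}


if __name__ == "__main__":
    for endpoint, routers in demo().items():
        print(f"{endpoint:>10}: {sorted(routers) or 'NO ACCESS'}")
```

The kiosk case is the one the note under step 5 warns about: an AppWAN alone is not enough, because without an Edge Router Policy the endpoint has no router it is allowed to dial, so the intersection is empty even though the service has been granted.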


 

8. INSTALLING A ZITI EDGE CLIENT

Note: You must have an endpoint already created for you via the NetFoundry console. If not, follow all the instructions laid out in CREATING AN ENDPOINT section above before proceeding in this section.

  • Download an installer for your operating system here: https://netfoundry.io/resources/support/downloads/networkversion7/#zititunnelers
  • Run the installer (the .exe on Windows) and complete the installation process.
  • Confirm that your Ziti Desktop Edge client is in Start mode (running) before adding your JWT (registration key). If you deleted or failed to download your JWT, download a new one by going back to Manage Endpoints > click on your endpoint > Download Key.
  • Click Add Identity and select the JWT (registration key) you downloaded. Registration keys are single-use: once the identity is registered, the key cannot be reused.
  • After a few seconds, your Ziti Edge Client should now be enabled and running.
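Registration keys appear in step 3 (the edge router key passed to the GCP instance) and again here (the endpoint JWT). Both are JSON Web Tokens with an expiry, so a key copied into a deployment template days later can silently fail to enroll. The script below is an added example for this article, not NetFoundry or OpenZiti code: it decodes a registration JWT WITHOUT verifying its signature (verification is the enrolling client's job, against the controller) and reports the issuing controller, enrollment method and time left. The claim names (iss, sub, exp, em) follow the OpenZiti enrollment token format as I understand it; the sample token is constructed inline with a placeholder signature and is not a real key.

```python
import base64
import json
import time
from datetime import datetime, timezone
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jwt_unverified(token: str) -> Dict[str, Any]:
    """Split a JWT into header and claims. The signature is NOT checked here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
    }


def check_registration_key(token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Report what a registration key points at and whether it is still usable."""
    parsed = parse_jwt_unverified(token)
    header, claims = parsed["header"], parsed["claims"]
    now = time.time() if now is None else now
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("unsigned token (alg=none)")
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        when = datetime.fromtimestamp(exp, timezone.utc).isoformat()
        problems.append(f"expired at {when}")
    issuer = str(claims.get("iss", ""))
    if not issuer.startswith("https://"):
        problems.append("issuer is not an https URL")
    return {
        "controller": issuer,
        "method": claims.get("em"),        # e.g. 'ott' for an endpoint, 'erott' for an edge router
        "subject": claims.get("sub"),
        "expires_at": exp,
        "seconds_left": (exp - now) if exp is not None else None,
        "ok": not problems,
        "problems": problems,
    }


def make_sample_jwt(exp: int, method: str = "ott") -> str:
    """Constructed sample only: real keys are signed by the controller; this one is not."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": "https://controller.example.invalid:443",   # assumed placeholder issuer
        "sub": "demo-endpoint",
        "aud": [""],
        "exp": exp,
        "jti": "00000000-0000-0000-0000-000000000000",
        "em": method,
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    import sys
    token = sys.argv[1] if len(sys.argv) > 1 else make_sample_jwt(int(time.time()) + 3600)
    print(json.dumps(check_registration_key(token), indent=2))
```

Run it with the path-less token string as the first argument (or pipe the .jwt file contents) before launching the GCP deployment; if it reports "expired", download a fresh key from the console rather than retrying enrollment.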

9. TEST CONNECTION WITH THE HELLO WORLD WEBPAGE

  • Open your web browser and go to http://mydemoapp.ziti.
  • The Hello World page served by the web server should appear, which concludes this demo.
  • Congratulations! You have successfully accessed a private service via the NetFoundry network.
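When the browser test fails, the useful question is which stage failed: does mydemoapp.ziti resolve at all (the tunneler intercepts it only if the identity is enrolled and an AppWAN grants the service), and if so does a TCP connection through the fabric reach the web server (host configuration, hosting endpoint or router, and edge router policy on the hosting side). The following checker is an added example for this article, not NetFoundry code; the hostname and port are the demo's, the diagnostic messages are mine, and it needs a running Ziti client on the machine to show the success path.

```python
import socket
from typing import Any, Dict


def check_intercept(hostname: str, port: int, timeout: float = 3.0) -> Dict[str, Any]:
    """Resolve the intercept hostname, then open a TCP connection and read the HTTP status line."""
    result: Dict[str, Any] = {
        "host": hostname, "port": port, "resolved": False, "address": None,
        "connected": False, "status_line": None, "error": None,
    }
    try:
        # With the tunneler running, a .ziti name resolves to an address the tunneler
        # intercepts locally; the real server IP is never exposed to the client.
        result["address"] = socket.gethostbyname(hostname)
        result["resolved"] = True
    except socket.gaierror as exc:
        result["error"] = f"name resolution failed: {exc}"
        return result
    try:
        with socket.create_connection((result["address"], port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"HEAD / HTTP/1.0\r\nHost: {hostname}\r\n\r\n".encode())
            first_line = s.recv(256).split(b"\r\n", 1)[0]
        result["connected"] = True
        result["status_line"] = first_line.decode(errors="replace")
    except OSError as exc:
        result["error"] = f"connect failed: {exc}"
    return result


def diagnose(result: Dict[str, Any]) -> str:
    """Map the failing stage to the part of the setup to re-check."""
    if not result["resolved"]:
        return ("not intercepted: tunneler not running, identity not enrolled, "
                "or no AppWAN grants this endpoint the service")
    if not result["connected"]:
        return ("intercepted but hosting side failed: check the host config IP/port, "
                "that the hosting endpoint or router is online, and that an edge router "
                "policy covers both sides")
    return "ok"


if __name__ == "__main__":
    r = check_intercept("mydemoapp.ziti", 80)
    print(r)
    print(diagnose(r))
```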

10. REMOVAL OF GCP RESOURCES

Once the demo is complete, you may now remove your GCP resources. From the GCP console, select the instances from the appropriate 'Resources' and then choose Delete to complete the process.
