Introduction
When you want to see or restrict the source IP address of devices that access a NetFoundry service, enable the source transparency feature. This guide walks through a practical demonstration of source transparency, including the configuration steps. The feature is currently supported only when the traffic ingresses into the NetFoundry network through an edge router.
Source Transparency
Enabling source transparency makes the source IP of the device visible at the destination application or host. While it is disabled, the source IP is NATed to the IP of the egress router or endpoint. Make sure the destination network has a route back to the source IPs; without it the return traffic never reaches the egress router.
Note: Do not use "0.0.0.0/0" in the allowed source addresses field, as the egress Edge Router would provision that prefix as a route on its loopback interface.
Sample Architecture
For this demonstration, we set up a network between an ER running on an on-premises VMware VM (assume this is the headquarters; the ingress ER) and an ER in Azure South India that hosts the target application (the egress ER). The NetFoundry-hosted edge routers are provisioned in Azure and AWS in India. We expect to see the IP address of the device behind the ingress ER that accesses the service at the destination web server in Azure.
After creating the network, the following steps were followed:
1. Provision NetFoundry-hosted Edge Routers
At least one publicly accessible Edge Router is required for endpoints and edge routers to form a fabric. Having a minimum of two hosted ERs is a best practice for redundancy and smart routing.
- From your Network Dashboard page, navigate to Edge Routers.
- Under the Edge Routers tab, click on the + sign at the upper right to add an edge router.
- Give your edge router a name.
- Give your edge router a router attribute (optional). Router attributes are tags applied to a router. The same tag can be applied to other edge routers to form a group of NetFoundry-hosted Edge Routers.
- Select NetFoundry Hosted as the hosting type, and choose a data center region close to your cloud resources.
- Hit Create to commence the provisioning of your edge router.
- Once your edge router is registered, it starts accepting the fabric connections that private edge routers or endpoints initiate outbound to it.
To learn more about Edge Routers go to the Create and Manage Edge Routers article on the NetFoundry Support Hub.
2. Provision Customer-hosted Edge Routers (On-prem and Azure):
Customer self-hosted Edge Routers (CERs) act as egress routers that let endpoints and other CERs reach the services terminated on or behind the CER.
Create and Register Customer Edge Routers on prem and at Azure:
- From your Network Dashboard page, navigate to Edge Routers.
- Under the Edge Routers tab, click on the + sign at the upper-right to add an edge router.
- Give your edge router a name.
- Give your edge router a router attribute (optional). Router attributes are tags applied to a router. The same tag can be applied to other edge routers to form a collection of Customer-hosted Edge Routers. This attribute can be used for provisioning APPWANs.
- Select Customer Hosted as your hosting type.
- Hit Create to complete the process.
- A new customer-hosted edge router is created together with a registration key. This registration key is required to register the edge router to the network.
- Copy your edge router registration key. You may also save it as a JWT or a config file.
Create and Register CERs in a private cloud
Use the below deployment guides to provision a customer-hosted Edge Router into a branch office or a private cloud.
Create and Register CERs on AWS / Azure / OCI / any Public Cloud
Use the below deployment guides to provision a customer-hosted Edge Router into AWS / Azure / GCP / OCI.
3. Create a Service
The service definition specifies which device or devices provide access to the service, either on the device itself (a Zero Trust Client SDK application) or on the network connected to the device (via its LAN, for example). The service also defines how endpoints acting as clients access the service, and where the service is hosted.
In Azure, create a VM instance for a web server with HTTP access in the same VNet as the NetFoundry Edge Router, and note its internal IP address.
- From your Network Dashboard page, navigate to Services.
- Under the Services tab, click on the + sign at the upper right to add a service.
- Choose the type of your service. Clicking on Advanced Services allows you to create services with IP/Port ranges. Clicking on Simple Service allows you to create services with a specific IP/Port.
- Select Advanced Service as the service type and give the service a name. Give your service a service attribute (optional). Service Attributes are tags applied to a service. The same tag can be applied to other services to form a group of services.
- In the Client Intercept Configuration box, enter the hostname or IP address of the service as the intercept IP, and the port. If the service has no hostname you can create one; make sure you do not use a name that collides with a real public domain, e.g. web.com.
- Select the Protocol Type
- In the Destination/App Configuration box, select the router endpoint that hosts the service.
- Toggle Enable Source Transparency to Yes and enter the source IP addresses or CIDR ranges (here 192.168.158.0/24) of the devices that are allowed to access the service. Only traffic from these addresses is passed through with its original source IP.
- Hit Create to complete the process.
Run the command below on the egress ER to verify that source transparency is enabled. You will see the allowed prefix (192.168.158.0/24) added on the loopback interface of the egress edge router in Azure.
$ ip a
4. Create the AppWAN
The AppWAN defines the services that one or more client endpoints can access.
- From your Network Dashboard page, navigate to AppWANs.
- Under the AppWANs tab, click on the + sign at the upper right to add an AppWAN.
- Give your AppWAN a name.
- In the Service Attributes field, specify the services or service attributes associated with this AppWAN.
- In the Edge Router Attributes field, specify the edge routers or edge router attributes associated with this policy.
- In the Endpoint Attributes field, specify the endpoints or endpoint attributes associated with this policy.
- Hit Create to complete the process.
Note: An endpoint/service/edge router attribute selects all endpoints/services/edge routers carrying that attribute. The @ symbol refers to an individual endpoint/service/edge router, and the # symbol refers to a group of endpoints/services/edge routers that share an attribute.
For additional information or assistance please see our Support Hub article Create and Manage AppWANs.
5. Add routes where needed
Add a Reverse Route in the webserver
The return traffic from the web server must be routed to the egress Edge Router in Azure. Add a reverse route on the web server for the headquarters subnet, with the egress ER's private IP (10.80.2.5) as the gateway.
- Log in to the web server hosted in Azure
- To add a reverse route on the web server:
$ sudo ip r add 192.168.158.0/24 via 10.80.2.5
- To view the changes in the route table:
$ ip route
A route added with ip route does not survive a reboot; add it to the distribution's persistent network configuration as well (netplan, NetworkManager or the equivalent).
Add a Route entry in the Azure route table
Add a route in Azure for the headquarters subnet 192.168.158.0/24 pointing to the egress ER interface 10.80.2.5.
- Go to the Azure portal
- In the search bar, search for Route Tables
- Create a route table if you don't have one already
- Go to Routes in the route table and add a route: enter 192.168.158.0/24 under destination IP addresses/CIDR ranges, select Virtual appliance as the next hop type, and enter the egress router IP address 10.80.2.5
- Go to Subnets in the route table and associate the subnet that should use the route: click Associate and select the appropriate VNet and subnet
See the Azure documentation on managing route tables to learn more about Azure routes.
Enable IP forwarding in Azure
Enable IP forwarding on the Azure VM network interfaces of the egress ER and the web server. Without it, Azure drops packets a NIC receives for, or sends from, addresses that are not its own, which is exactly what the egress ER does for the HQ source addresses.
- Go to the virtual machine in the Azure portal
- Select Networking, open the attached network interface, and enable IP forwarding. Do this for both the web server and the egress ER hosted in Azure
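The same Azure-side plumbing (route table, user-defined route to the ER as a virtual appliance, subnet association and NIC IP forwarding) expressed as Azure CLI commands, so the steps are repeatable. This is an added example and not part of the NetFoundry guide, which uses the portal; the resource names (nf-demo-rg, nf-vnet, app-subnet, nf-hq-rt, egress-er-nic, webserver-nic) are assumptions, while the subnet 192.168.158.0/24 and next hop 10.80.2.5 come from the walkthrough. By default it only prints the commands; set DRY_RUN=0 with a logged-in az CLI to execute them.

```shell
#!/bin/sh
# nf-azure-plumbing.sh: the Azure-side steps of this section (route table,
# UDR, subnet association, NIC IP forwarding) as Azure CLI commands.
# Added example, not part of the NetFoundry guide, which uses the portal.
# Assumed resource names: resource group nf-demo-rg, VNet nf-vnet, subnet
# app-subnet, route table nf-hq-rt, NICs egress-er-nic and webserver-nic.
# The prefix and next hop come from the walkthrough. DRY_RUN=1 (default)
# only prints the commands; DRY_RUN=0 executes them with a logged-in az CLI.
RG="${RG:-nf-demo-rg}"
LOCATION="${LOCATION:-southindia}"
VNET="${VNET:-nf-vnet}"
SUBNET="${SUBNET:-app-subnet}"
RT="${RT:-nf-hq-rt}"
HQ_NET="${HQ_NET:-192.168.158.0/24}"
EGRESS_ER_IP="${EGRESS_ER_IP:-10.80.2.5}"
ER_NIC="${ER_NIC:-egress-er-nic}"
WEB_NIC="${WEB_NIC:-webserver-nic}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD... -> print the command in dry-run mode, otherwise execute it
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# check_prefix NET/LEN -> exit 1 for a default route or a malformed prefix.
# The guide warns against 0.0.0.0/0 in the allowed source addresses; the same
# prefix feeds this UDR, and a default route to the ER would also drag the
# subnet's internet traffic through it.
check_prefix() {
  case "$1" in
    0.0.0.0/*) echo "refusing default route $1" >&2; return 1 ;;
    */[0-9]|*/[12][0-9]|*/3[0-2]) return 0 ;;
    *) echo "bad prefix $1" >&2; return 1 ;;
  esac
}

create_route_table() {
  run az network route-table create --resource-group "$RG" \
    --name "$RT" --location "$LOCATION"
}

# add_hq_route -> UDR: HQ subnet -> next hop type VirtualAppliance at the ER
add_hq_route() {
  check_prefix "$HQ_NET" || return 1
  run az network route-table route create --resource-group "$RG" \
    --route-table-name "$RT" --name hq-via-egress-er \
    --address-prefix "$HQ_NET" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$EGRESS_ER_IP"
}

# associate_subnet -> the route only takes effect on subnets bound to the table
associate_subnet() {
  run az network vnet subnet update --resource-group "$RG" \
    --vnet-name "$VNET" --name "$SUBNET" --route-table "$RT"
}

# enable_ip_forwarding NIC -> let the NIC send/receive for addresses it does
# not own; required on the ER, and the guide enables it on the web server too
enable_ip_forwarding() {
  run az network nic update --resource-group "$RG" --name "$1" \
    --ip-forwarding true
}

main() {
  create_route_table && add_hq_route && associate_subnet &&
    enable_ip_forwarding "$ER_NIC" && enable_ip_forwarding "$WEB_NIC"
}

main
```

Run it once with the defaults to review the generated commands, then with DRY_RUN=0 against the subscription that holds the VNet. The prefix guard is the one check worth keeping even if you paste the commands by hand.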
Add a route on the source endpoint (if the ingress ER is not the endpoint's default gateway, or the endpoint is on a different subnet than the ingress ER)
Finish the configuration by adding a route on the source machine in the headquarters for the destination subnet (10.80.2.0/24) with the ingress ER (192.168.158.130) as the gateway.
- Open a command prompt as administrator
- To add a route on windows CMD:
>route -p ADD 10.80.2.0 MASK 255.255.255.0 192.168.158.130
- To verify the route table on CMD:
>route print
6. Watch source transparency in action - HTTP access to the Azure web server from HQ
The application or server is accessed via a private hostname or address that is not reachable from the internet. The application is therefore dark to the outside world and reachable only within the NetFoundry network.
To verify the source IP address at the destination server, capture the HTTP traffic on the web server. With source transparency working, the connections show the HQ client address (192.168.158.x) as the source; if you see the egress ER address 10.80.2.5 instead, the traffic is still being NATed.
$ sudo tcpdump -nni any port 80
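The checks scattered through this guide (the loopback entry on the egress ER from step 3, the reverse route and forwarding flag on the web server from step 5, and the tcpdump verification above) collected into one script. This is an added example, not NetFoundry tooling: it parses the output of ip a, ip route and tcpdump into pass/fail functions, using the walkthrough's values 192.168.158.0/24 and 10.80.2.5. The sample command outputs embedded in it are constructed so that it runs offline; pass --live to run the host checks on the real machine.

```shell
#!/bin/sh
# nf-srctrans-check.sh: post-configuration checks for the source transparency
# setup in this guide. Added example, not NetFoundry tooling. Assumed values
# come from the walkthrough: HQ subnet 192.168.158.0/24, egress ER 10.80.2.5.
HQ_NET="${HQ_NET:-192.168.158.0/24}"
EGRESS_ER="${EGRESS_ER:-10.80.2.5}"

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/LEN -> exit 0 when IP lies inside the prefix
in_cidr() {
  ip=$(ip4_to_int "$1")
  net=$(ip4_to_int "${2%/*}")
  mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# lo_has_net "$(ip a)" NET -> exit 0 when NET is configured on lo, which is
# what the egress ER shows once source transparency is enabled for NET
lo_has_net() {
  printf '%s\n' "$1" | awk -v net="$2" '
    /^[0-9]+: / { iface = $2; sub(":", "", iface) }
    $1 == "inet" && $2 == net && iface == "lo" { found = 1 }
    END { exit !found }'
}

# route_via "$(ip route)" NET GW -> exit 0 when the reverse route "NET via GW" exists
route_via() {
  printf '%s\n' "$1" | awk -v n="$2" -v g="$3" '
    $1 == n && $2 == "via" && $3 == g { found = 1 }
    END { exit !found }'
}

# forwarding_on VALUE -> exit 0 when net.ipv4.ip_forward is 1
forwarding_on() { [ "$1" = "1" ]; }

# client_src LINE -> print the source IP of a tcpdump -nn line such as
# "... IP 192.168.158.7.51234 > 10.80.2.10.80: Flags [S] ..."
client_src() {
  printf '%s\n' "$1" |
    awk '{ for (i = 2; i <= NF; i++) if ($i == ">") { print $(i - 1); exit } }' |
    sed 's/\.[0-9]*$//'
}

# transparent_ok LINE -> 0: source is an HQ address (transparency working)
#                        1: source is the egress ER address (traffic is NATed)
#                        2: source is something else (not IPv4, or not allowed)
transparent_ok() {
  src=$(client_src "$1")
  [ "$src" = "$EGRESS_ER" ] && return 1
  case "$src" in *.*.*.*) in_cidr "$src" "$HQ_NET" && return 0 ;; esac
  return 2
}

# Constructed sample outputs (not real captures) so the script runs offline.
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet 192.168.158.0/24 scope global lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 10.80.2.5/24 brd 10.80.2.255 scope global eth0'
SAMPLE_ROUTES='default via 10.80.2.1 dev eth0
10.80.2.0/24 dev eth0 proto kernel scope link src 10.80.2.10
192.168.158.0/24 via 10.80.2.5 dev eth0'
SAMPLE_PKT='12:00:01.000000 eth0 In  IP 192.168.158.7.51234 > 10.80.2.10.80: Flags [S], seq 1, win 64240, length 0'

# report FUNC ARGS... -> print PASS/FAIL with the function's exit code
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1 (rc=$?)"; fi; }

case "${1:-}" in
  --live)  # on the egress ER expect the lo entry; on the web server the route
    report lo_has_net "$(ip a)" "$HQ_NET"
    report route_via "$(ip route)" "$HQ_NET" "$EGRESS_ER"
    report forwarding_on "$(cat /proc/sys/net/ipv4/ip_forward)"
    ;;
  *)
    report lo_has_net "$SAMPLE_IP_A" "$HQ_NET"
    report route_via "$SAMPLE_ROUTES" "$HQ_NET" "$EGRESS_ER"
    report transparent_ok "$SAMPLE_PKT"
    ;;
esac
```

For the packet check, feed it lines from the capture in step 6, e.g. sudo tcpdump -nni any -l port 80 piped through a loop that calls transparent_ok on each line; a return code of 1 on every line means the egress ER is still NATing, which usually points at the allowed source addresses field not covering the client's subnet.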