ZTNA :: Connecting the Digibee Pipeline to Private Services

Vinícius Christ
5 min read, Dec 8, 2023


Click here to read the Portuguese version

Summary

Introduction
What is Zero Trust?
VPN
Is there room for improvement?
Step-by-step Guide
Prerequisites
First Step: EC2 Instance
Network Settings
Key Configuration
Conclusion

Introduction

Hello, my name is Vinícius Christ, Solutions Architect at Digibee. I’d like to share with you my experience in simplifying the efforts required to establish connectivity between Digibee and our customers’ private networks.

At some point, you may have come across the need to connect two different networks securely over the internet. VPN probably came to mind, but have you considered ZTNA? I invite you to explore this article, in which I will demonstrate in practice how simple it is to establish such a connection securely in a few steps using Zero Trust Network Access (ZTNA).

What is Zero Trust?

The concept of Zero Trust represents a security approach that assumes that no user, application or device can be considered intrinsically trustworthy. Zero Trust aims to mitigate the risk of attacks by continuously verifying the authenticity of sessions and keeping access isolated.

We can compare ZTNA to security at the entrance to a company. Instead of simply opening the doors to anyone entering the building (network), ZTNA thoroughly checks the identity and authorization of each individual (device) before granting access. This is done by requesting credentials, verifying them and granting access only to those who have the necessary permissions.

VPN

Did you know that VPN was first used in 1996? Developed by Microsoft, this solution allowed remote and secure access to a company’s internal network via the Internet.

The purpose of a site-to-site VPN is to establish a secure connection between two different private networks via the Internet. This solution involves several configuration steps, requiring close collaboration and alignment between those responsible for the networks. During this process, it is essential to validate configurations and items such as:

  • Public IP on the Internet
  • Phase 1 and phase 2 tunnels
  • Definition of encryption, authentication and hashing algorithms
  • Network

After carrying out this procedure, assuming that everything went as expected, you now have a secure connection between two networks via the VPN. Perhaps a long troubleshooting session was required, and as a next step the teams still have to think about how to set up a redundant VPN.

Photo by Petter Lagson on Unsplash

Could it be better?

Moving from theory to reality: let’s not condemn the technology (VPN) that we work with today, but VPN is not always a happy path, and the effort expended is often immense. Is there a way to improve this situation? The answer is YES. That’s why Digibee has made access to ZTNA (Zero Trust Network Access) technology available to all customers at no extra cost.

ZTNA is a highly secure solution: it eliminates the need for any inbound rule on the network and does not require a public IP. Setting up the connection takes just a few steps. The Edge Router, installed inside the network, is responsible for establishing the outbound communication with the ZTNA solution. This eliminates inbound ports susceptible to attack and simplifies both the installation and the maintenance of connections.

“We have significantly reduced our VPN complexity and mitigated issues related to NAT and FTP with overlapping IPs. NetFoundry has allowed us to scale faster, safer, and more cost-effectively. CloudZiti’s zero trust provides secure provisioning, management, and networking into our solutions as pure software.”

- Rodrigo Bernardinelli, CEO & Co-Founder, Digibee.
Source: https://netfoundry.io/zero-trust/NF-DigibeeCS.pdf

Step-by-step Guide

From this point on, I’ll demonstrate how to configure the ZTNA edge router in practice on an EC2 instance on AWS and establish connectivity from your Digibee pipeline to the services on your AWS private network.

Prerequisites

  • Realm on the Digibee platform.
  • Registration Key: Key provided by the Digibee team for each Edge Router.
  • Cloud AWS environment.

First step: EC2 instance

When creating the instance, search the AWS Marketplace for NetFoundry.

Select the size of your EC2 instance, with the option of starting with a small instance and resizing as necessary.

Network Settings

Outbound rules: only if you intend to restrict outbound traffic to the Internet do you need to add exceptions for the following ports:

  • 80/TCP
  • 443/TCP
  • 6262/TCP

Inbound rules: No rules need to be specified.
Public IP address: No public IP is required for the instance.
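To check that a launched edge router actually matches the settings above (no inbound rules, outbound limited to 80/443/6262 TCP, no public IP), here is an added audit script; it is not part of the original article or of NetFoundry’s tooling. It takes dicts in the shape of boto3’s describe_security_groups / describe_instances responses, and the sample data embedded at the bottom is constructed, not captured from a real account.

```python
"""Audit an edge-router EC2 instance against the network settings above: no
inbound rules, outbound limited to 80/443/6262 TCP, and no public IP.  Inputs
follow the dict shape of boto3's describe_security_groups / describe_instances
responses; the sample data at the bottom is constructed, not from a real account."""

REQUIRED_EGRESS = {80, 443, 6262}  # TCP ports the edge router needs outbound

def egress_ports(group):
    """Return the set of TCP ports a security group allows outbound.
    An IpProtocol of '-1' is 'all traffic', reported as {'any'}."""
    ports = set()
    for perm in group.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "-1":
            return {"any"}
        if perm.get("IpProtocol") == "tcp":
            ports.update(range(perm["FromPort"], perm["ToPort"] + 1))
    return ports

def audit_edge_router(group, instance):
    """Return a list of findings; an empty list means the posture matches."""
    findings = []
    if group.get("IpPermissions"):
        findings.append("inbound rules present; the edge router needs none")
    ports = egress_ports(group)
    missing = REQUIRED_EGRESS - ports
    extra = ports - REQUIRED_EGRESS
    if "any" in ports:
        findings.append("egress allows all traffic; restrict to 80/443/6262 TCP")
    elif missing:
        findings.append(f"egress is missing TCP ports {sorted(missing)}")
    elif extra:
        findings.append(f"egress allows extra TCP ports {sorted(extra)[:5]}")
    if instance.get("PublicIpAddress"):
        findings.append("instance has a public IP; none is required")
    return findings

# Constructed samples: one group/instance pair matching the article, one that does not.
GOOD_GROUP = {"IpPermissions": [], "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": p, "ToPort": p, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    for p in (80, 443, 6262)]}
LOOSE_GROUP = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
               "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
PRIVATE_INSTANCE = {"InstanceId": "i-0edgerouter", "PrivateIpAddress": "10.0.1.25"}
PUBLIC_INSTANCE = dict(PRIVATE_INSTANCE, PublicIpAddress="203.0.113.10")

if __name__ == "__main__":
    print("good :", audit_edge_router(GOOD_GROUP, PRIVATE_INSTANCE) or "ok")
    print("loose:", audit_edge_router(LOOSE_GROUP, PUBLIC_INSTANCE))
```

In a real account you would feed it the output of `describe_security_groups` for the instance’s group and `describe_instances` for the instance itself.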

Key configuration

In the advanced settings, fill in the user data field with the script below, replacing {key} with the registration key provided by Digibee:

#!/bin/bash
# Register this edge router with the NetFoundry network using the key supplied by Digibee
/opt/netfoundry/router-registration {key}

That’s it, just finish creating the instance and the edge router will be configured.

Next steps

  • Ensure that the edge router can reach your internal services. For troubleshooting, access the EC2 instance via SSH as the ziggy user and run a telnet test against those services.
  • Request the mapping of all the hostnames and ports you would like to access via the Digibee pipeline.
  • Test your endpoints via the Digibee Pipeline, using the same hostname and port as your network, no NAT required.

Conclusion

In this article, we learned how the ZTNA solution works, the security mechanisms, and the simplicity of configuration to enable the Digibee Pipeline connection to your private services, providing a more fluid and secure experience.

Digibee’s commitment to making ZTNA technology available in an affordable way highlights its commitment to offering modern solutions that optimize the customer experience.

Would you like to know more about ZTNA? Click here and here.
