Accessing entire domains within networks

Companies often operate internal environments using assigned domains that remain inaccessible to the public for security and compliance reasons. Creating routing resources for these environments can quickly become a problem for DevOps and Platform teams, especially as different stakeholders frequently request new resources. Moreover, when these resources span across different networks, managing them becomes even more challenging.

NetBird's Networks streamlines this process, allowing organizations to configure secure access to internal resources efficiently using Wildcard domain resources. This reduces the administrative burden on IT teams and enhances overall productivity.

Example Use Case Scenario

In this scenario, an AI software company needs secure access to its internal domains, encompassing both development and AI model training environments. This integration is vital for maintaining robust internal network security while ensuring seamless domain access across the entire network infrastructure.

Configuration Overview

  1. Development Environment:

    • Wildcard Domain: *.dev.example.com
    • Purpose: Provides developers with access to a shared workspace for code development, testing, and collaboration.
  2. AI Model Training Environment:

    • Wildcard Domain: *.ai.example.com
    • Purpose: Houses sensitive AI models and datasets, requiring restricted access to ensure security and integrity.

Implementation Steps

  • Network Setup: Using NetBird's Networks you can configure a secure network that connects local and remote users to these internal environments through routing peers. This involves configuring wildcard domains for both environments to enable seamless access while accommodating future growth.
  • Access Control: NetBird's Access Policies allows you to implement stringent policies that enforce zero trust principles, assigning different access permissions to developers and data scientists. For instance, you can grant developers access to *.dev.example.com, while data scientists gain access to *.ai.example.com. This clear separation ensures that team members only access the resources essential to their roles, maintaining a robust security posture.
  • Operational Benefits: This configuration supports uninterrupted workflows, allowing developers and data scientists to work efficiently without connectivity issues. Furthermore, NetBird's centralized management of routing peers simplifies handling resources distributed across different networks, ensuring seamless connectivity and reducing complexity. Additionally, the process of creating new resources is streamlined, reducing administrative overhead and accelerating responses to frequent resource requests.

Pre-requisites

To effectively access entire domains within your internal networks using NetBird, ensure the following pre-requisites are met:

  • NetBird Clients: Install NetBird clients on all devices used by developers and data scientists. This is essential to establish secure connectivity to your internal resources.
  • Routing Peers: Configure NetBird routing peers within your network infrastructure using setup keys. Routing peers facilitate traffic routing across different network segments, ensuring seamless access to both internal domains.
  • Nameserver Configuration: Ensure that your Nameservers are properly configured within your NetBird account to resolve all domain queries. This step is critical for enabling seamless domain name resolution across your network, facilitating efficient connectivity to both your development and AI model training environments. For detailed instructions, refer to the Manage DNS in Your Network.

Enabling DNS Wildcard Routing

Enabling DNS wildcard routing is crucial for handling sub-domain requests across your development and AI model training environments, ensuring seamless access for developers and data scientists to all necessary subdomains without requiring additional configuration.

Note that enabling DNS wildcard routing shifts the DNS resolution responsibility from the local client system to the routing peer. Compared to the previous behavior of DNS routes via network routes, this transition facilitates enhanced access control rules available in newer NetBird client versions and optimizes traffic management by directing queries to the nearest routing peer service. This setup simplifies the DNS management process and bolsters security and network efficiency.

To enable DNS wildcard routing in your NetBird account, follow these steps:

  • Navigate to Settings > Networks within your NetBird account.
  • Enable DNS wildcard routing by toggling the appropriate setting. This will allow your network to resolve all subdomains under a specified domain.

Enabling DNS wildcard routing

Setting Up Developers' Network Environment

To create a network for the developer environment:

  • Navigate to Networks > Networks in NetBird's dashboard.
  • Click the Add Network button.
  • Give a descriptive name to the network, e.g., Development Network. Optionally, add a description.
  • Click Add Network to continue.

Creating Developers Domain Network

Adding Routing Peers

Click Add Routing Peer to make accessible the resources within this network to the developers.

Add Routing Peers Window

You will see two tabs: Routing Peers and Peer Group.

  • Select Routing Peers to add one peer at a time to the network.
  • Select Peer Group to enable high availability by adding multiple peers to the network.
  • Click Continue once ready.

Local Routing Peers

In the Advanced Settings tab:

  • Set Masquerade if you want to access private networks without configuring local routers or other devices.
  • Set the Metric to prioritize routers, using lower values for higher priority peers.
  • When ready, click Add Routing Peer.

Masquerade and Metric

Adding a Wildcard Domain Resource

Click Add Resource to create the wildcard domain resource.

Add Domain Resource

  • Give the resource a descriptive name, e.g., Development Wildcard Domain
  • Enter the wildcard domain for this environment, e.g., *.dev.example.com.
  • Under Assigned Groups, select or create a group, e.g., Development Domain. This group will be used to create an access policy to allow developers access to all subdomains ending with .dev.example.com.
  • Click Add Resource when ready.

Add Accounting Website Restricted Subdomain Resource

Creating an Access Policy

Click Create Policy to grant developers access to *.dev.example.com.

Add Policy

  • Under Protocol, leave ALL.
  • Under Source choose the group corresponding to developers, e.g., Developers.
  • The Destination is automatically set to the group you used when creating the resource, e.g., Development Domain.

Developers Policy

  • Click Continue to set Posture Checks. This step is optional, meaning you can click Continue for this example.
  • Provide a descriptive name for the policy, e.g., Development Wildcard Domain Policy.
  • Click Add Policy to finish.

Developers Policy Name

Now that the development environment is set up, you can streamline the process of creating new resources using NetBird.

Adding a Regular Domain Resource

The wildcard domain you configured, *.dev.example.com, only covers subdomains following the . (dot). Therefore, you need to configure a primary domain alongside your wildcard domain within your network settings. This dual approach guarantees that all levels of your domain hierarchy are adequately resolved and accessible.

Suppose you want to create the regular domain dev.example.com.

  • Navigate to Networks > Development Network and click Add Resource.

Development Network

  • Provide an appropriate name for the resource, such as Development Regular Domain.
  • In the Address field, enter the regular domain dev.example.com.
  • Under Assigned Groups select the same group used for the wildcard domain, e.g., Development Domain.
  • Click Add Resource to continue.

Regular Domain Resource

That's it! Since you used the group Development Domain, NetBird will automatically configure for you routing peers and access policies, granting your developers the necessary access permissions.

Development Network Resources

You can confirm the configuration by listing the available networks using the command netbird networks ls from any developer workstation. The output should resemble the following:

$ netbird networks ls
Available Networks:

  - ID: Development Regular Domain
    Domains: dev.example.com
    Status: Selected
    Resolved IPs:
      [example.com]: 93.184.215.14, 2606:2800:21f:cb07:6820:80da:af6b:8b2c

  - ID: Development Wildcard Domain
    Domains: *.dev.example.com
    Status: Selected
    Resolved IPs: -

Creating AI Model Training Network

For our use case, data scientists operate from different network segments or diverse geographical locations. Using the same steps previously outlined, you can overcome the challenges associated with this scenario by creating a new network with its corresponding routing peers, resources, and access policies.

From the Networks screen, click Add Network to set up an appropriate network for your data scientists:

AI Network

As with developers, you can configure a single routing peer or a group of routing peers for high availability:

AI Routing Peers

You can also set up a wildcard domain resource for this environment:

AI Wildcard Domain Resource

And establish an access policy tailored to your data scientists:

AI Team Access Policy

You will need a regular domain, too; simply create the corresponding resource. The overview of your new network might resemble the following:

AI Network

Need a new subdomain for testing the latest model? From NetBird's Networks screen, just click Add Resource, name it, enter the desired subdomain, and assign it to the appropriate group for this environment:

New AI Model Resource

In summary, you can easily add, remove, and edit network resources from the Networks dashboard.

AI Training Model Network

With this setup, all members of the Data Scientists group have access to ai.example.com and its subdomains:

$ netbird networks ls
Available Networks:

  - ID: AI Model Training Wildcard Domain
    Domains: *.ai.example.com
    Status: Selected
    Resolved IPs: -

  - ID: AI Regular Domain
    Domains: ai.example.com
    Status: Selected
    Resolved IPs: -

  - ID: DataSage Model
    Domains: datasage.ai.example.com
    Status: Selected
    Resolved IPs: -

  - ID: NeuroPulse Model
    Domains: neuropulse.ai.example.com
    Status: Selected
    Resolved IPs: -

  - ID: QuantumNet Model
    Domains: quantumnet.ai.example.com
    Status: Selected
    Resolved IPs: -

However, using your newly acquired knowledge, you can create access policies for each subdomain or organize data scientists into teams with varied permissions. With NetBird, the possibilities are endless.