Accessing entire domains within networks
Companies often operate internal environments using assigned domains that remain inaccessible to the public for security and compliance reasons. Creating routing resources for these environments can quickly become a problem for DevOps and Platform teams, especially as different stakeholders frequently request new resources. Moreover, when these resources span across different networks, managing them becomes even more challenging.
NetBird's Networks streamlines this process, allowing organizations to configure secure access to internal resources efficiently using Wildcard domain resources. This reduces the administrative burden on IT teams and enhances overall productivity.
Example Use Case Scenario
In this scenario, an AI software company needs secure access to its internal domains, encompassing both development and AI model training environments. This integration is vital for maintaining robust internal network security while ensuring seamless domain access across the entire network infrastructure.
Configuration Overview
-
Development Environment:
- Wildcard Domain:
*.dev.example.com
- Purpose: Provides developers with access to a shared workspace for code development, testing, and collaboration.
- Wildcard Domain:
-
AI Model Training Environment:
- Wildcard Domain:
*.ai.example.com
- Purpose: Houses sensitive AI models and datasets, requiring restricted access to ensure security and integrity.
- Wildcard Domain:
Implementation Steps
- Network Setup: Using NetBird's Networks you can configure a secure network that connects local and remote users to these internal environments through routing peers. This involves configuring wildcard domains for both environments to enable seamless access while accommodating future growth.
- Access Control: NetBird's Access Policies allows you to implement stringent policies that enforce zero trust principles, assigning different access permissions to developers and data scientists. For instance, you can grant developers access to
*.dev.example.com
, while data scientists gain access to*.ai.example.com
. This clear separation ensures that team members only access the resources essential to their roles, maintaining a robust security posture. - Operational Benefits: This configuration supports uninterrupted workflows, allowing developers and data scientists to work efficiently without connectivity issues. Furthermore, NetBird's centralized management of routing peers simplifies handling resources distributed across different networks, ensuring seamless connectivity and reducing complexity. Additionally, the process of creating new resources is streamlined, reducing administrative overhead and accelerating responses to frequent resource requests.
Pre-requisites
To effectively access entire domains within your internal networks using NetBird, ensure the following pre-requisites are met:
- NetBird Clients: Install NetBird clients on all devices used by developers and data scientists. This is essential to establish secure connectivity to your internal resources.
- Routing Peers: Configure NetBird routing peers within your network infrastructure using setup keys. Routing peers facilitate traffic routing across different network segments, ensuring seamless access to both internal domains.
- Nameserver Configuration: Ensure that your Nameservers are properly configured within your NetBird account to resolve all domain queries. This step is critical for enabling seamless domain name resolution across your network, facilitating efficient connectivity to both your development and AI model training environments. For detailed instructions, refer to the Manage DNS in Your Network.
Enabling DNS Wildcard Routing
Enabling DNS wildcard routing is crucial for handling sub-domain requests across your development and AI model training environments, ensuring seamless access for developers and data scientists to all necessary subdomains without requiring additional configuration.
Note that enabling DNS wildcard routing shifts the DNS resolution responsibility from the local client system to the routing peer. Compared to the previous behavior of DNS routes via network routes, this transition facilitates enhanced access control rules available in newer NetBird client versions and optimizes traffic management by directing queries to the nearest routing peer service. This setup simplifies the DNS management process and bolsters security and network efficiency.
(1) Support for more restricted rules will be available in future releases.
To enable DNS wildcard routing in your NetBird account, follow these steps:
- Navigate to
Settings
>Networks
within your NetBird account. Enable DNS wildcard routing
by toggling the appropriate setting. This will allow your network to resolve all subdomains under a specified domain.
The Enable DNS wildcard routing
is supported by routing peers and routing clients running version 0.35.0
or later.
Once the feature is enabled, you may need to restart your routing peers and clients to apply the changes.
Setting Up Developers' Network Environment
To create a network for the developer environment:
- Navigate to
Networks
>Networks
in NetBird's dashboard. - Click the
Add Network
button. - Give a descriptive name to the network, e.g.,
Development Network
. Optionally, add a description. - Click
Add Network
to continue.
Adding Routing Peers
Click Add Routing Peer
to make accessible the resources within this network to the developers.
You will see two tabs: Routing Peers
and Peer Group
.
- Select
Routing Peers
to add one peer at a time to the network. - Select
Peer Group
to enable high availability by adding multiple peers to the network. - Click
Continue
once ready.
In the Advanced Settings
tab:
- Set
Masquerade
if you want to access private networks without configuring local routers or other devices. - Set the
Metric
to prioritize routers, using lower values for higher priority peers. - When ready, click
Add Routing Peer
.
Adding a Wildcard Domain Resource
Click Add Resource
to create the wildcard domain resource.
- Give the resource a descriptive name, e.g.,
Development Wildcard Domain
- Enter the wildcard domain for this environment, e.g.,
*.dev.example.com
. - Under
Assigned Groups
, select or create a group, e.g.,Development Domain
. This group will be used to create an access policy to allow developers access to all subdomains ending with.dev.example.com
. - Click
Add Resource
when ready.
Creating an Access Policy
Click Create Policy
to grant developers access to *.dev.example.com
.
- Under
Protocol
, leaveALL
. - Under
Source
choose the group corresponding to developers, e.g.,Developers
. - The
Destination
is automatically set to the group you used when creating the resource, e.g.,Development Domain
.
- Click
Continue
to setPosture Checks
. This step is optional, meaning you can clickContinue
for this example. - Provide a descriptive name for the policy, e.g.,
Development Wildcard Domain Policy
. - Click
Add Policy
to finish.
Now that the development environment is set up, you can streamline the process of creating new resources using NetBird.
Adding a Regular Domain Resource
The wildcard domain you configured, *.dev.example.com
, only covers subdomains following the .
(dot). Therefore, you need to configure a primary domain alongside your wildcard domain within your network settings. This dual approach guarantees that all levels of your domain hierarchy are adequately resolved and accessible.
Suppose you want to create the regular domain dev.example.com
.
- Navigate to
Networks
>Development Network
and clickAdd Resource
.
- Provide an appropriate name for the resource, such as
Development Regular Domain
. - In the
Address
field, enter the regular domaindev.example.com
. - Under
Assigned Groups
select the same group used for the wildcard domain, e.g.,Development Domain
. - Click
Add Resource
to continue.
That's it! Since you used the group Development Domain
, NetBird will automatically configure for you routing peers and access policies, granting your developers the necessary access permissions.
You can confirm the configuration by listing the available networks using the command netbird networks ls
from any developer workstation. The output should resemble the following:
$ netbird networks ls
Available Networks:
- ID: Development Regular Domain
Domains: dev.example.com
Status: Selected
Resolved IPs:
[example.com]: 93.184.215.14, 2606:2800:21f:cb07:6820:80da:af6b:8b2c
- ID: Development Wildcard Domain
Domains: *.dev.example.com
Status: Selected
Resolved IPs: -
Creating AI Model Training Network
For our use case, data scientists operate from different network segments or diverse geographical locations. Using the same steps previously outlined, you can overcome the challenges associated with this scenario by creating a new network with its corresponding routing peers, resources, and access policies.
From the Networks
screen, click Add Network
to set up an appropriate network for your data scientists:
As with developers, you can configure a single routing peer or a group of routing peers for high availability:
You can also set up a wildcard domain resource for this environment:
And establish an access policy tailored to your data scientists:
You will need a regular domain, too; simply create the corresponding resource. The overview of your new network might resemble the following:
Need a new subdomain for testing the latest model? From NetBird's Networks screen, just click Add Resource
, name it, enter the desired subdomain, and assign it to the appropriate group for this environment:
In summary, you can easily add, remove, and edit network resources from the Networks dashboard.
With this setup, all members of the Data Scientists
group have access to ai.example.com
and its subdomains:
$ netbird networks ls
Available Networks:
- ID: AI Model Training Wildcard Domain
Domains: *.ai.example.com
Status: Selected
Resolved IPs: -
- ID: AI Regular Domain
Domains: ai.example.com
Status: Selected
Resolved IPs: -
- ID: DataSage Model
Domains: datasage.ai.example.com
Status: Selected
Resolved IPs: -
- ID: NeuroPulse Model
Domains: neuropulse.ai.example.com
Status: Selected
Resolved IPs: -
- ID: QuantumNet Model
Domains: quantumnet.ai.example.com
Status: Selected
Resolved IPs: -
However, using your newly acquired knowledge, you can create access policies for each subdomain or organize data scientists into teams with varied permissions. With NetBird, the possibilities are endless.