Accessing entire domains within networks

Companies often run entire development and internal environments using assigned domains that are not publicly accessible due to security reasons. Creating routing resources for these environments can quickly become a problem for DevOps and Platform teams because development teams may issue requests for new resources frequently. Taking that with the fact that some resources won't be within the same network, this can become a challenge to manage.

NetBird can help you configure access to these resources by routing your traffic through a routing peer configured with Networks using Wildcard domain resources.

Example

In the following scenario, we will create a new development network and add a wildcard domain resource for the entire dev.example.com to be routed using Routing peers running in the network. All developers will be able to access the development environment using the Network configuration.

Pre-requisites

Configure Nameservers

In order for the the following steps to work, you need to configure Nameservers to resolve all domain queries in your NetBird account. See the Manage DNS in your network guide for more information.

Enable DNS wildcard routing

When you configure wildcard domains as resources, you need to enable DNS wildcard routing. Which has an additional effect in comparison to the previous DNS routes behavior from Network routes; it switches the DNS resolution to the routing peer instead of the local client system. This is also useful for regular DNS routes when you want to resolve the domain names using the routing peer's IP infrastructure, which will allow for more restricted access control rules in newer versions of the clients(1) and for the traffic to go to a near routing peer service.

(1) Support for more restricted rules will be available in future releases.

You can enable DNS resolution on the routing peer by accessing your account Settings > Networks > Enable DNS wildcard routing. See example below:

settings-acl

The Enable DNS wildcard routing is supported by routing peers and routing clients running version 0.35.0 or later. Once the feature is enabled, you may need to restart your routing peers and clients to apply the changes.

Create a Network

To create a Network, navigate to the Networks > Networks section in the NetBird dashboard:

new-net

Click on Add Network to follow a Wizard that will guide you through the steps to create a network and add resources to it.

First, we fill out the network Name and Description as shown in the image below and click Continue:

new-dev-net1

Add a routing peer

Next we are asked to add a routing peer to the network. Let's click on Add routing peer and select a node from that VPC:

new-wild-routing-peer-1

Click on Continue and then accept the defaults to add a routing peer by clicking on Add Routing Peer:

new-routing-peer-2

Add a resource

Following the guide, we are asked to add a new resource.

Click on Add Resource and enter the domain name of the Development domain in this case, *.dev.example.com:

new-wild-resource-1

We can also assign a group to this resource; in this example, we will assign the group development-domains to it. This way, we can create a policy that allows the development team to access the domains in the environment.

Add an access control policy

Next, in the guide, we will be asked to create an access control policy. Here, we will create a policy that allows access to the development-domains group of the *.dev.example.com resource to peers in the Developers group. They will be granted all traffic to domains in the development environment.

Click on Create Policy and fill out the fields as shown in the image below:

new-resource-acl-1

Click on Continue 2 times and then click on Add Policy to save the policy:

new-resource-acl-2

View the network

After completing the wizard, you will be able to see the network you just created in the Networks list:

view-wild-network-1

To access a detailed view of the network, click on the network name:

view-wild-network-2

You can edit or add more resources or routing peers to the network by clicking on the Edit buttons of each section in the detailed view.

Add a regular domain resource

A wildcard domain won't cover the entire domain by itself because the wildcard character * only covers subdomains after the .. If you need to cover the entire domain, you can additionally add a regular domain resource to the network.

This time, let's add a domain from the main Networks list view. Click on the Add Resource button:

view-wild-network-3

Then, enter the domain name of the Regular domain in this case, dev.example.com:

new-wild-resource-2

We can also assign the same group to this resource, allowing us to reuse the previous access control policy for the development-domains group.

With the steps above, we created resources that allow the development team to access the entire dev.example.com domain and the *.dev.example.com subdomains using the same policy.

Get started

Make sure to star us on GitHub
Follow us on Twitter
Join our Slack Channel
NetBird latest release on GitHub

Peers

Access Control

Networks (new)

Network Routes

DNS

Team

Activity

Settings

Integrations

Public API