Manage network access
NetBird allows administrators to restrict access to resources (peers) by creating access rules and defining what peer groups are permitted to establish connections with one another. Rule can allow connections by specific protocol and ports.
A NetBird account comes with a
Default rule that allows all peers of the account to connect to each other by all protocols,
forming a full mesh network. In most cases, this is the desired state for a small network or network that has low-security requirements.
When you need to restrict access to certain resources that belong to specific users or services within your organization,
you can create rules that dictate who can access what.
Access control rules make use of groups to control connections between peers; these groups can be added as
Destination of a rule and will be evaluated when the Management service distributes the list of peers across your network.
A NetBird group works and follows a similar concept to tags in other platforms; they are easily created and can be associated with peers and used in rules to control traffic within your network.
Some characteristics of groups:
- They are unique.
- One group can have multiple peers.
- Peers can belong to multiple groups.
- Rules can have multiple groups in their
- They are created in the
- They can only be deleted via API.
- There is a default group called
All group is a default group to which every peer in your network is automatically added to. This group cannot be modified or deleted.
Rules are defined as sets of Source and Destination peer groups, which specify the allowable communication between them. Depending on the rule configuration, this communication can be either bidirectional or unidirectional. Rules are processed when the Management service distributes a network map to all peers of your account. Because you can only create ALLOW rules, there is no processing order or priority, so the decision to distribute peer information is based on its association with a group belonging to an existing rule.
Currently, the communication between lists of groups in source and destination lists of a rule for ALL and ICMP protocols, and for TCP and UDP when you don't define limitation by port, it is bidirectional, meaning that destinations can also initiate connections to a group of peers listed in the source field of the rule.
The behavior of a network without any rules is to deny traffic. No peers will be able to communicate with each other.
Default rule is created when you first create your account. This rule is very permissive because it allows communication between all peers in your network.
It uses the
All group as a source and destination. If you want to have better
control over your network, it is recommended that you delete this rule and create more restricted rules with custom groups.
As mentioned above, rules by default are bidirectional which is basically the control of how your network will behave as a mesh network. But for TCP and UDP protocols, if you define ports in the rule, rule can be unidirectional.
There is a
Default rule, which configures a Default mesh connection between all peers of your network. With rules,
you can define smaller mesh networks by grouping peers and adding these groups to
Also you can create unidierectional rules to restrict traffic between groups for TCP and UDP protocols if you define ports.
After accessing the
Access Control tab, you can click the
Add Rule button to create a new rule.
In the popup, specify a name for the rule, and define source and destination groups.
You can set traffic direction only when you choose TCP or UDP protocols.
If required, you can create new groups by entering new names in the input box for either source or destination lists.
Once you are done configuring the rule, click the
Create button to save it. You will then see your new rule in the table.
If you create a new group when defining a rule, you will need to add a peer to the group for the rule to take effect.
You can do it by accessing the
Peers tab and clicking the
Groups column of any peer you want to associate with the new group.
To update a rule, you can click on the rule's
Name or on either
Destinations columns. You could also click the menu
button of a rule and select
View. This will open the same screen where you can update rule groups, description, and status or change allowed
traffic direction and protocols with ports.
To disable a rule, use the switch in the
Enabled column of the table.
To delete a rule, click
Delete in the table. A confirmation window will pop up.