Add a Network for secure internet access
The Network Wizard provides a convenient way to configure a CloudConnexa Network, representing the physical network you intend to connect to CloudConnexa. Here, the wizard is used to configure a secure Internet network scenario.
On completion of the Network Wizard steps, a CloudConnexa Network is added.
The configuration wizard will guide you to configure this network as an Internet Gateway for all internet traffic entering your WPC. The Internet Access settings for entities that need to channel all their internet traffic to CloudConnexa will be set to 'Split tunnel OFF,' and the network that is being configured will be set as an Internet Gateway to provide a default route for your WPC to handle the incoming internet traffic.
Note
If you want to secure just the traffic to specific internet destinations and not all internet traffic, refer to Add a Network for secure internet access to select internet destinations.
Add a network for secure internet access using the Network Configuration Wizard
To use the Network Wizard to connect a physical network that you want to use for secure internet access as an Internet Gateway, follow the steps below:
Navigate to Networks > Networks.
Click Add Network.
Select the Secure Internet Access network scenario from the three choices: Remote Access, Site-to-site, and Secure Internet Access.
Note
Multiple scenarios can be chosen as the same network can be used for multiple kinds of access.
Click Continue. The configuration wizard can be skipped by clicking Skip Wizard.
The Network Configuration wizard is displayed with a progress bar on the right that leads you through six steps:
Define Network
Deploy Network Connector
Configure Internet Access
Add Application
Add Routes and IP Services
Configure Access Group (Optional)
Define Network
Enter a Network Name.
(Optional) Enter a Description.
Choose either OpenVPN or IPsec as the tunneling protocol from the Connector Tunneling Protocol.
Note
The chosen protocol will apply to all the Connectors for this Network. A Network cannot have a mix of Connectors with both protocols.
In the Connector section, edit the default Name and Region if needed and optionally add a description.
Click Add Additional Connector to configure more Connectors.
Click Next to move to the next step of the Wizard.
Deploy OpenVPN Network Connector
If the OpenVPN tunneling protocol was chosen in the earlier step, follow the steps below:
Select the Operating System, Virtual Private Server (VPS) provider, OpenVPN-compatible router, or the IaaS provider where you will install the Connector from the Provider Type drop-down menu. Refer to About Connectors and About Network Connectors.
Follow the displayed steps to install the Connector.
Click Next to move to the next step of the Wizard.
A test is run to check if the Connector is online. Click Next if it passes. If it fails, click Back to Instructions to see the installation steps or click Proceed Without Testing to continue with the configuration.
Note
If multiple Connectors were added in the Define Network section, the deploy Connector steps will repeat for the additional Connectors.
Deploy IPsec Network Connector
If the IPsec tunneling protocol was chosen, follow the steps below:
Select the IPsec-compatible router or IaaS provider for the IPsec connection from the Platform to Connect drop-down menu. Refer to About Connectors and About Network Connectors.
Follow the displayed steps and provide the needed configuration information.
Test the connectivity and view logs if needed.
Click Next to move to the next step of the Wizard.
Note
If multiple Connectors were added in the Define Network section, the deploy Connector steps will repeat for the additional Connectors.
Configure Internet Access
To use this network as an Internet Gateway for all internet traffic entering your WPC, two things need to happen: the Internet Access setting for each entity that needs to channel all its internet traffic to CloudConnexa must be set to 'Split tunnel OFF', and the network being configured must be set as an Internet Gateway so that it provides the default route for your WPC for the incoming internet traffic.
The Configure Internet Access section allows you to do both by following the steps below:
Click the All Internet Traffic tab (default).
From the provided list of User Groups, Networks, and Hosts, select the ones for which internet traffic needs to be routed to CloudConnexa.
Click Next.
Note
If there are multiple Networks configured as Internet Gateways, Internet Access settings can be used to constrain the choice of Internet Gateways. Refer to Constrain the choice of Internet Gateways for User Groups, Networks, and Hosts.
Add Application (Optional)
In addition to acting as an Internet Gateway, if this Network will provide access to any applications, you must add Applications. Applications that are reachable by this network are identified by their domain names and act as routes to this network. Refer to About Network Applications.
Click Next to skip adding an Application, or click Add Application and continue.
Provide a Name for the Application.
Add an optional Description.
Change All for Application Type (Network protocols) to select the specific application protocols to permit while restricting all others.
Provide a domain name for the Application in the Domain field.
Enable Allow Embedded IP if you will use the above domain to create domain names with IP addresses.
Embedded IP enables you to embed an IP address in a domain name as a dash-separated prefix label and resolve such names without adding a DNS record. This is useful for IoT networks. For example, ssh root@192-168-1-1.server.example.com can be used to SSH into the computer with a private IP address of 192.168.1.1 on the Network that has the domain name server.example.com configured as an Application with Allow Embedded IP ON.
Additional Domain names, each with its own Allow Embedded IP setting, can be added as desired. For example, for a web application you could add two domain names: cnn.com and www.cnn.com.
Click Add Application.
The newly added Application will be listed. Click Add Application to add additional Applications.
Click Next to move to the next step of the Wizard.
Note
The Applications added can represent private applications or internet applications reachable from this Network.
Set DNS Records in CloudConnexa or in your Private DNS Server for private applications.
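As an added illustration of the Embedded IP naming scheme described above (example code written for this page, not CloudConnexa's own resolver), the following Python function shows how a hostname such as 192-168-1-1.server.example.com is mapped back to 192.168.1.1 only when its parent domain is an Application with Allow Embedded IP ON. The Application table and the rule that the parent domain must match exactly are assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample Application configuration (not CloudConnexa's data model):
# Application domain -> whether "Allow Embedded IP" is ON for that Application.
APPLICATIONS: Dict[str, bool] = {
    "server.example.com": True,     # IoT network, embedded IP allowed
    "intranet.example.com": False,  # plain domain, embedded IP not allowed
}

# Leading label must be exactly four dash-separated numeric octets (a-b-c-d).
EMBEDDED_LABEL = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")


def resolve_embedded_ip(hostname: str,
                        applications: Dict[str, bool] = APPLICATIONS) -> Optional[str]:
    """Return the IPv4 address embedded in *hostname*, or None.

    A name resolves only if (1) its parent domain is a configured Application,
    (2) that Application has Allow Embedded IP ON, and (3) the leading label is
    four dash-separated octets forming a valid IPv4 address. Anything else
    returns None so that ordinary DNS resolution can take over.
    """
    hostname = hostname.rstrip(".").lower()
    label, _, parent = hostname.partition(".")
    if not parent or not applications.get(parent, False):
        return None  # unknown domain, or Allow Embedded IP is OFF for it
    match = EMBEDDED_LABEL.match(label)
    if match is None:
        return None  # leading label is not a dashed IPv4 address
    candidate = ".".join(match.groups())
    try:
        # IPv4Address validates the octet range (e.g. rejects 300).
        return str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        return None


if __name__ == "__main__":
    for name in ("192-168-1-1.server.example.com",
                 "192-168-1-1.intranet.example.com",
                 "www.server.example.com"):
        print(f"{name:40} -> {resolve_embedded_ip(name)}")
```

A name whose leading label is not four dash-separated octets, or whose parent domain does not have Allow Embedded IP ON, falls through to None; that is the case where a DNS record in CloudConnexa or your private DNS server is needed instead.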
Add Routes and IP Services (Optional)
In addition to acting as an Internet Gateway, if this Network will provide access to any applications using IP addresses, you must add Routes. Routes define public and private IP address subnets that will be routed to this Network. Routes are pushed to the routing table of clients so that they can access IP Services.
It is recommended to use Applications whenever possible instead of Routes because with Applications, you can:
Hide the routes to your private networks, even from clients connected to CloudConnexa
Hide the IP address of the actual application server because the client receives an intermediary IP address from the WPC domain routing range.
Reduce the possibility of lateral movement because private network routes are not exposed.
Enforce least privilege policies and use zero trust principles, as all Applications need to be identified.
Click Next to skip adding a Route and IP Service, or click Add Route and continue.
Provide the IP Address or Subnet for the Route.
Add an optional Description.
Click Add Route.
The newly added Route will be listed. Click Add Route to add additional Routes.
Specific IP address ranges that are present in the Route subnets can be configured as IP services. You would want to configure IP Services to:
Designate an IP address range as a source of traffic to be used later in Access Groups.
Restrict the protocols that will be used to access the service.
Define who can access the IP service using Access Groups.
Easily identify the traffic destined to the IP service by using a named IP Service when viewing statistics in Access Visibility.
Note
Ensure that a Route has been configured before adding an IP Service.
Click Add IP Service.
Provide a Name for the IP Service.
Add an optional Description.
Change All for Service Type (Network protocols) to select specific application protocols to permit while restricting all others.
Toggle Use as Source if you want to use the IP address or subnets you will provide as a traffic source as well as a traffic destination. For example, toggle it ON if the IP Service is a software update application and you want to use Access Groups to restrict which destination subnets that application can communicate with.
Add one or more IP Addresses or Subnets that are already part of a configured Route.
Click Add IP Service.
The newly added IP Service will be listed. Click Add IP Service to add additional IP Services.
Click Next to move to the next step of the Wizard.
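The two constraints in this section, that a Route must exist before an IP Service is added and that every IP Service address or subnet must already lie inside a configured Route, can be checked mechanically before the configuration is submitted. The following Python snippet is an added example for this page, not CloudConnexa tooling; the Route and IP Service values are constructed placeholders. The second function mirrors the page's later statement that, when the wizard is skipped, the IP Service subnets are added automatically as Routes for the Network.

```python
import ipaddress
from typing import Dict, List

# Constructed sample Network configuration (placeholders, not real data).
ROUTES: List[str] = ["10.20.0.0/16", "192.168.50.0/24"]

IP_SERVICES: Dict[str, List[str]] = {
    "update-server": ["10.20.5.10/32"],    # inside 10.20.0.0/16
    "lab-subnet":    ["192.168.50.0/25"],  # inside 192.168.50.0/24
    "stray-service": ["172.16.9.0/24"],    # no configured Route covers it
}


def uncovered_ip_services(routes: List[str],
                          services: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {service name: [subnets]} for every IP Service subnet that is not
    contained in at least one configured Route. An empty dict means the
    wizard's precondition (IP Services live inside Routes) is satisfied."""
    nets = [ipaddress.ip_network(r, strict=False) for r in routes]
    problems: Dict[str, List[str]] = {}
    for name, subnets in services.items():
        for s in subnets:
            target = ipaddress.ip_network(s, strict=False)
            # subnet_of() raises on mixed IP versions, so compare versions first.
            covered = any(target.version == n.version and target.subnet_of(n)
                          for n in nets)
            if not covered:
                problems.setdefault(name, []).append(s)
    return problems


def routes_from_ip_services(services: Dict[str, List[str]]) -> List[str]:
    """Model the skip-wizard behaviour: the IP Service subnets themselves become
    the Network's Routes. Overlapping prefixes are collapsed per IP version."""
    nets = [ipaddress.ip_network(s, strict=False)
            for subnets in services.values() for s in subnets]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


if __name__ == "__main__":
    print("IP Services outside any Route:", uncovered_ip_services(ROUTES, IP_SERVICES))
    print("Routes derived from IP Services:", routes_from_ip_services(IP_SERVICES))
```

Run the containment check against your planned Routes before clicking Add IP Service; any service it reports needs either a covering Route added first or its address corrected.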
Configure Access Group (Optional)
Refer to About Access Groups.
Note
For Access Groups to take effect, the Topology of the WPC must be set to Custom. Refer to Set WPC Topology to control the applicability of access control.
Click Finish to conclude the configuration wizard, or click Add Access Group and continue.
Provide a Name and, optionally, a Description.
Expand/Collapse and search the Hosts, Networks, and User Groups sections in the Source column to find the entity that you want to give access to.
Click on the check boxes of the source entities to select.
Expand/Collapse and search the Hosts, Networks, and User Groups sections in the Destination column to find the resources to which you want access granted. You will see an Applications shared with you section as a Destination if you have accepted access to shared applications using AppHub. Refer to Access control.
Click on the check boxes of destination resources to select.
Click Add Access Group.
The newly added Access Group will be listed. Click Add Access Group to add additional Access Groups.
Click Finish to complete the configuration wizard.
You will see a detailed view of the newly configured Network. Refer to View, make changes, and delete a Network.
Warning
After adding an Access Group, delete the Default Full Mesh Access Group if it exists. The continued presence of the Default Full Mesh Access Group will make other Access Groups ineffective.
Skip Wizard to add Network
When the Network configuration wizard is skipped, instead of a step-by-step wizard, a form-based entry is provided that collects the information needed for the sections below:
Define Network
Add Application
Add Routes and IP Services
The Network Details section has the Internet Access configuration and the Internet Gateway setting.
Toggle Internet Gateway to ON because this Network will be used as the exit point for internet traffic to provide secure internet access to other connected clients. After Network configuration, go to Access > Internet to change the 'Internet Access' settings for the applicable User Groups, Hosts, and Networks to 'Split Tunnel Off' to channel their internet traffic to CloudConnexa.
The IP Services section does not contain the Route field because the IP subnets used in the IP Service configuration are automatically added as a Route for the Network.
Click Add Network to submit the configuration, and you will see a detailed view of the newly configured Network. Refer to View, make changes, and delete a Network.
The Connector needs to be deployed after the Network has been added. Refer to Deploy a Network OpenVPN Connector for a configured Network. Any needed Access Groups also need to be added separately. Refer to About Access Groups.