
Add a Network for site-to-site connectivity

Abstract

The Network Wizard provides a convenient way to configure a CloudConnexa Network, representing the physical network you intend to connect to CloudConnexa. Here, the wizard is used to configure site-to-site network access.

On completion of the Network Wizard steps, a CloudConnexa Network is added.

The Network Wizard guides you in setting up a single Network and provides you with the information needed to set up static routes in your network's gateway router to enable communication between the devices connected to your networks at various sites.

Note

You must run this wizard once for every network you want to add to your site-to-site network, and add the static routes in each network's gateway router.

Add a network for site-to-site networking using the Network Configuration Wizard

To use the Network Wizard to connect a physical network that you want to use for site-to-site networking, follow the steps below:

  1. Navigate to Networks > Networks.

  2. Click Add Network.

  3. Select the Site-to-site network scenario from the three choices: Remote Access, Site-to-site, and Secure Internet Access.

    Note

    Multiple scenarios can be chosen as the same network can be used for multiple kinds of access.

  4. Click Continue. The configuration wizard can be skipped by clicking Skip Wizard.

  5. The Network Configuration wizard is displayed with a progress bar on the right that leads you through six steps:

    1. Define Network

    2. Deploy Network Connector

    3. Configure Routing

    4. Add Application

    5. Add Routes and IP Services

    6. Configure Access Group (Optional)

Define Network

  1. Enter a Network Name.

  2. (Optional) Enter a Description.

  3. Choose either OpenVPN or IPsec as the tunneling protocol from the Connector Tunneling Protocol.

    Note

    The chosen protocol will apply to all the Connectors for this Network. A Network cannot have a mix of Connectors with both protocols.

  4. In the Connector section, edit the default Name and Region if needed and optionally add a description.

  5. Click Add Additional Connector to configure more Connectors.

  6. Click Next to move to the next step of the Wizard.

Deploy OpenVPN Network Connector

If the OpenVPN tunneling protocol was chosen in the earlier step, follow the steps below:

  1. Select the Operating System, Virtual Private Server (VPS) provider, OpenVPN-compatible router, or the IaaS provider where you will install the Connector from the Provider Type drop-down menu. Refer to About Connectors and About Network Connectors.

  2. Follow the displayed steps to install the Connector.

  3. Click Next to move to the next step of the Wizard.

  4. A test is run to check if the Connector is online. Click Next if it passes. If it fails, click Back to Instructions to see the installation steps or click Proceed Without Testing to continue with the configuration.

    Note

    If multiple Connectors were added in the Define Network section, the deploy Connector steps will repeat for the additional Connectors.

Deploy IPsec Network Connector

If the IPsec tunneling protocol was chosen, follow the steps below:

  1. Select the IPsec-compatible router or an IaaS provider for the IPsec connection from the Platform to Connect drop-down menu. Refer to About Connectors and About Network Connectors.

  2. Follow the displayed steps and provide the needed configuration information.

  3. Test the connectivity and view logs if needed.

  4. Click Next to move to the next step of the Wizard.

    Note

    If multiple Connectors were added in the Define Network section, the deploy Connector steps will repeat for the additional Connectors.

Configure Routing

When you connect a site's network to WPC, you must ensure devices connected to that site's network are able to route traffic to other sites and remote users. This can be achieved by adding static routes to that network's gateway router.

The static routes need to provide the Connector as the next hop for IP address destinations that match WPC Subnets and Subnets of networks at other sites.

The list of routes that should be configured with the private IP address of the Connector as the target is:

Note

After adding the networks in all your sites, each site's gateway router should have static routes to account for the Routes configured for all the other network sites, and the WPC and domain routing subnets.

Add Application

Applications that are reachable by this network are identified by their domain names and act as routes to this network. Refer to About Network Applications.

Note

Either an Application or a Route and IP Service must be added.

  1. Click Next to skip adding an Application, or click Add Application and continue.

  2. Provide a Name for the Application.

  3. Add an optional Description.

  4. Change All under Application Type (Network protocols) to select the specific application protocols to permit while restricting all others.

  5. Provide a domain name for the Application in the Domain field.

  6. Enable Allow Embedded IP if you will use the above domain to create domain names with IP addresses.

    Embedded IP enables you to append an IP address to a domain and resolve such domains without adding a DNS record. This is useful for IoT networks. For example, ssh root@192-168-1-1.server.example.com can be used to SSH into the computer with a private IP address of 192.168.1.1 on the Network that has the domain name of server.example.com configured as an Application with Allow Embedded IP ON.

  7. Additional Domain names with the corresponding Allow Embedded IP setting can be added as desired. For example, for a web application, you could add two domain names: cnn.com and www.cnn.com.

  8. Click Add Application.

    The newly added Application will be listed. Click Add Application to add additional Applications.

  9. Click Next to move to the next step of the Wizard.

Note

The Applications added can represent private applications or internet applications reachable from this Network.

Set DNS Records in CloudConnexa or in your Private DNS Server for private applications.
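The Embedded IP naming convention described in step 6 is simple enough to check locally. The following added example (not CloudConnexa's resolver) parses names of the form 192-168-1-1.server.example.com, resolves the embedded IPv4 address only when the parent domain is a configured Application with Allow Embedded IP ON, and rejects malformed octets. The optional `allowed_subnets` check, which refuses addresses outside the Network's configured Routes, is an assumption added here as a defensive measure, not documented product behaviour. The Application domains are constructed placeholders.

```python
"""Resolve CloudConnexa-style "embedded IP" hostnames.

Added example, not CloudConnexa's own resolver. Application domains and
subnets below are constructed placeholders.
"""
import ipaddress
import re

# Constructed sample: Application domain -> Allow Embedded IP setting.
APPLICATIONS = {
    "server.example.com": True,    # Allow Embedded IP ON
    "intranet.example.com": False,  # Allow Embedded IP OFF
}

# Leftmost label must be four dash-separated groups of 1-3 digits.
_EMBEDDED_LABEL = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")


def resolve_embedded_ip(hostname, applications=APPLICATIONS, allowed_subnets=None):
    """Return the embedded IPv4 address as a string, or None.

    None means the name does not qualify: the parent domain is not a
    configured Application, Allow Embedded IP is OFF for it, the leftmost
    label is not a dash-separated IPv4 address, an octet is out of range,
    or (assumed extra check) the address lies outside `allowed_subnets`.
    """
    host = hostname.rstrip(".").lower()
    label, sep, domain = host.partition(".")
    if not sep or not applications.get(domain, False):
        return None
    match = _EMBEDDED_LABEL.match(label)
    if not match:
        return None
    try:
        addr = ipaddress.IPv4Address(".".join(match.groups()))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None
    if allowed_subnets is not None:
        if not any(addr in ipaddress.ip_network(s) for s in allowed_subnets):
            return None
    return str(addr)


if __name__ == "__main__":
    for name in ["192-168-1-1.server.example.com", "192-168-1-1.intranet.example.com",
                 "www.server.example.com", "10-0-0-300.server.example.com"]:
        print(f"{name} -> {resolve_embedded_ip(name)}")
```

The domain match is exact (the IP label must sit directly under the Application domain), which mirrors the "append an IP address to a domain" wording above; `10-0-0-300.server.example.com` is refused because 300 is not a valid octet.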

Add Routes and IP Services

If this Network will provide access to any applications using IP addresses, you must add Routes. Routes define public and private IP address subnets that will be routed to this Network. Routes are pushed to the routing table of clients so that they can access IP Services.

Note

Add Routes if your site-to-site network routing relies on adding static routes to subnet IP addresses of other site networks in your gateway router.

It is recommended to use Applications whenever possible instead of Routes because with Applications, you can:

  • Hide the routes to your private networks, even from clients connected to CloudConnexa

  • Hide the IP address of the actual application server because the client receives an intermediary IP address from the WPC domain routing range.

  • Reduce the possibility of lateral movement because private network routes are not exposed.

  • Enforce least privilege policies and use zero trust principles, as all Applications need to be identified.

Note

Either an Application or a Route and IP Service must be added.

  1. Click Next to skip adding a Route and IP Service, or click Add Route and continue.

  2. Provide the IP Address or Subnet for the Route.

  3. Add an optional Description.

  4. Click Add Route.

    The newly added Route will be listed. Click Add Route to add additional Routes.

Specific IP address ranges that are present in the Route subnets can be configured as IP services. You would want to configure IP Services to:

  • Designate an IP address range as a source of traffic to be used later in Access Groups.

  • Restrict the protocols that will be used to access the service.

  • Define who can access the IP service using Access Groups.

  • Easily identify the traffic destined to the IP service by using a named IP Service when viewing statistics in Access Visibility.

Note

Ensure that a Route has been configured before adding an IP Service.

  1. Click Add IP Service.

  2. Provide a Name for the IP Service.

  3. Add an optional Description.

  4. Change All for Service Type (Network protocols) to select specific application protocols to permit while restricting all others.

  5. Toggle Use as Source if you want the IP address or subnets you will provide to be usable as a traffic source as well as a traffic destination. For example, use this when the IP Service is a software update application and you want to restrict, with Access Groups, which destination subnets that application can communicate with.

  6. Add one or more IP Address or Subnet that is already part of the configured Route.

  7. Click Add IP Service.

    The newly added IP Service will be listed. Click Add IP Service to add additional IP Services.

  8. Click Next to move to the next step of the Wizard.

Configure Access Group (Optional)

Refer to About Access Groups.

Note

For Access Groups to take effect, the Topology of the WPC must be set to Custom. Refer to Set WPC Topology to control the applicability of access control.

  1. Click Finish to conclude the configuration wizard, or click Add Access Group and continue.

  2. Provide a Name and, optionally, a Description.

  3. Expand/Collapse and search the Hosts, Networks, and User Groups sections in the Source column to find the entity that you want to give access to.

  4. Click on the check boxes of the source entities to select.

  5. Expand/Collapse and search the Hosts, Networks, and User Groups sections in the Destination column to find the resources you want access to be granted to. You will see an Applications shared with you section as a Destination if you have accepted access to shared applications using AppHub. Refer to Access control.

  6. Click on the check boxes of destination resources to select.

  7. Click Add Access Group.

    The newly added Access Group will be listed. Click Add Access Group to add additional Access Groups.

  8. Click Finish to complete the configuration wizard.

You will see a detailed view of the newly configured Network. Refer to View, make changes, and delete a Network.

Warning

After adding an Access Group, delete the Default Full Mesh Access Group if it exists. The continued presence of the Default Full Mesh Access Group will make other Access Groups ineffective.

Skip Wizard to add Network

When the Network configuration wizard is skipped, instead of a step-by-step wizard, a form-based entry is provided that collects the information needed for the sections below:

  1. Define Network

  2. Add Application

  3. Add Routes and IP Services

The Network Details section has the Internet Access configuration and the Internet Gateway setting.

The IP Services section does not contain the Route field because the IP subnets used in the IP Service configuration are automatically added as a Route for the Network.

Click Add Network to submit the configuration, and you will see a detailed view of the newly configured Network. Refer to View, make changes, and delete a Network.

The Connector needs to be deployed after the Network has been added. Refer to Deploy a Network OpenVPN Connector for a configured Network. Any needed Access Groups also need to be added separately. Refer to About Access Groups.

Tutorial showing how to add two networks using the Network Wizard for site-to-site networking