sendnrw/netbird-docs
2
0
Fork 0
mirror of https://github.com/netbirdio/docs.git synced 2026-04-16 07:26:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Restructuring Phase 3 (#492)

Browse Source
This commit is contained in:
Brandon Hopkins
2025-11-24 09:25:44 -08:00
committed by GitHub
parent c40c132caa
commit 0080ae97df
477 changed files with 800 additions and 564 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
src/components/NavigationDocs.jsx
View File

@@ -50,36 +50,36 @@ export const docsNavigation = [
{
title: 'MANAGE NETBIRD',
links: [
{ title: 'Control Center', href: '/how-to/control-center' },
{ title: 'Control Center', href: '/manage/control-center' },
{
title: 'Peers',
isOpen: false,
links: [
{ title: 'Add Peers', href: '/how-to/add-machines-to-your-network' },
{ title: 'Approve Peers', href: '/how-to/approve-peers' },
{ title: 'Setup Keys', href: '/how-to/register-machines-using-setup-keys' },
{ title: 'Browser Client', href: '/how-to/browser-client' },
{ title: 'SSH', href: '/how-to/ssh' },
{ title: 'Lazy Connections', href: '/how-to/lazy-connection'},
{ title: 'Add Peers', href: '/manage/peers/add-machines-to-your-network' },
{ title: 'Approve Peers', href: '/manage/peers/approve-peers' },
{ title: 'Setup Keys', href: '/manage/peers/register-machines-using-setup-keys' },
{ title: 'Browser Client', href: '/manage/peers/browser-client' },
{ title: 'SSH', href: '/manage/peers/ssh' },
{ title: 'Lazy Connections', href: '/manage/peers/lazy-connection'},
{
title: 'Access Infrastructure',
isOpen: true,
links: [
{
title: 'Access Remote Webserver',
href: '/how-to/secure-remote-webserver-access'
href: '/manage/peers/access-infrastructure/secure-remote-webserver-access'
},
{
title: 'Add Servers to the Network',
href: '/how-to/setup-keys-add-servers-to-network'
href: '/manage/peers/access-infrastructure/setup-keys-add-servers-to-network'
},
{
title: 'Access from Kubernetes',
href: '/how-to/access-internal-resources-from-autoscaled-environments'
href: '/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments'
},
{
title: 'Peer Approval for Remote Access',
href: '/how-to/peer-approval-for-remote-worker-access'
href: '/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access'
},
]
},
@@ -89,7 +89,7 @@ export const docsNavigation = [
links: [
{
title: 'Simplify Workload Migrations',
href: '/how-to/db-workload-migration'
href: '/manage/peers/site-to-site/db-workload-migration'
},
]
},
@@ -126,15 +126,15 @@ export const docsNavigation = [
title: 'Networks',
isOpen: false,
links: [
{ title: 'Concept', href: '/how-to/networks' },
{ title: 'Route Traffic to Multiple IP resources', href: '/how-to/routing-traffic-to-multiple-resources' },
{ title: 'Access Restricted Website Domain Resources', href: '/how-to/accessing-restricted-domain-resources' },
{ title: 'Access Entire Domains Within Networks', href: '/how-to/accessing-entire-domains-within-networks' },
{ title: 'Concept', href: '/manage/networks' },
{ title: 'Route Traffic to Multiple IP resources', href: '/manage/networks/routing-traffic-to-multiple-resources' },
{ title: 'Access Restricted Website Domain Resources', href: '/manage/networks/accessing-restricted-domain-resources' },
{ title: 'Access Entire Domains Within Networks', href: '/manage/networks/accessing-entire-domains-within-networks' },
{
title: 'Homelab',
isOpen: true,
links: [
{ title: 'Access Home Network', href: '/how-to/access-home-network' },
{ title: 'Access Home Network', href: '/manage/networks/homelab/access-home-network' },
]
},
]
@@ -143,66 +143,66 @@ export const docsNavigation = [
title: 'Network Routes',
isOpen: false,
links: [
{ title: 'Route Traffic to Private Networks', href: '/how-to/routing-traffic-to-private-networks' },
{ title: 'Configure Default Routes for Internet Traffic', href: '/how-to/configuring-default-routes-for-internet-traffic' },
{ title: 'Configure Routes with Access control', href: '/how-to/configuring-routes-with-access-control' },
{ title: 'Resolve Overlapping Routes', href: '/how-to/resolve-overlapping-routes' },
{ title: 'Route Traffic to Private Networks', href: '/manage/network-routes/routing-traffic-to-private-networks' },
{ title: 'Configure Default Routes for Internet Traffic', href: '/manage/network-routes/configuring-default-routes-for-internet-traffic' },
{ title: 'Configure Routes with Access control', href: '/manage/network-routes/configuring-routes-with-access-control' },
{ title: 'Resolve Overlapping Routes', href: '/manage/network-routes/resolve-overlapping-routes' },
]
},
{
title: 'DNS',
isOpen: false,
links: [
{ title: 'Manage DNS in Your Network', href: '/how-to/manage-dns-in-your-network' },
{ title: 'Manage DNS in Your Network', href: '/manage/dns' },
]
},
{
title: 'Team',
isOpen: false,
links: [
{ title: 'Add Users to Your Network', href: '/how-to/add-users-to-your-network' },
{ title: 'Approve Users', href: '/how-to/approve-users' },
{
title: 'Provision Users & Groups',
href: '/how-to/idp-sync',
isOpen: false,
links: [
{ title: 'Microsoft Entra ID', href: '/how-to/microsoft-entra-id-sync' },
{ title: 'Okta', href: '/how-to/okta-sync' },
{ title: 'Google Workspace', href: '/how-to/google-workspace-sync'},
{ title: 'JumpCloud', href: '/how-to/jumpcloud-sync'},
{ title: 'Keycloak', href: '/how-to/keycloak-sync'},
]
},
{
title: 'Auto-Offboard Users',
href: '/how-to/auto-offboard-users',
isOpen: false,
},
{
title: 'Single Sign-On',
href: '/how-to/single-sign-on',
isOpen: false,
},
{ title: 'Add Users to Your Network', href: '/manage/team/add-users-to-your-network' },
{ title: 'Approve Users', href: '/manage/team/approve-users' },
{
title: 'Provision Users & Groups',
href: '/manage/team/idp-sync',
isOpen: false,
links: [
{ title: 'Microsoft Entra ID', href: '/manage/team/idp-sync/microsoft-entra-id-sync' },
{ title: 'Okta', href: '/manage/team/idp-sync/okta-sync' },
{ title: 'Google Workspace', href: '/manage/team/idp-sync/google-workspace-sync'},
{ title: 'JumpCloud', href: '/manage/team/idp-sync/jumpcloud-sync'},
{ title: 'Keycloak', href: '/manage/team/idp-sync/keycloak-sync'},
]
},
{
title: 'Auto-Offboard Users',
href: '/manage/team/auto-offboard-users',
isOpen: false,
},
{
title: 'Single Sign-On',
href: '/manage/team/single-sign-on',
isOpen: false,
},
]
},
{
title: 'Activity',
links: [
{ title: 'Audit Events Logging', href: '/how-to/audit-events-logging' },
{ title: 'Traffic Events Logging', href: '/how-to/traffic-events-logging' },
{
title: 'Stream Activity Events',
href: '/how-to/activity-event-streaming',
isOpen: false,
links: [
{ title: 'Datadog', href: '/how-to/stream-activity-to-datadog' },
{ title: 'Amazon S3', href: '/how-to/stream-activity-to-amazon-s3' },
{ title: 'Amazon Firehose', href: '/how-to/stream-activity-to-amazon-firehose'},
{ title: 'SentinelOne Data Lake', href: '/how-to/stream-activity-to-sentinelone-data-lake'},
{ title: 'Generic HTTP', href: '/how-to/stream-activity-to-generic-http'},
]
},
{ title: 'Audit Events Logging', href: '/manage/activity' },
{ title: 'Traffic Events Logging', href: '/manage/activity/traffic-events-logging' },
{
title: 'Stream Activity Events',
href: '/manage/activity/event-streaming',
isOpen: false,
links: [
{ title: 'Datadog', href: '/manage/activity/event-streaming/datadog' },
{ title: 'Amazon S3', href: '/manage/activity/event-streaming/amazon-s3' },
{ title: 'Amazon Firehose', href: '/manage/activity/event-streaming/amazon-firehose'},
{ title: 'SentinelOne Data Lake', href: '/manage/activity/event-streaming/sentinelone-data-lake'},
{ title: 'Generic HTTP', href: '/manage/activity/event-streaming/generic-http'},
]
},
],
},
{
@@ -271,10 +271,10 @@ export const docsNavigation = [
{
title: 'USE CASES',
links: [
{ title: 'Serverless and NetBird', href: '/how-to/netbird-on-faas' },
{ title: 'Routing peers and Kubernetes', href: '/how-to/routing-peers-and-kubernetes'},
{ title: 'NetBird Client on AWS ECS', href: '/how-to/examples'},
{ title: 'NetBird on Mikrotik Router', href: '/how-to/client-on-mikrotik-router' },
{ title: 'Serverless and NetBird', href: '/use-cases/netbird-on-faas' },
{ title: 'Routing peers and Kubernetes', href: '/use-cases/routing-peers-and-kubernetes'},
{ title: 'NetBird Client on AWS ECS', href: '/use-cases/examples'},
{ title: 'NetBird on Mikrotik Router', href: '/use-cases/client-on-mikrotik-router' },
{ title: 'Distributed AI on Kubernetes', href: '/use-cases/distributed-multi-cloud-ai-argocd-microk8s-vllm' },
{ title: 'Self-hosted vs. Cloud-hosted NetBird', href: '/selfhosted/self-hosted-vs-cloud-netbird' },
],

2
src/components/announcement-banner/AnnouncementBannerProvider.jsx
View File

@@ -14,7 +14,7 @@ const BANNER_ENABLED = true
export const announcement = {
tag: '',
text: 'NetBird v0.60 Released - Native SSH Access',
link: '/how-to/ssh',
link: '/manage/peers/ssh',
linkText: 'Read Release Documentation',
linkAlt: 'Learn more about the NetBird v0.60 release',
isExternal: false,

4
src/pages/about-netbird/browser-client-architecture.mdx
View File

@@ -63,7 +63,7 @@ Once the connection is closed, the temporary peer will be automatically removed
For the WebAssembly NetBird Client all peers will be named as `{browser}-browser-client` (e.g. `safari-17-browser-client`).
<p>
<img src="/docs-static/img/how-to-guides/browser-client/temporary-peers-filter.png" alt="temporary-peers-filter" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/browser-client/temporary-peers-filter.png" alt="temporary-peers-filter" className="imagewrapper-big"/>
</p>
#### Temporary Policy
@@ -72,7 +72,7 @@ The policy will be created P2P with no groups required. This way the client will
The policies for the WebAssembly NetBird Client will be named as `Temporary access policy for peer {browser-client-name}` (e.g. `Temporary access policy for peer safari-17-browser-client`).
<p>
<img src="/docs-static/img/how-to-guides/browser-client/temporary-policies-filter.png" alt="temporary-policies-filter" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/browser-client/temporary-policies-filter.png" alt="temporary-policies-filter" className="imagewrapper-big"/>
</p>
## Connection Flow

4
src/pages/about-netbird/faq.mdx
View File

@@ -12,10 +12,10 @@ all outgoing traffic, and that may affect how NetBird clients connect to the [co
and negotiate the peer-to-peer connections.
<Note>
Allowing the outbound **P2P (STUN)** service below is **recommended** in more restricted networks for reliable peer connections. This will also improve the reliability of your [High Availability Routes](https://docs.netbird.io/how-to/routing-traffic-to-private-networks#high-availability-routes).
Allowing the outbound **P2P (STUN)** service below is **recommended** in more restricted networks for reliable peer connections. This will also improve the reliability of your [High Availability Routes](https://docs.netbird.io/manage/network-routes/routing-traffic-to-private-networks#high-availability-routes).
</Note>
<Note>
Allowing the outbound **Relay (TURN)** service below is **recommended** in more restricted networks for reliable peer connections. This will also improve the reliability of your [High Availability Routes](https://docs.netbird.io/how-to/routing-traffic-to-private-networks#high-availability-routes).
Allowing the outbound **Relay (TURN)** service below is **recommended** in more restricted networks for reliable peer connections. This will also improve the reliability of your [High Availability Routes](https://docs.netbird.io/manage/network-routes/routing-traffic-to-private-networks#high-availability-routes).
</Note>
<Note>
If using `fail2ban` or similar, you should whitelist each netbird.io endpoint below.

6
src/pages/about-netbird/how-netbird-works.mdx
View File

@@ -43,7 +43,7 @@ It keeps the network state, public WireGuard keys of the peers, authenticates an
The Management Service's responsibilities include:
* **Registering and authenticating new peers.** Every new machine has to register itself in the network in order to connect to other machines.
After installation, NetBird client requires login that can be done through Identity Provider (IDP) like Okta or with a [setup key](/how-to/register-machines-using-setup-keys).
After installation, NetBird client requires login that can be done through Identity Provider (IDP) like Okta or with a [setup key](/manage/peers/register-machines-using-setup-keys).
* **Keeping the network map.** The Management service stores information about all the registered peers including WireGuard public key that was sent during the registration process.
* **Managing private IP addresses.** Each peer receives a unique private IP with which it can be identified in the network.
We use [Carrier Grade NAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT) address space with an allocated address block <em>100.64.0.0/10</em>.
@@ -51,7 +51,7 @@ We use [Carrier Grade NAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT) addr
Whenever a new peer joins the network, all other peers that are authorized to connect to it receive an update.
After that, they are able to establish a connection to the new peer.
* **Creating and managing access control rules.**
* **Managing private DNS.** [DNS](/how-to/manage-dns-in-your-network) allows referring to each of the peers with a fully qualified domain name (FQDN).
* **Managing private DNS.** [DNS](/manage/dns) allows referring to each of the peers with a fully qualified domain name (FQDN).
* **Logging network activity.**
* **Managing users.**
@@ -73,7 +73,7 @@ The Client's roles are the following:
To accept the incoming connections, peers have to know each other, therefore, the generated public keys have to be pre-shared on the machines.
The client application sends its public key to the Management service which then distributes it to the authorized peers.
* **Handling peer registration and authentication.** Each peer has to be authenticated and registered in the system.
The client application requests a user to log in with an Identity Provider (IDP) or a [setup key](/how-to/register-machines-using-setup-keys) so that the peer can be associated with the organization's account.
The client application requests a user to log in with an Identity Provider (IDP) or a [setup key](/manage/peers/register-machines-using-setup-keys) so that the peer can be associated with the organization's account.
* **Receiving network updates from the Management service.**
Each peer receives initial configuration and a list of peers with corresponding public keys and IP addresses so that it can establish a point-to-point connection.
* **Establishing point-to-point WireGuard connection.** To establish a connection with a remote peer, the Client first discovers the most suitable connection candidate, or simply address (IP:port) that other peers can use to connect to it.

2
src/pages/about-netbird/other.mdx
View File

@@ -21,7 +21,7 @@ The goal of the task is to get familiar with the system by setting up a self-hos
It is possible to set up multiple peers on the same machine. Find out how!
</Note>
4. Ping machines and make sure that they are reachable.
5. We might ask you to provide a generated [setup key](/how-to/setup-keys) so that we could test your setup.
5. We might ask you to provide a generated [setup key](/manage/peers/register-machines-using-setup-keys) so that we could test your setup.
Please reach out to us with any questions. We believe you will have some! :)

2
src/pages/get-started/cli.mdx
View File

@@ -403,7 +403,7 @@ Peers count: 2/3 Connected
Command to connect via SSH to a remote peer in your NetBird network. The `ssh` command has several subcommands for different operations.
<Note>
Before using this command, make sure that SSH Access is enabled both on the target peer and in the NetBird Dashboard. Learn more about [enabling SSH access](/how-to/ssh).
Before using this command, make sure that SSH Access is enabled both on the target peer and in the NetBird Dashboard. Learn more about [enabling SSH access](/manage/peers/ssh).
</Note>
#### ssh (connect)

14
src/pages/get-started/index.mdx
View File

@@ -51,7 +51,7 @@ With the client installed, you now need to connect it to your network.
4. Once authorized, you will see a "Login successful" message. The onboarding UI will update to show that your first peer is connected, displaying its name and assigned NetBird IP address.
### Add a Second Peer (Headless Linux Server)
Next, let's add a second, headless peer, like a Linux server or a Raspberry Pi. For devices without a graphical interface, we use a [Setup Key](https://docs.netbird.io/how-to/register-machines-using-setup-keys).
Next, let's add a second, headless peer, like a Linux server or a Raspberry Pi. For devices without a graphical interface, we use a [Setup Key](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys).
![Install NetBird Headless](/docs-static/img/get-started/onboarding/05_headless-installed.jpeg)
@@ -107,7 +107,7 @@ The final onboarding step introduces NetBird's powerful Access Control policies.
In the policy example above, we allowed _IT Admins_ port specific access to peers under the _AWS Servers_ group. Policies are a key building block to access in NetBird. You can learn more about the power of policies [here](https://docs.netbird.io/manage/access-control/manage-network-access).
<Note>
If you manage users and groups with your identity provider, you can provision and sync them with NetBird. Learn more [here](https://docs.netbird.io/how-to/idp-sync) including the supported platforms.
If you manage users and groups with your identity provider, you can provision and sync them with NetBird. Learn more [here](https://docs.netbird.io/manage/team/idp-sync) including the supported platforms.
</Note>
## Remote Network Access
@@ -128,7 +128,7 @@ Next, you'll define the private network you want your users to be able to access
![NetBird Subnet Setup](/docs-static/img/get-started/onboarding/11_entire-subnet.jpeg)
### Add and Configure a Routing Peer
A [routing peer](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) is a NetBird peer that lives inside your private network and acts as a gateway, forwarding traffic between your remote users and the internal resources.
A [routing peer](https://docs.netbird.io/manage/network-routes/routing-traffic-to-private-networks) is a NetBird peer that lives inside your private network and acts as a gateway, forwarding traffic between your remote users and the internal resources.
![Adding a routing peer](/docs-static/img/get-started/onboarding/12_add-routing-peer.jpeg)
@@ -180,11 +180,11 @@ The final step of the onboarding wizard explains the access rule that was automa
Click Go to Dashboard to access the main NetBird admin panel. From here, you can:
* [Control Center](https://docs.netbird.io/how-to/control-center): Visualize your network topology and access relationships with an interactive graph.
* [Peers](https://docs.netbird.io/how-to/add-machines-to-your-network): View and manage all connected devices and their properties.
* [Setup Keys](https://docs.netbird.io/how-to/register-machines-using-setup-keys): Create and manage keys for adding new headless or ephemeral devices.
* [Control Center](https://docs.netbird.io/manage/control-center): Visualize your network topology and access relationships with an interactive graph.
* [Peers](https://docs.netbird.io/manage/peers/add-machines-to-your-network): View and manage all connected devices and their properties.
* [Setup Keys](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys): Create and manage keys for adding new headless or ephemeral devices.
* [Access Control](https://docs.netbird.io/manage/access-control/manage-network-access): Define granular firewall rules to control which peers can access what.
* [Team](https://docs.netbird.io/how-to/add-users-to-your-network): Manage users and create groups for easier policy management.
* [Team](https://docs.netbird.io/manage/team/add-users-to-your-network): Manage users and create groups for easier policy management.
You are now ready to explore the full capabilities of NetBird.

6
src/pages/get-started/install/docker.mdx
View File

@@ -19,7 +19,7 @@ The experience may vary depending on the docker daemon, operating system, or ker
docker run --rm --name PEER_NAME --hostname PEER_NAME --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE -d -e NB_SETUP_KEY=<SETUP KEY> -v netbird-client:/var/lib/netbird netbirdio/netbird:latest
```
See [Docker example](/how-to/examples#net-bird-client-in-docker) for details.
See [Docker example](/use-cases/examples#net-bird-client-in-docker) for details.
### Troubleshooting
1. If you are using self-hosted version and haven't specified `--management-url`, the client app will use the default URL
@@ -58,10 +58,10 @@ volumes:
```
## Running NetBird with a Setup Key
In case you are activating a server peer, you can use a [setup key](/how-to/register-machines-using-setup-keys) as described in the steps below.
In case you are activating a server peer, you can use a [setup key](/manage/peers/register-machines-using-setup-keys) as described in the steps below.
> This is especially helpful when you are running multiple server instances with infrastructure-as-code tools like ansible and terraform.
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/how-to/register-machines-using-setup-keys)).
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/manage/peers/register-machines-using-setup-keys)).
```bash
docker run --network host --privileged --rm -d -e NB_SETUP_KEY=<SETUP KEY> -v netbird-client:/var/lib/netbird netbirdio/netbird:<TAG>

4
src/pages/get-started/install/index.mdx
View File

@@ -43,10 +43,10 @@ Check connection status:
```
## Running NetBird with a Setup Key
In case you are activating a server peer, you can use a [setup key](/how-to/register-machines-using-setup-keys) as described in the steps below.
In case you are activating a server peer, you can use a [setup key](/manage/peers/register-machines-using-setup-keys) as described in the steps below.
> This is especially helpful when you are running multiple server instances with infrastructure-as-code tools like ansible and terraform.
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/how-to/register-machines-using-setup-keys)).
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/manage/peers/register-machines-using-setup-keys)).
For all systems:
```bash

4
src/pages/get-started/install/linux.mdx
View File

@@ -250,10 +250,10 @@ Check connection status:
```
## Running NetBird with a Setup Key
In case you are activating a server peer, you can use a [setup key](/how-to/register-machines-using-setup-keys) as described in the steps below.
In case you are activating a server peer, you can use a [setup key](/manage/peers/register-machines-using-setup-keys) as described in the steps below.
> This is especially helpful when you are running multiple server instances with infrastructure-as-code tools like ansible and terraform.
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/how-to/register-machines-using-setup-keys)).
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/manage/peers/register-machines-using-setup-keys)).
```bash
netbird up --setup-key <SETUP KEY>

4
src/pages/get-started/install/macos.mdx
View File

@@ -108,10 +108,10 @@ Check connection status:
```
### Running NetBird with a Setup Key
In case you are activating a server peer, you can use a [setup key](/how-to/register-machines-using-setup-keys) as described in the steps below.
In case you are activating a server peer, you can use a [setup key](/manage/peers/register-machines-using-setup-keys) as described in the steps below.
> This is especially helpful when you are running multiple server instances with infrastructure-as-code tools like ansible and terraform.
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/how-to/register-machines-using-setup-keys)).
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/manage/peers/register-machines-using-setup-keys)).
```bash
netbird up --setup-key <SETUP KEY>

2
src/pages/get-started/install/opnsense.mdx
View File

@@ -15,7 +15,7 @@ there are both managed and [self-hosted](https://docs.netbird.io/selfhosted/self
## Prerequisites
- Shell or Web UI access to your OPNsense system
- A [setup key](/how-to/register-machines-using-setup-keys#types-of-setup-keys) to authenticate and register the OPNsense device
- A [setup key](/manage/peers/register-machines-using-setup-keys#types-of-setup-keys) to authenticate and register the OPNsense device
## Installation

2
src/pages/get-started/install/pfsense.mdx
View File

@@ -13,7 +13,7 @@ This installation is intended for early adopters while the pfSense package is un
## Prerequisites
- Shell/SSH access to pfSense (via Web UI shell or remote SSH)
- A [setup key](/how-to/register-machines-using-setup-keys#types-of-setup-keys) to authenticate and register the pfSense device
- A [setup key](/manage/peers/register-machines-using-setup-keys#types-of-setup-keys) to authenticate and register the pfSense device
- The latest NetBird `.pkg` binary from the [GitHub Releases](https://github.com/netbirdio/pfsense-netbird/releases)
## Installation

6
src/pages/get-started/install/synology.mdx
View File

@@ -22,7 +22,7 @@ ssh user@192.168.0.53
curl -fsSL https://pkgs.netbird.io/install.sh | sh
```
5. Add your Synology NAS as a Peer using the steps from [Add peers to your NetBird network](https://docs.netbird.io/how-to/add-machines-to-your-network) in the documentation.
5. Add your Synology NAS as a Peer using the steps from [Add peers to your NetBird network](https://docs.netbird.io/manage/peers/add-machines-to-your-network) in the documentation.
## Reboot Script
@@ -52,10 +52,10 @@ fi
4. If youd like to see the logs for this task, select the task you create and click on Settings. Check the box that says Save output results, select a save location, and click OK. Now, if you select the task and **Action > View Result**, youll see any error logs and status.
## Running with a Setup Key
In case you are activating a server peer, you can use a [setup key](/how-to/register-machines-using-setup-keys) as described in the steps below.
In case you are activating a server peer, you can use a [setup key](/manage/peers/register-machines-using-setup-keys) as described in the steps below.
> This is especially helpful when you are running multiple server instances with infrastructure-as-code tools like ansible and terraform.
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/how-to/register-machines-using-setup-keys)).
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/manage/peers/register-machines-using-setup-keys)).
```bash
netbird up --setup-key <SETUP KEY>

4
src/pages/get-started/install/windows.mdx
View File

@@ -40,10 +40,10 @@ Check connection status:
```
## Running NetBird with a Setup Key
In case you are activating a server peer, you can use a [setup key](/how-to/register-machines-using-setup-keys) as described in the steps below.
In case you are activating a server peer, you can use a [setup key](/manage/peers/register-machines-using-setup-keys) as described in the steps below.
> This is especially helpful when you are running multiple server instances with infrastructure-as-code tools like ansible and terraform.
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/how-to/register-machines-using-setup-keys)).
1. Login to the Management Service. You need to have a `setup key` in hand (see [setup keys](/manage/peers/register-machines-using-setup-keys)).
For all systems:
```bash

8
src/pages/how-to/acronis-netbird-integration.mdx
View File

@@ -149,7 +149,7 @@ The advantage of deployment plans is that they enable scheduled, repeatable inst
## Installing NetBird in Windows using a PowerShell Script
In addition to packages, Acronis Cyber Protect Cloud allows you to install NetBird using PowerShell scripts. This method is handy to automate NetBird installation on Windows Servers, especially if you plan to use [setup keys](https://docs.netbird.io/how-to/register-machines-using-setup-keys).
In addition to packages, Acronis Cyber Protect Cloud allows you to install NetBird using PowerShell scripts. This method is handy to automate NetBird installation on Windows Servers, especially if you plan to use [setup keys](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys).
### Adding NetBird PowerShell Scripts to Acronis
@@ -567,7 +567,7 @@ From `MANAGEMENT > Scripting plans`, you can click on the three-dot menu of any
For large-scale deployments, you can automate the NetBird client installation on multiple macOS endpoints using a Bash script. This method downloads the official package directly from NetBird's GitHub releases and proceeds with the installation.
You can optionally use NetBird's [setup keys](https://docs.netbird.io/how-to/register-machines-using-setup-keys) to pre-authorize devices during provisioning. The key ensures that once a machine joins the network, it is automatically placed in the correct groups with all the right access permissions already applied.
You can optionally use NetBird's [setup keys](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys) to pre-authorize devices during provisioning. The key ensures that once a machine joins the network, it is automatically placed in the correct groups with all the right access permissions already applied.
### Adding NetBird Bash Scripts to Acronis
@@ -625,9 +625,9 @@ Tip: You can manually trigger any plan outside its schedule. Go to `MANAGEMENT >
## Confirming Endpoint Registration in NetBird
While Acronis Cyber Protect Cloud handles the automated deployment of NetBird clients to your Windows and macOS endpoints, client authentication operates independently through NetBird's identity provider integration system. NetBird [supports major Identity Providers (IdP)](https://docs.netbird.io/how-to/add-users-to-your-network#identity-provider-id-p-sync), including Microsoft Entra ID, Google Workspace, Okta, and others, allowing organizations to maintain their existing authentication infrastructure.
While Acronis Cyber Protect Cloud handles the automated deployment of NetBird clients to your Windows and macOS endpoints, client authentication operates independently through NetBird's identity provider integration system. NetBird [supports major Identity Providers (IdP)](https://docs.netbird.io/manage/team/add-users-to-your-network#identity-provider-id-p-sync), including Microsoft Entra ID, Google Workspace, Okta, and others, allowing organizations to maintain their existing authentication infrastructure.
For example, organizations using Microsoft 365 can use the [NetBird-Microsoft Entra ID integration](https://docs.netbird.io/how-to/microsoft-entra-id-sync#get-started-with-net-bird-entra-id-integration) to automatically authenticate and synchronize users and groups from Entra ID to NetBird. This integration eliminates manual user provisioning by automatically syncing organizational structure, including group memberships and user access permissions. Once synchronized, users automatically inherit the corresponding Access Control Policies created in the initial configuration section (`IT Administrators` group has access to the `Windows Workstations` group), ensuring that network access permissions align with their organizational roles.
For example, organizations using Microsoft 365 can use the [NetBird-Microsoft Entra ID integration](https://docs.netbird.io/manage/team/idp-sync/microsoft-entra-id-sync#get-started-with-net-bird-entra-id-integration) to automatically authenticate and synchronize users and groups from Entra ID to NetBird. This integration eliminates manual user provisioning by automatically syncing organizational structure, including group memberships and user access permissions. Once synchronized, users automatically inherit the corresponding Access Control Policies created in the initial configuration section (`IT Administrators` group has access to the `Windows Workstations` group), ensuring that network access permissions align with their organizational roles.
To confirm that your Acronis-deployed Windows (or macOS) endpoints successfully joined NetBird, navigate to the `Peers` menu in your NetBird dashboard. Successfully registered endpoints will appear in the peers list with their device names, connection status, and assigned IP addresses within your NetBird network.

2
src/pages/how-to/delete-account.mdx
View File

@@ -1,7 +1,7 @@
import {Note} from "@/components/mdx";
# Delete your NetBird account
To delete your NetBird organization account, you must be a user with the [owner role](/how-to/add-users-to-your-network#manage-user-roles). You can ask the owner to delete the organization account if you are not the account owner.
To delete your NetBird organization account, you must be a user with the [owner role](/manage/team/add-users-to-your-network#manage-user-roles). You can ask the owner to delete the organization account if you are not the account owner.
## Delete your account
<Note>
Before proceeding to delete your Netbird account, please be aware that this action is irreversible. Once your account is deleted, you will permanently lose access to all associated data, including your peers, users, groups, policies, and routes.

6
src/pages/how-to/enforce-periodic-user-authentication.mdx
View File

@@ -11,7 +11,7 @@ Every new network has this feature enabled, and the expiration period is set to
Expired peers will appear in the peers' view with the status `Login required`.
<p>
<img src="/docs-static/img/how-to-guides/peer-needs-login.png" alt="peer-needs-login.png" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/peer-needs-login.png" alt="peer-needs-login.png" className="imagewrapper-big"/>
</p>
## Configure and disable expiration
@@ -20,7 +20,7 @@ Go to the Web UI `Settings` tab and set the desired period in the Authentication
You can also disable the expiration for the whole network in the same section.
<p>
<img src="/docs-static/img/how-to-guides/peer-login-expiration.png" alt="peer-login-expiration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/peer-login-expiration.png" alt="peer-login-expiration" className="imagewrapper-big"/>
</p>
@@ -36,7 +36,7 @@ In the Peers tab of the web UI click on the peer you want to disable expiration
Peers with `Expiration disabled` will be marked with a corresponding label in the Peers table.
<p>
<img src="/docs-static/img/how-to-guides/individual-peer-login-expiration.png" alt="peer-login-expiration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/individual-peer-login-expiration.png" alt="peer-login-expiration" className="imagewrapper-big"/>
</p>
## Get started

2
src/pages/how-to/intune-netbird-integration.mdx
View File

@@ -18,7 +18,7 @@ In this hands-on tutorial, you'll learn how to deploy NetBird with Intune to gra
Before beginning this tutorial, ensure you have the following prerequisites in place:
- Complete the tutorial [Provision Users and Groups From Microsoft Entra ID](https://docs.netbird.io/how-to/microsoft-entra-id-sync) to ensure you can select Entra ID-managed users and groups within Intune.
- Complete the tutorial [Provision Users and Groups From Microsoft Entra ID](https://docs.netbird.io/manage/team/idp-sync/microsoft-entra-id-sync) to ensure you can select Entra ID-managed users and groups within Intune.
- A [NetBird account](https://app.netbird.io) with administrative permissions to create and manage access policies.
- An active [Microsoft Intune license](https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/licenses) (included with Microsoft 365 E3, E5, F1, F3, Enterprise Mobility + Security E3/E5, or Business Premium plans).
- An Intune admin user with at least the [Policy and Profile Manager](https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/role-based-access-control-reference#policy-and-profile-manager) built-in role (*Intune Administrator* role recommended for full control over advanced features)

8
src/pages/how-to/kubernetes-operator.mdx
View File

@@ -4,7 +4,7 @@ Accessing private Kubernetes clusters can be challenging, especially when connec
having multiple clusters to manage. NetBird Kubernetes operator simplifies this process by enabling secure access
to your Kubernetes clusters using custom resource configurations and annotations to expose your cluster and services in your NetBird network.
The NetBird Kubernetes operator automatically creates [Networks and Resources](/how-to/networks) in your NetBird account, allowing you to
The NetBird Kubernetes operator automatically creates [Networks and Resources](/manage/networks) in your NetBird account, allowing you to
seamlessly access your Kubernetes services and control plane from your NetBird network.
## Deployment
@@ -78,7 +78,7 @@ helm upgrade --create-namespace -f values.yaml -n netbird netbird-operator netbi
## Expose Kubernetes Control Plane to your NetBird Network
To access your Kubernetes control plane from a NetBird network, you can expose your Kubernetes control plane as a
[NetBird resource](/how-to/networks#resources) by enabling the following option in the operator values:
[NetBird resource](/manage/networks#resources) by enabling the following option in the operator values:
```yaml
ingres:
@@ -132,7 +132,7 @@ This will create a Network and a resource similar to the example below:
<Note>
Ingress DNS Resolution requires enabled `DNS Wildcard Routing` and at least one DNS Nameserver configured for clients.
Learn more about Networks settings [here](/how-to/networks#enable-dns-wildcard-routing).
Learn more about Networks settings [here](/manage/networks#enable-dns-wildcard-routing).
</Note>
Other annotations can be used to further configure the resources created by the operator:
@@ -261,7 +261,7 @@ and DNS configurations as any other peer in your NetBird network. This allows yo
through the NetBird network, enabling egress-like access to remote services from your Kubernetes services across various locations or cloud providers.
To enable sidecar functionality in your deployments, you first need to generate a setup key, either via the UI (see image below)
or by following [this guide](/how-to/register-machines-using-setup-keys) for more details.
or by following [this guide](/manage/peers/register-machines-using-setup-keys) for more details.
<p>
<img src="/docs-static/img/how-to-guides/kubernetes/side-cars-setup-key.png" alt="Setup Keys" className="imagewrapper"/>

2
src/pages/how-to/msp-portal.mdx
View File

@@ -42,7 +42,7 @@ In the 'Tenants' section of your dashboard, click on the 'Add Tenant' button to
<img src="/docs-static/img/how-to-guides/msp-portal/add-new-tenant-name-domain.png" alt="add-new-tenant-name-domain" className="imagewrapper"/>
</p>
2. Define who can access the tenant account by selecting the user groups of your account and the applicable [user role](/how-to/add-users-to-your-network#manage-user-roles) when they switch to the tenant. Only users from the selected groups will
2. Define who can access the tenant account by selecting the user groups of your account and the applicable [user role](/manage/team/add-users-to-your-network#manage-user-roles) when they switch to the tenant. Only users from the selected groups will
be able to switch to and manage the tenant account.
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/add-new-tenant-permissions.png" alt="add-new-tenant-permissions" className="imagewrapper"/>

2
src/pages/how-to/plans-and-billing.mdx
View File

@@ -23,7 +23,7 @@ Details can be found on our [pricing page](https://netbird.io/pricing).
NetBird uses a pay-as-you-go model, charging only for active users or machines.
We bill you at the end of each monthly cycle based on actual usage:
* A user or machine counts as "active" only if it connects or logs in (including the admin dashboard) at least once during the billing period.
* If you integrate NetBird with your [Identity Provider (IdP)](/how-to/idp-sync),
* If you integrate NetBird with your [Identity Provider (IdP)](/manage/team/idp-sync),
we automatically sync your users and machines. Inactive synced user accounts that never connect or log in won't incur charges.
Example:

4
src/pages/how-to/troubleshooting-client.mdx
View File

@@ -817,7 +817,7 @@ misconfiguration and resulting lack of connectivity establishment.
This section will provide general directions for verifying connectivity on every step involved in handling
the Domain Resources, to better understand where issue might lie.
For in-depth overview of the mechanism please read [Domain Resources](/how-to/networks#domain-resources) section.
For in-depth overview of the mechanism please read [Domain Resources](/manage/networks#domain-resources) section.
Analyzing those issues will take a "backwards" approach (based on the most common issues), where we will first confirm
that Routing Peer itself is working as expected and will check the client's operating system configuration as one of the
@@ -905,7 +905,7 @@ Address: 100.83.136.209#22054
### Trigger the Domain Resource
I have yet to see a local DNS forwarder fail, but using it is a good way of forcing the NetBird client to set up
routing for the domain (see the [Domain Resources](/how-to/networks#domain-resources) for explanation).
routing for the domain (see the [Domain Resources](/manage/networks#domain-resources) for explanation).
<Note>
On MacOS & Windows the IP address would always be `100.83.255.254` instead of `100.83.73.97`.

2
src/pages/manage/access-control/endpoint-detection-and-response/crowdstrike-edr.mdx
View File

@@ -59,7 +59,7 @@ Before you start creating and configuring a CrowdStrike integration, ensure that
The EDR check will apply only to machines in the selected groups and will require a running CrowdStrike agent.
</Note>
<Note>
You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
You can also use groups [synchronized from your Identity Provider (IdP)](/manage/team/idp-sync).
</Note>
- Peers that have the CrowdStrike agent installed will be granted access to the network. Peers without the agent will appear

2
src/pages/manage/access-control/endpoint-detection-and-response/intune-mdm.mdx
View File

@@ -148,7 +148,7 @@ At this stage, specify one or more NetBird groups to which the check should appl
The MDM check will apply only to machines in the selected groups and will require a running Intune agent.
</Note>
<Note>
You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
You can also use groups [synchronized from your Identity Provider (IdP)](/manage/team/idp-sync).
</Note>
Peers that have the Intune agent installed and are compliant will be granted access to the network. Peers without the agent will appear

2
src/pages/manage/access-control/endpoint-detection-and-response/sentinelone-edr.mdx
View File

@@ -74,7 +74,7 @@ Treat the API token securely and store it safely. You will need both the console
<Note>
The EDR check will apply only to peers in the selected groups and will require a running SentinelOne agent.
You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
You can also use groups [synchronized from your Identity Provider (IdP)](/manage/team/idp-sync).
</Note>
- Configure the compliance criteria that devices must meet to access your network. These security requirements ensure only healthy, properly configured devices can connect. Select the criteria that align with your organization's security policies:

4
src/pages/manage/access-control/index.mdx
View File

@@ -6,7 +6,7 @@ NetBird's access control system is built on Zero Trust security principles, ensu
</p>
<Note>
**NEW:** For a visual overview of your access policies and how peers, groups, and their relationships connect, check out the [**Control Center**](https://docs.netbird.io/how-to/control-center) feature in NetBird. The Control Center provides an interactive graph view that makes it easy to understand your network's access structure at a glance.
**NEW:** For a visual overview of your access policies and how peers, groups, and their relationships connect, check out the [**Control Center**](https://docs.netbird.io/manage/control-center) feature in NetBird. The Control Center provides an interactive graph view that makes it easy to understand your network's access structure at a glance.
</Note>
## Zero-Trust Principles and NetBird
@@ -88,7 +88,7 @@ When a user signs into NetBird on a device (such as a Windows computer using the
**How peer groups work:**
1. **Manual Creation:** Groups are created explicitly in the NetBird interface
2. **Setup Key Assignment:** The most common method - when creating a setup key, you specify which groups should be [auto-assigned](https://docs.netbird.io/how-to/register-machines-using-setup-keys#peer-auto-grouping) to any peer that registers with that key
2. **Setup Key Assignment:** The most common method - when creating a setup key, you specify which groups should be [auto-assigned](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys#peer-auto-grouping) to any peer that registers with that key
3. **Manual Assignment:** Administrators can also manually assign groups to specific infrastructure peers after they're connected
**What are Setup Keys?**

8
src/pages/manage/access-control/manage-network-access.mdx
View File

@@ -13,7 +13,7 @@ Watch our Access Control video on YouTube:
</div>
<Note>
For a visual overview of your access policies and network topology, check out the [Control Center](/how-to/control-center), which provides an interactive graph view of peers, groups, and their access relationships.
For a visual overview of your access policies and network topology, check out the [Control Center](/manage/control-center), which provides an interactive graph view of peers, groups, and their access relationships.
</Note>
## Introduction
@@ -36,7 +36,7 @@ Here are some key attributes of groups:
- There exists a default group called `All` which cannot be deleted or renamed.
<Note>
You can assign groups automatically with the [peer auto-grouping feature](/how-to/register-machines-using-setup-keys#peer-auto-grouping).
You can assign groups automatically with the [peer auto-grouping feature](/manage/peers/register-machines-using-setup-keys#peer-auto-grouping).
</Note>
### The All Group
@@ -75,7 +75,7 @@ After accessing the `Access Control` > `Policies` tab, click on the `Add policy`
In the popup, specify connection `Source` and `Destination` groups. You can select existing groups or create new ones by entering a name in the input box.
<Note>
We recommend using [identity provider (IdP) integrations](/how-to/idp-sync) to provision your user groups from the IdP.
We recommend using [identity provider (IdP) integrations](/manage/team/idp-sync) to provision your user groups from the IdP.
</Note>
You can limit access to specific protocol and ports by selecting the `Protocol` and providing the port numbers in the `Ports` field.
@@ -109,7 +109,7 @@ You can assign a peer to a group by accessing the `Peers` section. Then, choose
</p>
<Note>
You can assign groups automatically with the [peer auto-grouping feature](/how-to/register-machines-using-setup-keys#peer-auto-grouping).
You can assign groups automatically with the [peer auto-grouping feature](/manage/peers/register-machines-using-setup-keys#peer-auto-grouping).
</Note>
### Updating Policies

4
src/pages/manage/access-control/posture-checks/connecting-from-the-office.mdx
View File

@@ -1,5 +1,5 @@
# Connecting from the office
A typical scenario administrators have is accessing their office networks remotely. With [Network routes](https://docs.netbird.io/how-to/routing-traffic-to-private-networks), NetBird makes this easy. Still, administrators often want to avoid routing their users traffic via NetBird when they are in the office.
A typical scenario administrators have is accessing their office networks remotely. With [Network routes](https://docs.netbird.io/manage/network-routes/routing-traffic-to-private-networks), NetBird makes this easy. Still, administrators often want to avoid routing their users traffic via NetBird when they are in the office.
To solve this, administrators can leverage the power of [Posture Checks](https://docs.netbird.io/manage/access-control/posture-checks) and create policies that allow connection to the routing peers only if they are outside the office by using
a [Peer Network Range](/manage/access-control/posture-checks#peer-network-range) posture check with a block action.
@@ -51,7 +51,7 @@ We are now ready for the final step of creating the office route.
### Create a Network Route
Now, let's create a [Network Route](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) that will expose the local office subnet `192.168.1.0/24`,
Now, let's create a [Network Route](https://docs.netbird.io/manage/network-routes/routing-traffic-to-private-networks) that will expose the local office subnet `192.168.1.0/24`,
which will be distributed to all peers members of the group `route-users`. In this example, we will be using a routing peer named `router-01`,
which is a member of the group `route-nodes`, this way, the policy we just created goes into effect, and all peers from the group `route-users` will be able to reach
`router-01` only if they are not in the office network, due to our posture check.

8
src/pages/how-to/stream-activity-to-amazon-firehose.mdx → src/pages/manage/activity/event-streaming/amazon-firehose.mdx
View File

@@ -51,19 +51,19 @@ If you don't have the required permissions, ask your AWS administrator to grant
## Create an Integration in NetBird
- Navigate to the [Integrations &raquo; Event Streaming](https://preview.netbird.io/integrations) tab in the NetBird dashboard
<p>
<img src="/docs-static/img/how-to-guides/event-streaming-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/event-streaming-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
</p>
- Enable and configure the `Amazon Data Firehose` integration
- First select the region your Firehose stream is created in
<p>
<img src="/docs-static/img/how-to-guides/firehose-region-select.png" alt="firehose-region-select" className="imagewrapper" />
<img src="/docs-static/img/manage/activity/event-streaming/amazon-firehose/firehose-region-select.png" alt="firehose-region-select" className="imagewrapper" />
</p>
- Then enter the Firehose stream name you created in [Step 1](#step-1-create-a-data-firehose-stream) and click `Next`
<p>
<img src="/docs-static/img/how-to-guides/firehose-stream-name.png" alt="firehose-stream-name" className="imagewrapper" />
<img src="/docs-static/img/manage/activity/event-streaming/amazon-firehose/firehose-stream-name.png" alt="firehose-stream-name" className="imagewrapper" />
</p>
- Enter the `Access key` and `Secret access key` you created in [Step 2](#step-2-create-an-iam-user-2) and click `Connect`
<p>
<img src="/docs-static/img/how-to-guides/firehose-iam-credentials.png" alt="firehose-iam-credentials" className="imagewrapper" />
<img src="/docs-static/img/manage/activity/event-streaming/amazon-firehose/firehose-iam-credentials.png" alt="firehose-iam-credentials" className="imagewrapper" />
</p>

12
src/pages/how-to/stream-activity-to-amazon-s3.mdx → src/pages/manage/activity/event-streaming/amazon-s3.mdx
View File

@@ -7,7 +7,7 @@ NetBird integrates with Amazon S3 and sends activity events to an S3 bucket in r
NetBird creates a new object in the S3 bucket, which you can then analyze, filter, and query using Amazon tools.
Storing one event per object is not the most efficient way to save data in S3, therefore NetBird provides an
[alternative integration](/how-to/stream-activity-to-amazon-firehose) that uses Amazon Data Firehose for a more efficient
[alternative integration](/manage/activity/event-streaming/amazon-firehose) that uses Amazon Data Firehose for a more efficient
data ingestion.
<Note>
@@ -59,21 +59,21 @@ If you don't have the required permissions, ask your AWS administrator to grant
## Create an Integration in NetBird
- Navigate to the [Integrations &raquo; Event Streaming](https://preview.netbird.io/integrations) tab in the NetBird dashboard
<p>
<img src="/docs-static/img/how-to-guides/event-streaming-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/event-streaming-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
</p>
- Enable and configure the `Amazon S3` integration
- First select the region your S3 bucket is created in
<p>
<img src="/docs-static/img/how-to-guides/s3-region-select.png" alt="s3-region-select" className="imagewrapper" />
<img src="/docs-static/img/manage/activity/event-streaming/amazon-s3/s3-region-select.png" alt="s3-region-select" className="imagewrapper" />
</p>
- Then enter the S3 bucket name you created in [Step 1](#step-1-create-an-s3-bucket) and click `Next`
<p>
<img src="/docs-static/img/how-to-guides/s3-bucket-name.png" alt="s3-bucket-name" className="imagewrapper"/>
<img src="/docs-static/img/manage/activity/event-streaming/amazon-s3/s3-bucket-name.png" alt="s3-bucket-name" className="imagewrapper"/>
</p>
- Enter the `Access key` and `Secret access key` you created in [Step 2](#step-2-create-an-iam-user) and click `Connect`
<p>
<img src="/docs-static/img/how-to-guides/s3-iam-credentials.png" alt="s3-iam-credentials" className="imagewrapper" />
<img src="/docs-static/img/manage/activity/event-streaming/amazon-s3/s3-iam-credentials.png" alt="s3-iam-credentials" className="imagewrapper" />
</p>
## Verify the Integration
@@ -86,7 +86,7 @@ containing the following events:
- `integration created`
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/verify-amazon-s3-integration.png" alt="verify-amazon-s3-integration" className="imagewrapper-big" />
<img src="/docs-static/img/manage/activity/event-streaming/amazon-s3/verify-amazon-s3-integration.png" alt="verify-amazon-s3-integration" className="imagewrapper-big" />
</p>
```json

10
src/pages/how-to/stream-activity-to-datadog.mdx → src/pages/manage/activity/event-streaming/datadog.mdx
View File

@@ -1,7 +1,7 @@
# Stream Network Activity to Datadog Cloud SIEM
Datadog is a monitoring and analytics platform for cloud-scale applications. Datadog Cloud SIEM provides real-time threat
detection and security monitoring for cloud environments. By using the NetBird-Datadog integration, you can stream [network activity](/how-to/monitor-system-and-network-activity) to Datadog Cloud SIEM for real-time monitoring
detection and security monitoring for cloud environments. By using the NetBird-Datadog integration, you can stream [network activity](/manage/activity/traffic-events-logging) to Datadog Cloud SIEM for real-time monitoring
and threat detection across your private network.
NetBird integrates with Datadog using the [Datadog Log Collection HTTP API](https://docs.datadoghq.com/api/latest/logs/#send-logs)
@@ -28,17 +28,17 @@ ask your Datadog administrator to grant them to you.
## Create an Integration in NetBird
- Navigate to the [Integrations &raquo; Event Streaming](https://preview.netbird.io/integrations) tab in the NetBird Dashboard
<p>
<img src="/docs-static/img/how-to-guides/event-streaming-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/event-streaming-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
</p>
- Enable and configure the Datadog integration
- First select the region of your Datadog account (for more details see [Datadog Documentation](https://docs.datadoghq.com/getting_started/site/))
<p>
<img src="/docs-static/img/how-to-guides/datadog-region-select.png" alt="datadog-region-select" className="imagewrapper" />
<img src="/docs-static/img/manage/activity/event-streaming/datadog/datadog-region-select.png" alt="datadog-region-select" className="imagewrapper" />
</p>
- Then enter the API key you created in [Step 1](#step-1-create-a-datdog-api-key) and click `Connect`
<p>
<img src="/docs-static/img/how-to-guides/datadog-api-key.png" alt="datadog-api-key" className="imagewrapper" />
<img src="/docs-static/img/manage/activity/event-streaming/datadog/datadog-api-key.png" alt="datadog-api-key" className="imagewrapper" />
</p>
## Verify the Integration
@@ -50,7 +50,7 @@ in the Log Explorer:
- `integration created`
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/verify-datadog-integration.png" alt="verify-datadog-integration" className="imagewrapper"/>
<img src="/docs-static/img/manage/activity/event-streaming/datadog/verify-datadog-integration.png" alt="verify-datadog-integration" className="imagewrapper"/>
</p>
The `integration test` event is sent to validate whether the provided credentials are correct and NetBird can stream events.

8
src/pages/how-to/stream-activity-to-generic-http.mdx → src/pages/manage/activity/event-streaming/generic-http.mdx
View File

@@ -23,7 +23,7 @@ Before you start, ensure you have an HTTP/S endpoint that is publicly accessible
This tab is for the essential endpoint details.
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/generic-http/general-config.png" alt="Generic HTTP General Configuration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/generic-http/general-config.png" alt="Generic HTTP General Configuration" className="imagewrapper-big"/>
</p>
- **Endpoint URL**: Enter the full HTTPS or HTTP URL where NetBird should send the events. This field is mandatory.
@@ -42,7 +42,7 @@ After saving the integration, the configured authentication details will be conv
You can add custom HTTP headers to every outgoing request in the **Headers** tab. This is useful for passing static tokens, setting a custom `Content-Type`, or other API requirements. By default, the `Content-Type` is `application/json`.
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/generic-http/headers-config.png" alt="Generic HTTP Headers Configuration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/generic-http/headers-config.png" alt="Generic HTTP Headers Configuration" className="imagewrapper-big"/>
</p>
### Custom Body Template (Optional)
@@ -50,7 +50,7 @@ You can add custom HTTP headers to every outgoing request in the **Headers** tab
The **Body Template** tab gives you powerful control over the structure of the JSON payload sent to your endpoint.
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/generic-http/body-template-config.png" alt="Generic HTTP Body Template Configuration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/generic-http/body-template-config.png" alt="Generic HTTP Body Template Configuration" className="imagewrapper-big"/>
</p>
If this option is disabled, NetBird sends a default JSON object for each event. When enabled, you can define your own payload structure using Go's `text/template` templating engine.
@@ -76,7 +76,7 @@ You can use the following variables from the `StreamEvent` object in your templa
This tab allows you to delete the integration. This action is irreversible and will immediately stop events from being sent to your endpoint.
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/generic-http/danger-zone.png" alt="Generic HTTP Danger Zone" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/generic-http/danger-zone.png" alt="Generic HTTP Danger Zone" className="imagewrapper-big"/>
</p>
After configuring all settings, click **Save Changes**.

14
src/pages/how-to/activity-event-streaming.mdx → src/pages/manage/activity/event-streaming/index.mdx
View File

@@ -1,14 +1,14 @@
# Stream Network Activity to Third-Party SIEM Platforms
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/event-streaming-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/event-streaming-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
</p>
Security Information and Event Management (SIEM) systems play a critical role in network security by monitoring,
detecting, and responding to security threats in real-time. By aggregating and analyzing activity across the network,
SIEMs help identify anomalous patterns and potential breaches, providing a centralized view of security events.
NetBird provides an event streaming feature that allows you to stream network [activity events](/how-to/monitor-system-and-network-activity)
NetBird provides an event streaming feature that allows you to stream network [activity events](/manage/activity/traffic-events-logging)
to third-party SIEM systems, such as [Datadog](https://www.datadoghq.com/dg/security/siem-solution/), [Amazon S3](https://aws.amazon.com/s3/), [Amazon Data Firehose](https://aws.amazon.com/firehose/), and others through a generic HTTP integration.
<Note>
@@ -18,8 +18,8 @@ to third-party SIEM systems, such as [Datadog](https://www.datadoghq.com/dg/secu
This documentation provides step-by-step guides and best practices for integrating NetBird activity event streaming with
supported third-party platforms. To get started, select one of the following integrations:
- [Datadog](/how-to/stream-activity-to-datadog)
- [Amazon S3](/how-to/stream-activity-to-amazon-s3)
- [Amazon Data Firehose](/how-to/stream-activity-to-amazon-firehose)
- [SentinelOne Data Lake](/how-to/stream-activity-to-sentinelone-data-lake)
- [Generic HTTP](/how-to/stream-activity-to-generic-http)
- [Datadog](/manage/activity/event-streaming/datadog)
- [Amazon S3](/manage/activity/event-streaming/amazon-s3)
- [Amazon Data Firehose](/manage/activity/event-streaming/amazon-firehose)
- [SentinelOne Data Lake](/manage/activity/event-streaming/sentinelone-data-lake)
- [Generic HTTP](/manage/activity/event-streaming/generic-http)

8
src/pages/how-to/stream-activity-to-sentinelone-data-lake.mdx → src/pages/manage/activity/event-streaming/sentinelone-data-lake.mdx
View File

@@ -23,7 +23,7 @@ Before you start creating and configuring a SentinelOne Singularity Data Lake ev
- Click **Copy to Clipboard** and store this token securely. You will need this token when configuring the integration in NetBird.
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/sentinelone-data-lake/api-key-generation.png" alt="API Key Generation" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/sentinelone-data-lake/api-key-generation.png" alt="API Key Generation" className="imagewrapper-big"/>
</p>
## Get the HEC Ingestion URL
@@ -39,7 +39,7 @@ to find and copy the HTTP Event Collector base URL from the documentation page.
- Select **Bearer Token** for authentication and provide the API token you created earlier
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/sentinelone-data-lake/general-settings.png" alt="General Settings Configuration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/sentinelone-data-lake/general-settings.png" alt="General Settings Configuration" className="imagewrapper-big"/>
</p>
- Enable the custom body template and use the following template optimized for SentinelOne Singularity Data Lake:
@@ -59,7 +59,7 @@ to find and copy the HTTP Event Collector base URL from the documentation page.
```
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/sentinelone-data-lake/custom-template.png" alt="Custom Template Configuration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/sentinelone-data-lake/custom-template.png" alt="Custom Template Configuration" className="imagewrapper-big"/>
</p>
## Verify the Integration
@@ -71,7 +71,7 @@ After configuring the SentinelOne Singularity Data Lake integration in NetBird,
- Verify the test events appear with the expected structure
<p>
<img src="/docs-static/img/how-to-guides/activity-event-streaming/sentinelone-data-lake/verify-integration.png" alt="Verify Integration" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/event-streaming/sentinelone-data-lake/verify-integration.png" alt="Verify Integration" className="imagewrapper-big"/>
</p>
The integration is now set up and ready to stream network activity events to SentinelOne Singularity Data Lake.

4
src/pages/how-to/audit-events-logging.mdx → src/pages/manage/activity/index.mdx
View File

@@ -15,7 +15,7 @@ To get started with event logging in NetBird, watch this introductory video:
The audit events logging feature is enabled by default for every NetBird network. You can access the activity log in the web UI under the [Audit Events tab](https://app.netbird.io/events/audit). This view provides a centralized log of network events. You can use the search bar to search by activity name, and apply filters for timeframes, event types, and users.
<p>
<img src="/docs-static/img/how-to-guides/activity-monitoring.png" alt="activity-monitoring" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/activity-monitoring.png" alt="activity-monitoring" className="imagewrapper-big"/>
</p>
The current version of NetBird tracks a wide range of network changes that occur in the Management server, such as modifications to peers, groups, system settings, setup keys, and access control policies.
@@ -122,7 +122,7 @@ Future versions will also support connection events that occur in NetBird agents
## Enable Audit Events Streaming to SIEM Systems
NetBird can stream audit events to your Security Information and Event Management (SIEM) system in real-time. With this feature enabled, you can monitor and analyze NetBird network changes within your SIEM infrastructure. Check the [integrations guide](/how-to/activity-event-streaming) for more information about the supported integrations and how to enable them.
NetBird can stream audit events to your Security Information and Event Management (SIEM) system in real-time. With this feature enabled, you can monitor and analyze NetBird network changes within your SIEM infrastructure. Check the [integrations guide](/manage/activity/event-streaming) for more information about the supported integrations and how to enable them.
## Get Started

42
src/pages/how-to/traffic-events-logging.mdx → src/pages/manage/activity/traffic-events-logging.mdx
View File

@@ -19,7 +19,7 @@ you to better manage and secure your environment.
NetBird offers flexibility as a peer-to-peer (p2p) overlay network and a remote network access solution. You can use NetBird to connect
machines directly (p2p) when running the NetBird client on each machine. You can also use NetBird to organize remote employee access
to internal networks like VPCs, office networks, and internal services without running the NetBird client on the remote resources using the [NetBird Networks](/how-to/networks) feature.
to internal networks like VPCs, office networks, and internal services without running the NetBird client on the remote resources using the [NetBird Networks](/manage/networks) feature.
The way you use NetBird influences the way traffic events are captured and logged. Below are the two main scenarios for traffic events logging
that describe how NetBird logs traffic events for different types of connections.
@@ -32,7 +32,7 @@ connection on both the user's machine and the CRM server. If the connection was
NetBird would log the blocked event on the peer that refused the connection.
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/p2p-traffic-events.png" alt="traffic-events-p2p-diagram" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/p2p-traffic-events.png" alt="traffic-events-p2p-diagram" className="imagewrapper-big"/>
</p>
#### Successful P2P Connection Events
@@ -43,7 +43,7 @@ For example, in a successful peer-to-peer connection scenario, a user initiates
This is illustrated in the screenshot below.
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/p2p-successful-connection.png" alt="traffic-events-p2p-successful-connection" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/p2p-successful-connection.png" alt="traffic-events-p2p-successful-connection" className="imagewrapper-big"/>
</p>
You'll see two grouped sets of events, one from each peer (source and destination). The source peer `Alice` initiates the
@@ -65,22 +65,22 @@ The initiating peer `Alice` will still report the connection attempt but won't b
In this scenario, the `IT Admins to Servers` policy is configured to allow only ping requests (`ICMP`),
meaning all `HTTP` requests are intentionally not allowed. The screenshot below illustrates this behavior.
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/p2p-blocked-connection.png" alt="traffic-events-p2p-blocked-connection" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/p2p-blocked-connection.png" alt="traffic-events-p2p-blocked-connection" className="imagewrapper-big"/>
</p>
### Peer-to-Network Resource Connections
When a peer connects to a [network resource](/how-to/networks#resources), NetBird captures and logs the traffic
events for that connection on the peer that initiated the connection, and on the [routing peer](/how-to/networks#routing-peers) that connects the peer to
When a peer connects to a [network resource](/manage/networks#resources), NetBird captures and logs the traffic
events for that connection on the peer that initiated the connection, and on the [routing peer](/manage/networks#routing-peers) that connects the peer to
the internal network resource.
A slightly modified example of the CRM server connection scenario would be if instead of running the NetBird client on the CRM server,
you used the [NetBird Networks feature](/how-to/networks) and created a network resource for the CRM server. In this case, if a user accessed an internal CRM from their laptop via a browser
you used the [NetBird Networks feature](/manage/networks) and created a network resource for the CRM server. In this case, if a user accessed an internal CRM from their laptop via a browser
and port 443, NetBird would log the traffic events for that connection on the user's machine and the routing peer that
routed the connection to the CRM server. If the connection was blocked, NetBird would log the blocked event on the routing peer.
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/routed-traffic-events.png" alt="traffic-events-routed-diagram" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/routed-traffic-events.png" alt="traffic-events-routed-diagram" className="imagewrapper-big"/>
</p>
#### Successful Peer-to-Network Resource Events
@@ -91,7 +91,7 @@ The access is permitted by the policy `IT Admins to AWS Servers`, which allows c
Note the `ROUTER` column in the table, which identifies the routing peer responsible for routing to the internal network resource.
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/network-resource-successful-connection.png" alt="network-resource-succesful-connection" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/network-resource-successful-connection.png" alt="network-resource-succesful-connection" className="imagewrapper-big"/>
</p>
<Note>
@@ -107,7 +107,7 @@ You can see multiple blocked events reported by the routing peer, which indicate
in one TCP session, but the routing peer blocked all attempts.
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/network-resource-blocked-connection.png" alt="network-resource-succesful-connection" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/network-resource-blocked-connection.png" alt="network-resource-succesful-connection" className="imagewrapper-big"/>
</p>
<Note>
@@ -130,7 +130,7 @@ at the kernel level. Be aware that enabling this option may lead to higher CPU u
<p>
<img src="/docs-static/img/how-to-guides/traffic-events-logging-settings.png" alt="traffic-events-logging-settings" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/traffic-events-logging-settings.png" alt="traffic-events-logging-settings" className="imagewrapper-big"/>
</p>
### Limiting Traffic Events to Specific Groups
@@ -143,7 +143,7 @@ You can scope traffic events logging to only the peers that belong to specific g
To configure this setting, navigate to `Settings > Networks` in the Experimental section, open the Group Selector under `Enable Traffic Events`
choose the groups you want to include, and click `Save Groups`.
<p>
<img src="/docs-static/img/how-to-guides/traffic-events-groups-logging-settings.png" alt="traffic-events-groups-logging-settings" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/traffic-events-groups-logging-settings.png" alt="traffic-events-groups-logging-settings" className="imagewrapper-big"/>
</p>
## Log Retention
@@ -161,7 +161,7 @@ NetBird allows you to stream traffic events directly to your Security Informatio
By enabling this feature, you can seamlessly monitor and analyze NetBird network flow events within your existing SIEM infrastructure,
enhancing your ability to detect and respond to security events.
For detailed instructions on supported integrations and how to set them up, refer to the [integrations guide](/how-to/activity-event-streaming).
For detailed instructions on supported integrations and how to set them up, refer to the [integrations guide](/manage/activity/event-streaming).
## Traffic Events Data
@@ -276,7 +276,7 @@ You can use source ports to correlate TCP and UDP. Below we will analyze a few e
The peer Maycons-MacBook-Pro.local initiates a connection to the Web server. The source port is `51997` and the destination port is TCP/80. The connection is successful, and the event is marked as started and stopped. See screenshot below:
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/p2p-tcp-allow.png" alt="P2P TCP Allowed" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/p2p-tcp-allow.png" alt="P2P TCP Allowed" className="imagewrapper-big"/>
</p>
Besides the ports and protocol information, we can review the event description in the screenshot above to understand what happened. For all four events we have the following:
- **Peer `Maycons-MacBook-Pro-2.local` requested P2P connection to Peer `webserver`**: This is the event from the perspective of the peer that initiated the connection. The sources and destination provide the IPs and ports used in the connection.
@@ -288,7 +288,7 @@ In case of the peer receiving the connection, the stopped status might arrive se
The UDP connection is very similar:
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/p2p-udp-allow.png" alt="P2P UDP Allowed" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/p2p-udp-allow.png" alt="P2P UDP Allowed" className="imagewrapper-big"/>
</p>
<Note>
The UDP connection is stateless, so the stopped event will be generated right after a certain period of inactivity.
@@ -298,12 +298,12 @@ When a connection is blocked, you may see similar entries to the following event
**TCP**:
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/p2p-tcp-blocked.png" alt="P2P TCP Blocked" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/p2p-tcp-blocked.png" alt="P2P TCP Blocked" className="imagewrapper-big"/>
</p>
**UDP**:
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/p2p-udp-blocked.png" alt="P2P UDP Blocked" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/p2p-udp-blocked.png" alt="P2P UDP Blocked" className="imagewrapper-big"/>
</p>
Key differences:
- There are no events that have started or stopped on the refusing side. The connection is blocked right after the request.
@@ -316,7 +316,7 @@ Key differences:
### Viewing ICMP connections
ICMP events are similar to TCP and UDP events. The main difference is that ICMP doesn't have ports:
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/p2p-icmp-allowed.png" alt="P2P ICMP Allowed" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/p2p-icmp-allowed.png" alt="P2P ICMP Allowed" className="imagewrapper-big"/>
</p>
<Note>
The ICMP connection is stateless, so the stopped event will be generated right after a certain period of inactivity.
@@ -326,11 +326,11 @@ Routed events follow the same pattern as P2P events. The main difference is that
**ICMP**:
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/routed-icmp-allowed.png" alt="Routed ICMP Allowed" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/routed-icmp-allowed.png" alt="Routed ICMP Allowed" className="imagewrapper-big"/>
</p>
**TCP**:
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/routed-tcp-allowed.png" alt="Routed TCP Allowed" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/routed-tcp-allowed.png" alt="Routed TCP Allowed" className="imagewrapper-big"/>
</p>
Key differences:
- The source or destination is a resource or network route.
@@ -339,7 +339,7 @@ Key differences:
For site-2-site connections, the events will be similar to the above examples, but you will see a routing peer for each event:
<p>
<img src="/docs-static/img/how-to-guides/traffic-events/s2s-tcp-allowed.png" alt="S2S TCP Allowed" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/activity/traffic-events-logging/s2s-tcp-allowed.png" alt="S2S TCP Allowed" className="imagewrapper-big"/>
</p>
## Limitations

12
src/pages/how-to/control-center.mdx → src/pages/manage/control-center/index.mdx
View File

@@ -12,7 +12,7 @@ Control Center is a topological view in the NetBird dashboard that visualizes wh
</Note>
<Note>
**Permissions:** The Admin and Network Admin user roles can edit policies from Control Center. Learn more about
[user roles](/how-to/add-users-to-your-network#manage-user-roles).
[user roles](/manage/team/add-users-to-your-network#manage-user-roles).
</Note>
## How it helps
@@ -28,7 +28,7 @@ Control Center is a topological view in the NetBird dashboard that visualizes wh
Use this to understand what a specific machine can reach.
<p>
<img src="/docs-static/img/how-to-guides/control-center/control-center-peer-view.png" alt="Control Center Peer View"
<img src="/docs-static/img/manage/control-center/control-center-peer-view.png" alt="Control Center Peer View"
className="imagewrapper-big"/>
</p>
@@ -41,7 +41,7 @@ Use this to understand what a specific machine can reach.
Use this to validate team-level access.
<p>
<img src="/docs-static/img/how-to-guides/control-center/control-center-groups-view.png"
<img src="/docs-static/img/manage/control-center/control-center-groups-view.png"
alt="Control Center Groups View" className="imagewrapper-big"/>
</p>
@@ -55,10 +55,10 @@ Common checks:
### Networks view
Use this to see who can access resources in your routed [networks](/how-to/networks).
Use this to see who can access resources in your routed [networks](/manage/networks).
<p>
<img src="/docs-static/img/how-to-guides/control-center/control-center-network-view.png"
<img src="/docs-static/img/manage/control-center/control-center-network-view.png"
alt="Control Center Network View" className="imagewrapper-big"/>
</p>
@@ -90,5 +90,5 @@ Use this to see who can access resources in your routed [networks](/how-to/netwo
- [Manage network access with Groups and Access Policies](/manage/access-control/manage-network-access)
- [Apply posture checks to policies](/manage/access-control/posture-checks)
- [Networks and routing peers](/how-to/networks)
- [Networks and routing peers](/manage/networks)
- [MSP portal overview](/how-to/msp-portal)

14
src/pages/how-to/manage-dns-in-your-network.mdx → src/pages/manage/dns/index.mdx
View File

@@ -67,7 +67,7 @@ A nameserver group defines up to 2 nameservers to resolve DNS to a set of peers
### Creating a nameserver group
Access the `DNS` tab, the `Nameservers` section and click `Add Nameserver`.
<p>
<img src="/docs-static/img/how-to-guides/netbird-nameserver-add-button.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/dns/netbird-nameserver-add-button.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
That will open a nameserver selection configuration screen where you can choose between using three predefined public
nameservers or using a custom setup.
@@ -78,13 +78,13 @@ If you choose a predefined public nameserver option, you can select the followin
- [Cloudflare DNS servers](https://one.one.one.one/dns/)
- [Quad9 DNS servers](https://www.quad9.net/)
<p>
<img src="/docs-static/img/how-to-guides/netbird-nameserver-selection-view-open.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/dns/netbird-nameserver-selection-view-open.png" alt="high-level-dia" className="imagewrapper"/>
</p>
After selecting one of the three options, you need to assign a peer group for which this nameserver will be effective.
In the example below, we chose the `All` group:
<p>
<img src="/docs-static/img/how-to-guides/netbird-nameserver-all-group.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/dns/netbird-nameserver-all-group.png" alt="high-level-dia" className="imagewrapper"/>
</p>
### Creating custom nameservers
@@ -97,7 +97,7 @@ In the example below, we are creating a nameserver with the following informatio
- Add at least one nameserver: `192.168.0.32` with port `53`
- Distribution group: `Remote developers`
<p>
<img src="/docs-static/img/how-to-guides/netbird-nameserver-custom.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/dns/netbird-nameserver-custom.png" alt="high-level-dia" className="imagewrapper"/>
</p>
### Creating a nameserver for specific domains
@@ -105,7 +105,7 @@ Sometimes one may want to forward DNS queries to specific nameservers but only f
Taking the example of custom nameservers above, you could select a match mode for only domains listed there.
Below you can see the same nameserver setup but only for the `berlinoffice.com` domain:
<p>
<img src="/docs-static/img/how-to-guides/netbird-nameserver-remote-resolver.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/dns/netbird-nameserver-remote-resolver.png" alt="high-level-dia" className="imagewrapper"/>
</p>
<Note>
@@ -120,12 +120,12 @@ To add a private DNS server that is running behind routing peers, you need to cr
In the Berlin office example from previous steps, we have a peer from the `Office network` that can route traffic to the `192.168.0.32` IP,
so we need to ensure that a similar network route exists:
<p>
<img src="/docs-static/img/how-to-guides/netbird-nameserver-remote-route.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/dns/netbird-nameserver-remote-route.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
Then we need to confirm that an access rule exists to connect `Remote developers` to `Office network` group allowing port `UDP 53`:
<p>
<img src="/docs-static/img/how-to-guides/netbird-nameserver-remote-rule.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/dns/netbird-nameserver-remote-rule.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
## Testing configuration

14
src/pages/how-to/configuring-default-routes-for-internet-traffic.mdx → src/pages/manage/network-routes/configuring-default-routes-for-internet-traffic.mdx
View File

@@ -60,14 +60,14 @@ Exit node routes that existed before the Auto Apply feature are treated as if **
Navigate to the NetBird dashboard to begin the configuration process.
<p>
<img src="/docs-static/img/how-to-guides/netbird-peers.png" alt="dashboard-peers-view"
<img src="/docs-static/img/manage/network-routes/configuring-default-routes-for-internet-traffic/netbird-peers.png" alt="dashboard-peers-view"
className="imagewrapper-big"/>
</p>
### Select the designated routing peer
<p>
<img src="/docs-static/img/how-to-guides/netbird-peers-routing-peer.png" alt="routing-peer-view"
<img src="/docs-static/img/manage/network-routes/configuring-default-routes-for-internet-traffic/netbird-peers-routing-peer.png" alt="routing-peer-view"
className="imagewrapper-big"/>
</p>
@@ -79,14 +79,14 @@ In the opened window, specify which peers should use the default route by assign
These peers will automatically route their internet traffic through the routing peer upon its connection.
<p>
<img src="/docs-static/img/how-to-guides/netbird-peers-add-exit-node.png" alt="add-exit-node-view"
<img src="/docs-static/img/manage/network-routes/configuring-default-routes-for-internet-traffic/netbird-peers-add-exit-node.png" alt="add-exit-node-view"
className="imagewrapper-big"/>
</p>
If you want exit nodes to be available without being automatically enabled on clients, enable the **Auto Apply** option. When Auto Apply is on, clients will auto-apply the exit node, but users can manually disable it from the client.
<p>
<img src="/docs-static/img/how-to-guides/exit-node-auto-apply.png" alt="exit-node-auto-apply" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/configuring-default-routes-for-internet-traffic/exit-node-auto-apply.png" alt="exit-node-auto-apply" className="imagewrapper-big"/>
</p>
Then hit the `Add Exit Node` button to complete the configuration.
@@ -99,7 +99,7 @@ remains enabled by default to mask the original source IP addresses.
Verify the configuration in the peer view. The routing peer should now be marked as an exit node.
<p>
<img src="/docs-static/img/how-to-guides/netbird-peers-routing-peer-exit-node.png" alt="routing-peer-exit-node-view"
<img src="/docs-static/img/manage/network-routes/configuring-default-routes-for-internet-traffic/netbird-peers-routing-peer-exit-node.png" alt="routing-peer-exit-node-view"
className="imagewrapper-big"/>
</p>
@@ -109,13 +109,13 @@ Add a DNS server with the match domain set to `ALL`.
This is important, as locally configured DNS servers might not be accessible from the routing peer.
This also helps to avoid leaking the client's location.
See [Manage DNS in your network](manage-dns-in-your-network).
See [Manage DNS in your network](/manage/dns).
## High Availability
Like for other network routes, high availability configurations are supported for default
routes. Refer to
the [Creating Highly Available Routes](routing-traffic-to-private-networks#creating-highly-available-routes)
the [Creating Highly Available Routes](/manage/network-routes/routing-traffic-to-private-networks#creating-highly-available-routes)
section for more information.
## Get started

14
src/pages/how-to/configuring-routes-with-access-control.mdx → src/pages/manage/network-routes/configuring-routes-with-access-control.mdx
View File

@@ -36,7 +36,7 @@ Since release `0.30.0`, the management service and dashboard support access cont
To add a Network Route with access control groups, access the `Network Routes` tab and click the `Add Route` button to create a new route.
In the example below, we are creating a route with the following information
(see [Concepts](routing-traffic-to-private-networks#concepts) to learn more about the fields):
(see [Concepts](/manage/network-routes/routing-traffic-to-private-networks#concepts) to learn more about the fields):
- Network identifier: `aws-eu-central-1-vpc`
- Description: `Production VPC in Frankfurt`
@@ -46,23 +46,23 @@ In the example below, we are creating a route with the following information
- Access Control Groups: `servers`
<p>
<img src="/docs-static/img/how-to-guides/network-route-acl.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/configuring-routes-with-access-control/network-route-acl.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
Click on `Continue` to proceed.
<p>
<img src="/docs-static/img/how-to-guides/network-route-acl-group-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/configuring-routes-with-access-control/network-route-acl-group-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
Once you fill in the route information, you can click on the `Add Route` button to save your new route.
<p>
<img src="/docs-static/img/how-to-guides/network-route-acl-saved.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/configuring-routes-with-access-control/network-route-acl-saved.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
Because you used an access control group, you will be prompted to create a new policy.
<p>
<img src="/docs-static/img/how-to-guides/network-route-acl-prompt.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/network-routes/configuring-routes-with-access-control/network-route-acl-prompt.png" alt="high-level-dia" className="imagewrapper"/>
</p>
Click on the `Create Policy` button to proceed.
@@ -82,7 +82,7 @@ In the example below, we are creating a unidirectional policy with the following
- Destination Groups: `servers`
<p>
<img src="/docs-static/img/how-to-guides/network-acl-create-policy.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/network-routes/configuring-routes-with-access-control/network-acl-create-policy.png" alt="high-level-dia" className="imagewrapper"/>
</p>
@@ -90,7 +90,7 @@ If necessary, you can create new groups by entering new names in the input box f
Once you have finished configuring the policy, click `Add Policy` to save it. You will then see your new policy in the table.
<p>
<img src="/docs-static/img/how-to-guides/network-acl-new-policy.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/configuring-routes-with-access-control/network-acl-new-policy.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
The route has been created successfully. Now, every peer connected to your routing peer can only access port 80 services on the routed network,

4
src/pages/how-to/resolve-overlapping-routes.mdx → src/pages/manage/network-routes/resolve-overlapping-routes.mdx
View File

@@ -1,7 +1,7 @@
# Resolve overlapping routes with the route selection feature
NetBird [Network Routes](/how-to/routing-traffic-to-private-networks) feature enables peers to access external networks such as VPCs, LANs,
NetBird [Network Routes](/manage/network-routes/routing-traffic-to-private-networks) feature enables peers to access external networks such as VPCs, LANs,
or office networks seamlessly.
In most scenarios, network administrators connect their NetBird peers to these external networks by defining a network route,
@@ -67,7 +67,7 @@ To select routes using the GUI, you can open the NetBird system tray application
You can select or deselect routes by clicking on the checkbox next to the route name.
<p>
<img src="/docs-static/img/how-to-guides/select-network-routes.png" alt="select-network-routes" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/resolve-overlapping-routes/select-network-routes.png" alt="select-network-routes" className="imagewrapper-big"/>
</p>
### Enabling All Routes

38
src/pages/how-to/routing-traffic-to-private-networks.mdx → src/pages/manage/network-routes/routing-traffic-to-private-networks.mdx
View File

@@ -9,7 +9,7 @@
<Note>
**WARNING:** `Network Routes` will allow any traffic to pass through to the routed networks without regard for
the Access Control rules, unless you [configure those explicitly](./configuring-routes-with-access-control).
the Access Control rules, unless you [configure those explicitly](/manage/network-routes/configuring-routes-with-access-control).
See [Network Routes caveats](#caveats) below for a more detailed explanation.
</Note>
@@ -23,7 +23,7 @@ NetBird provides fast and reliable end-to-end encryption between peers in your n
In these cases, you can configure network routes assigning routing peers to connect existing infrastructure. Routing peers will forward packets between your NetBird peers and your other networks; they can masquerade traffic going to your data centers or embedded devices, reducing the need for external route configuration and agent installation.
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
<Note>
@@ -64,7 +64,7 @@ netbird up --dns-router-interval 30s
Additionally, the keep routes switch is enabled by default.
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes-dns-routes.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes-dns-routes.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
When the keep routes switch is on, and a domain no longer resolves to an IP address, the corresponding route will still be maintained (and any new resolved IP addresses will be added).
@@ -115,7 +115,7 @@ A network route describes a network you want to connect with your NetBird peers.
Access the `Network Routes` tab and click the `Add Route` button to create a new route.
This will open a route configuration screen where you can add the information about the network you want to route:
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes-add-button.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes-add-button.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
Now you can enter the details of your route.
@@ -128,13 +128,13 @@ In the example below, we are creating a route with the following information:
- Distribution Groups: `All`
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes-create.png" alt="high-level-dia" className="imagewrapper" width="70%"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes-create.png" alt="high-level-dia" className="imagewrapper" width="70%"/>
</p>
Once you fill in the route information, you can click on the `Add Route` button to save your new route.
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes-saved-new.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes-saved-new.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
The route has been created successfully. Now every peer connected to your routing peer will be able to send traffic to your external network.
@@ -144,13 +144,13 @@ Ensure that the peer groups have Linux peers, as traffic routing is only support
Groups with multiple peers automatically provide [high availability routing](#high-availability-routes).
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes-groups-create.png" alt="high-level-dia" className="imagewrapper" width="70%"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes-groups-create.png" alt="high-level-dia" className="imagewrapper" width="70%"/>
</p>
Once you fill in the route information, you can click on the `Add Route` button to save your new route.
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes-groups-saved-new.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes-groups-saved-new.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
The route has been created successfully. Now every peer connected to the peer members of the groups will be able to send traffic to your external network.
@@ -171,13 +171,13 @@ routing configuration will be distributed to machines in the selected groups `Di
In the following example, we are adding the peer `aws-nb-europe-router-az-b` to the `aws-eu-central-1-vpc` route:
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes-create-ha.png" alt="high-level-dia" className="imagewrapper" width="70%"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes-create-ha.png" alt="high-level-dia" className="imagewrapper" width="70%"/>
</p>
This way, peers connected to `aws-nb-europe-router-az-a` and `aws-nb-europe-router-az-b` will have highly available access to the `172.31.0.0/16` network.
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes-saved-new-ha.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes-saved-new-ha.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
<Note>
@@ -198,7 +198,7 @@ the `aws-nb-europe-router-az-a` routing peer to access the `aws-eu-central-1-vpc
Peers that belong to the `london-office` group will use the `aws-nb-europe-router-az-b` routing peer.
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes-groups-attribution.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes-groups-attribution.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
### Routes without masquerading
@@ -209,12 +209,12 @@ This will require a routing configuration on your external network router pointi
This way, devices that do not have the agent installed can communicate with your NetBird peers.
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes-masquerading.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/netbird-network-routes-masquerading.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
## Network Routes caveats
Unless [configured explicitly](./configuring-routes-with-access-control), the **Network Routes** feature will not take into
Unless [configured explicitly](/manage/network-routes/configuring-routes-with-access-control), the **Network Routes** feature will not take into
consideration any of the Access Control rules. This might lead to surprising outcomes, which may initially appear to be security vulnerabilities.
**Important:** Understanding these caveats is essential for properly securing your network routes.
@@ -228,13 +228,13 @@ until it has access to its **Group**.
Let's assume a **Network Route** is distributed through `Group R` (Routing Peer) to `Group A` (intended client):
<p>
<img src="/docs-static/img/how-to-guides/routing-traffic-to-private-networks/route-ip-address.png" alt="route-ip-address" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/route-ip-address.png" alt="route-ip-address" className="imagewrapper-big"/>
</p>
After creating an **Access Policy** granting `ICMP` access from `Group A` to `Group R`:
<p>
<img src="/docs-static/img/how-to-guides/routing-traffic-to-private-networks/policy-icmp-group-r.png" alt="ICMP policy from group A to R" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/policy-icmp-group-r.png" alt="ICMP policy from group A to R" className="imagewrapper-big"/>
</p>
You will be able to access everything on the routed network without any restrictions.
@@ -264,13 +264,13 @@ In the following example, we set up a **Network Resource** for a `*.nb.test` wil
using ACL group `manual:srvs`:
<p>
<img src="/docs-static/img/how-to-guides/routing-traffic-to-private-networks/resource-domain.png" alt="*.nb.test domain Resource" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/resource-domain.png" alt="*.nb.test domain Resource" className="imagewrapper-big"/>
</p>
Granting HTTP-only access to that resource from group `manual:client`:
<p>
<img src="/docs-static/img/how-to-guides/routing-traffic-to-private-networks/policy-http.png" alt="a HTTP-only policy from manual:client group" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/policy-http.png" alt="a HTTP-only policy from manual:client group" className="imagewrapper-big"/>
</p>
Everything appears to be set up correctly. We have HTTP access and can confirm the domain was resolved:
@@ -335,13 +335,13 @@ Unrestricted access to the `srv.nb.test` domain was granted, because we have use
for both **Network Route** and the newly created **Network**:
<p>
<img src="/docs-static/img/how-to-guides/routing-traffic-to-private-networks/network-routers.png" alt="Network's `manual:router:srvs` router" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/network-routers.png" alt="Network's `manual:router:srvs` router" className="imagewrapper-big"/>
</p>
Here are this specific **Routing Peer**'s details:
<p>
<img src="/docs-static/img/how-to-guides/routing-traffic-to-private-networks/routing-peer-groups.png" alt="Routing Peer's detail page with Network Route handling" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/network-routes/routing-traffic-to-private-networks/routing-peer-groups.png" alt="Routing Peer's detail page with Network Route handling" className="imagewrapper-big"/>
</p>
It is a member of both routing groups:

46
src/pages/how-to/accessing-entire-domains-within-networks.mdx → src/pages/manage/networks/accessing-entire-domains-within-networks.mdx
View File

@@ -2,7 +2,7 @@
Companies often operate internal environments using assigned domains that remain inaccessible to the public for security and compliance reasons. Creating routing resources for these environments can quickly become a problem for DevOps and Platform teams, especially as different stakeholders frequently request new resources. Moreover, when these resources span across different networks, managing them becomes even more challenging.
NetBird's [Networks](https://docs.netbird.io/how-to/networks-concept) streamlines this process, allowing organizations to configure secure access to internal resources efficiently using [Wildcard domain resources](https://docs.netbird.io/how-to/networks-concept#resources). This reduces the administrative burden on IT teams and enhances overall productivity.
NetBird's [Networks](https://docs.netbird.io/manage/networks) streamlines this process, allowing organizations to configure secure access to internal resources efficiently using [Wildcard domain resources](https://docs.netbird.io/manage/networks#resources). This reduces the administrative burden on IT teams and enhances overall productivity.
## Example Use Case Scenario
@@ -29,8 +29,8 @@ In this scenario, an AI software company needs secure access to its internal dom
To effectively access entire domains within your internal networks using NetBird, ensure the following pre-requisites are met:
- **NetBird Clients**: Install [NetBird clients](https://docs.netbird.io/get-started) on all devices used by developers and data scientists. This is essential to establish secure connectivity to your internal resources.
- **Routing Peers**: Configure [NetBird routing peers](https://docs.netbird.io/how-to/networks-concept#routing-peers) within your network infrastructure using [setup keys](https://docs.netbird.io/how-to/setup-keys-add-servers-to-network). Routing peers facilitate traffic routing across different network segments, ensuring seamless access to both internal domains.
- **Nameserver Configuration**: Ensure that your Nameservers are properly configured within your NetBird account to resolve all domain queries. This step is critical for enabling seamless domain name resolution across your network, facilitating efficient connectivity to both your development and AI model training environments. For detailed instructions, refer to the [Manage DNS in Your Network](https://docs.netbird.io/how-to/manage-dns-in-your-network).
- **Routing Peers**: Configure [NetBird routing peers](https://docs.netbird.io/manage/networks#routing-peers) within your network infrastructure using [setup keys](https://docs.netbird.io/manage/peers/access-infrastructure/setup-keys-add-servers-to-network). Routing peers facilitate traffic routing across different network segments, ensuring seamless access to both internal domains.
- **Nameserver Configuration**: Ensure that your Nameservers are properly configured within your NetBird account to resolve all domain queries. This step is critical for enabling seamless domain name resolution across your network, facilitating efficient connectivity to both your development and AI model training environments. For detailed instructions, refer to the [Manage DNS in Your Network](https://docs.netbird.io/manage/dns).
## Enabling DNS Wildcard Routing
@@ -47,7 +47,7 @@ To enable DNS wildcard routing in your NetBird account, follow these steps:
* Navigate to `Settings` > `Networks` within your NetBird account.
* `Enable DNS wildcard routing` by toggling the appropriate setting. This will allow your network to resolve all subdomains under a specified domain.
![Enabling DNS wildcard routing](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/01-domains-within-networks.png)
![Enabling DNS wildcard routing](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/01-domains-within-networks.png)
<Note>
The `Enable DNS wildcard routing` is supported by routing peers and routing clients running version `0.35.0` or later.
@@ -67,13 +67,13 @@ To create a network for the developer environment:
* Give a descriptive name to the network, e.g., `Development Network`. Optionally, add a description.
* Click `Add Network` to continue.
![Creating Developers Domain Network](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/02-domains-within-networks.png)
![Creating Developers Domain Network](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/02-domains-within-networks.png)
### Adding Routing Peers
Click `Add Routing Peer` to make accessible the resources within this network to the developers.
![Add Routing Peers Window](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/03-domains-within-networks.png)
![Add Routing Peers Window](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/03-domains-within-networks.png)
You will see two tabs: `Routing Peers` and `Peer Group`.
@@ -81,7 +81,7 @@ You will see two tabs: `Routing Peers` and `Peer Group`.
* Select `Peer Group` to enable high availability by adding multiple peers to the network.
* Click `Continue` once ready.
![Local Routing Peers](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/04-domains-within-networks.png)
![Local Routing Peers](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/04-domains-within-networks.png)
In the `Advanced Settings` tab:
@@ -89,38 +89,38 @@ In the `Advanced Settings` tab:
* Set the `Metric` to prioritize routers, using lower values for higher priority peers.
* When ready, click `Add Routing Peer`.
![Masquerade and Metric](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/05-domains-within-networks.png)
![Masquerade and Metric](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/05-domains-within-networks.png)
### Adding a Wildcard Domain Resource
Click `Add Resource` to create the wildcard domain resource.
![Add Domain Resource](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/06-domains-within-networks.png)
![Add Domain Resource](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/06-domains-within-networks.png)
* Give the resource a descriptive name, e.g., `Development Wildcard Domain`
* Enter the wildcard domain for this environment, e.g., `*.dev.example.com`.
* Under `Assigned Groups`, select or create a group, e.g., `Development Domain`. This group will be used to create an access policy to allow developers access to all subdomains ending with `.dev.example.com`.
* Click `Add Resource` when ready.
![Add Accounting Website Restricted Subdomain Resource](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/07-domains-within-networks.png)
![Add Accounting Website Restricted Subdomain Resource](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/07-domains-within-networks.png)
### Creating an Access Policy
Click `Create Policy` to grant developers access to `*.dev.example.com`.
![Add Policy](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/08-domains-within-networks.png)
![Add Policy](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/08-domains-within-networks.png)
* Under `Protocol`, leave `ALL`.
* Under `Source` choose the group corresponding to developers, e.g., `Developers`.
* The `Destination` is automatically set to the group you used when creating the resource, e.g., `Development Domain`.
![Developers Policy](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/09-domains-within-networks.png)
![Developers Policy](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/09-domains-within-networks.png)
* Click `Continue` to set `Posture Checks`. This step is optional, meaning you can click `Continue` for this example.
* Provide a descriptive name for the policy, e.g., `Development Wildcard Domain Policy`.
* Click `Add Policy` to finish.
![Developers Policy Name](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/10-domains-within-networks.png)
![Developers Policy Name](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/10-domains-within-networks.png)
Now that the development environment is set up, you can streamline the process of creating new resources using NetBird.
@@ -132,18 +132,18 @@ Suppose you want to create the regular domain `dev.example.com`.
* Navigate to `Networks` > `Development Network` and click `Add Resource`.
![Development Network](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/11-domains-within-networks.png)
![Development Network](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/11-domains-within-networks.png)
* Provide an appropriate name for the resource, such as `Development Regular Domain`.
* In the `Address` field, enter the regular domain `dev.example.com`.
* Under `Assigned Groups` select the same group used for the wildcard domain, e.g., `Development Domain`.
* Click `Add Resource` to continue.
![Regular Domain Resource](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/12-domains-within-networks.png)
![Regular Domain Resource](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/12-domains-within-networks.png)
That's it! Since you used the group `Development Domain`, NetBird will automatically configure for you routing peers and access policies, granting your developers the necessary access permissions.
![Development Network Resources](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/13-domains-within-networks.png)
![Development Network Resources](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/13-domains-within-networks.png)
You can confirm the configuration by listing the available networks using the command `netbird networks ls` from any developer workstation. The output should resemble the following:
@@ -169,31 +169,31 @@ For our use case, data scientists operate from different network segments or div
From the `Networks` screen, click `Add Network` to set up an appropriate network for your data scientists:
![AI Network](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/14-domains-within-networks.png)
![AI Network](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/14-domains-within-networks.png)
As with developers, you can configure a single routing peer or a group of routing peers for high availability:
![AI Routing Peers](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/15-domains-within-networks.png)
![AI Routing Peers](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/15-domains-within-networks.png)
You can also set up a wildcard domain resource for this environment:
![AI Wildcard Domain Resource](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/16-domains-within-networks.png)
![AI Wildcard Domain Resource](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/16-domains-within-networks.png)
And establish an access policy tailored to your data scientists:
![AI Team Access Policy](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/17-domains-within-networks.png)
![AI Team Access Policy](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/17-domains-within-networks.png)
You will need a regular domain, too; simply create the corresponding resource. The overview of your new network might resemble the following:
![AI Network](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/18-domains-within-networks.png)
![AI Network](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/18-domains-within-networks.png)
Need a new subdomain for testing the latest model? From NetBird's Networks screen, just click `Add Resource`, name it, enter the desired subdomain, and assign it to the appropriate group for this environment:
![New AI Model Resource](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/19-domains-within-networks.png)
![New AI Model Resource](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/19-domains-within-networks.png)
In summary, you can easily add, remove, and edit network resources from the Networks dashboard.
![AI Training Model Network](/docs-static/img/how-to-guides/accessing-entire-domains-within-networks/20-domains-within-networks.png)
![AI Training Model Network](/docs-static/img/manage/networks/accessing-entire-domains-within-networks/20-domains-within-networks.png)
With this setup, all members of the `Data Scientists` group have access to `ai.example.com` and its subdomains:

30
src/pages/how-to/accessing-restricted-domain-resources.mdx → src/pages/manage/networks/accessing-restricted-domain-resources.mdx
View File

@@ -1,12 +1,12 @@
# Accessing restricted website domain resources
It is very common to find scenarios where you need to access restricted websites or services. This can be due to company policies, geographical restrictions, or even to avoid tracking. These resources are often located behind a cloud load balancer, which changes IP addresses frequently, making it hard to whitelist them. NetBird can help you access these resources by routing your traffic through a [routing peer](https://docs.netbird.io/how-to/routing-traffic-to-private-networks#routing-peer) configured with [Networks](https://docs.netbird.io/how-to/networks-concept) using [Domain resources](https://docs.netbird.io/how-to/networks-concept#resources).
It is very common to find scenarios where you need to access restricted websites or services. This can be due to company policies, geographical restrictions, or even to avoid tracking. These resources are often located behind a cloud load balancer, which changes IP addresses frequently, making it hard to whitelist them. NetBird can help you access these resources by routing your traffic through a [routing peer](https://docs.netbird.io/manage/network-routes/routing-traffic-to-private-networks#routing-peer) configured with [Networks](https://docs.netbird.io/manage/networks) using [Domain resources](https://docs.netbird.io/manage/networks#resources).
## Example Use Case Scenario
Imagine a company that runs its accounting application at the subdomain `accounting.example.com`. The website is behind a load balancer and hosted on an EC2 instance within the company's AWS infrastructure in the EU Central region. To enhance security, the company decided to follow zero-trust principles by giving differentiated access to the finance and support teams tailored to their specific responsibilities and operational needs.
To this end, the company deployed [NetBird clients](https://docs.netbird.io/get-started) on the devices used by both the finance and support teams. Complementing this, [NetBird routing peers](https://docs.netbird.io/how-to/networks-concept#routing-peers) were configured within the AWS VPC using [setup keys](https://docs.netbird.io/how-to/setup-keys-add-servers-to-network). This configuration guarantees a solid foundation for streamlined and secure connectivity.
To this end, the company deployed [NetBird clients](https://docs.netbird.io/get-started) on the devices used by both the finance and support teams. Complementing this, [NetBird routing peers](https://docs.netbird.io/manage/networks#routing-peers) were configured within the AWS VPC using [setup keys](https://docs.netbird.io/manage/peers/access-infrastructure/setup-keys-add-servers-to-network). This configuration guarantees a solid foundation for streamlined and secure connectivity.
More importantly, this setup allows the company to use NetBird's Networks and [Access Policies](https://docs.netbird.io/manage/access-control/manage-network-access), to ensure that only authorized finance and support team members access the restricted website domain as follows:
@@ -24,13 +24,13 @@ To create a new network for the accounting website subdomain:
* Give a memorable name to the network, such as `AWS EU Network`. Optionally, add a description.
* Click `Add Network` to proceed.
![Create Restricted Website Domain Network](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/01-restricted-domain.png)
![Create Restricted Website Domain Network](/docs-static/img/manage/networks/accessing-restricted-domain-resources/01-restricted-domain.png)
### Adding Routing Peers
Continue the process by clicking `Add Routing Peer`. This step is necessary to enable the network's resources to be accessible to other peers.
![Add Routing Peers Window](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/02-restricted-domain.png)
![Add Routing Peers Window](/docs-static/img/manage/networks/accessing-restricted-domain-resources/02-restricted-domain.png)
In the next window, you will see two tabs: `Routing Peers` and `Peer Group`.
@@ -38,7 +38,7 @@ In the next window, you will see two tabs: `Routing Peers` and `Peer Group`.
* Alternatively, you can select `Peer Group` to add multiple peers simultaneously for high availability.
* Click `Continue` once ready.
![Local Routing Peers](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/03-restricted-domain.png)
![Local Routing Peers](/docs-static/img/manage/networks/accessing-restricted-domain-resources/03-restricted-domain.png)
In the `Advanced Settings` tab:
@@ -46,26 +46,26 @@ In the `Advanced Settings` tab:
* Set the `Metric` to prioritize routers. Lower values indicate higher priority.
* Click `Add Routing Peer`.
![Masquerade and Metric](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/04-restricted-domain.png)
![Masquerade and Metric](/docs-static/img/manage/networks/accessing-restricted-domain-resources/04-restricted-domain.png)
### Adding Network Resources
Next, click `Add Resource` to add the accounting website resource.
![Add Network Resource](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/05-restricted-domain.png)
![Add Network Resource](/docs-static/img/manage/networks/accessing-restricted-domain-resources/05-restricted-domain.png)
* Give the network resource an appropriate name, e.g., `Accounting restricted subdomain`
* Enter the restricted website domain for the accounting website, in this example, `accounting.example.com`.
* Under `Assigned Groups`, select or create a group, like `Accounting Subdomain`. This group will be used to create an access policy to allow the finance team access to the restricted subdomain.
* Click `Add Resource` when done.
![Add Accounting Website Restricted Subdomain Resource](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/06-restricted-domain.png)
![Add Accounting Website Restricted Subdomain Resource](/docs-static/img/manage/networks/accessing-restricted-domain-resources/06-restricted-domain.png)
### Creating Access Policies
The last step consists of creating an access control policy. Click `Create Policy` to create a new policy for the finance team.
![Add Policy](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/07-restricted-domain.png)
![Add Policy](/docs-static/img/manage/networks/accessing-restricted-domain-resources/07-restricted-domain.png)
Since the finance team only needs access to the web-based app at `accounting.example.com`, this policy will restrict access to ports: `TCP/80` for `HTTP` traffic and `TCP/443` for encrypted `HTTPS` traffic.
@@ -74,13 +74,13 @@ Since the finance team only needs access to the web-based app at `accounting.exa
* The `Destination` is automatically set to the group of the newly created resource, e.g., `Accounting Subdomain`.
* Under `Ports`, enter `80` and `443`, the default ports for `HTTP` and `HTTPS` traffic.
![Finance Policy](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/08-restricted-domain.png)
![Finance Policy](/docs-static/img/manage/networks/accessing-restricted-domain-resources/08-restricted-domain.png)
* Click `Continue` to move to the `Posture Checks` tab, where you can optionally create or select posture checks for this policy.
* Click `Continue` again, and provide a descriptive name for the policy, e.g., `Accounting subdomain Policy`.
* Click `Add Policy` to finish.
![Finance Policy Name](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/09-restricted-domain.png)
![Finance Policy Name](/docs-static/img/manage/networks/accessing-restricted-domain-resources/09-restricted-domain.png)
### Setting Up Additional Resources and Access Policies
@@ -93,7 +93,7 @@ To set up a new network resource:
* Enter the domain, in our case, `example.com`.
* Under `Assigned Groups`, select or create the appropriate group such as `Webserver`. This group will be used to create a policy allowing the support team to access the TLD `example.com`.
![Add TLD Resource](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/10-restricted-domain.png)
![Add TLD Resource](/docs-static/img/manage/networks/accessing-restricted-domain-resources/10-restricted-domain.png)
Next, create an access policy for the support team. Usually, support teams only need SSH access to the website backend, meaning that they only need access to the `TCP/22` port:
@@ -103,16 +103,16 @@ Next, create an access policy for the support team. Usually, support teams only
* Under `Ports`, enter `22`, the default port for SSH.
* Click `Continue`.
![Add Support Team Policy](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/11-restricted-domain.png)
![Add Support Team Policy](/docs-static/img/manage/networks/accessing-restricted-domain-resources/11-restricted-domain.png)
* Optionally, select or create posture checks for this policy. Click `Continue`.
* Give a name to the policy on the final tab, such as `Restricted Website TLD Policy`.
![Name Support Team Policy](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/12-restricted-domain.png)
![Name Support Team Policy](/docs-static/img/manage/networks/accessing-restricted-domain-resources/12-restricted-domain.png)
This completes the network setup. You have configured two network resources, their respective access policies, and routing peers.
![AWS EU Network](/docs-static/img/how-to-guides/accessing-restricted-domain-resources/13-restricted-domain.png)
![AWS EU Network](/docs-static/img/manage/networks/accessing-restricted-domain-resources/13-restricted-domain.png)
Now, you can review, select, or deselect available networks using NetBird's CLI.

18
src/pages/how-to/access-home-network.mdx → src/pages/manage/networks/homelab/access-home-network.mdx
View File

@@ -4,7 +4,7 @@ import {Note} from "@/components/mdx";
This step-by-step guide describes how to quickly get started with NetBird and access your home network remotely.
You will achieve a secure connection between your entire home network and NetBird, enabling remote devices to access
local network resources through a routing peer using the [NetBird Networks feature](/how-to/access-home-network).
local network resources through a routing peer using the [NetBird Networks feature](/manage/networks/homelab/access-home-network).
## Download and Install NetBird
<br/>
@@ -26,7 +26,7 @@ NetBird comes with a Desktop UI application that can be found in the systray. If
At this point a browser window pops up starting an interactive SSO login session that will register your laptop. You will be prompt to sign up and confirm your device registration:
<p>
<img src="/docs-static/img/how-to-guides/access-home-network/login-screen-dark.png" alt="login-to-netbird" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/homelab/access-home-network/login-screen-dark.png" alt="login-to-netbird" className="imagewrapper"/>
</p>
After the registration is complete, proceed to the [**NetBird dashboard**](https://app.netbird.io/) to confirm that your laptop is in the network. You will see it in the `Peers` view.
@@ -36,7 +36,7 @@ After the registration is complete, proceed to the [**NetBird dashboard**](https
2. Click **Add Network** and give it a name such as “Home LAN", and optionally add a description.
<p>
<img src="/docs-static/img/how-to-guides/access-home-network/add-network-home-lan.png" alt="add-network-home-lan" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/homelab/access-home-network/add-network-home-lan.png" alt="add-network-home-lan" className="imagewrapper"/>
</p>
## Identify Your Local Subnet
@@ -97,7 +97,7 @@ Use the steps below to quickly identify your local subnet for use as a Network R
4. Click **Add Resource**.
<p>
<img src="/docs-static/img/how-to-guides/access-home-network/add-resource-home-network.png" alt="add-resource-home-network" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/homelab/access-home-network/add-resource-home-network.png" alt="add-resource-home-network" className="imagewrapper"/>
</p>
<Note>
@@ -118,7 +118,7 @@ peers can access the network.
5. Name it "Home LAN Access" and click **Add Policy**.
<p>
<img src="/docs-static/img/how-to-guides/access-home-network/add-policy-home-lan.png" alt="add-policy-home-lan" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/homelab/access-home-network/add-policy-home-lan.png" alt="add-policy-home-lan" className="imagewrapper"/>
</p>
## Add Your User to the Home User Group
@@ -131,24 +131,24 @@ you've previously created.
3. Add "Home Users" by typing it in the input box and pressing Enter.
<p>
<img src="/docs-static/img/how-to-guides/access-home-network/add-user-group.png" alt="add-network-home-lan" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/homelab/access-home-network/add-user-group.png" alt="add-network-home-lan" className="imagewrapper"/>
</p>
## Choose or Add a Routing Peer in Your LAN
1. Click **Add Routing Peer**.
2. Pick any always-on machine on your home network (Windows, Linux, Mac, Docker, Raspberry Pi).
3. Install the NetBird agent on it using a [one-off setup key](/how-to/register-machines-using-setup-keys#types-of-setup-keys) using the CLI installer.
3. Install the NetBird agent on it using a [one-off setup key](/manage/peers/register-machines-using-setup-keys#types-of-setup-keys) using the CLI installer.
4. Ensure this machine has access to both the internet and your LAN subnet.
5. Choose this machine as your routing peer and click **Continue** and **Add Routing Peer**.
<p>
<img src="/docs-static/img/how-to-guides/access-home-network/add-routing-peer-home-network.png" alt="add-routing-peer-home-network"
<img src="/docs-static/img/manage/networks/homelab/access-home-network/add-routing-peer-home-network.png" alt="add-routing-peer-home-network"
className="imagewrapper"/>
</p>
<p>
<img src="/docs-static/img/how-to-guides/access-home-network/add-routing-peer.png" alt="add-routing-peer-home-network"
<img src="/docs-static/img/manage/networks/homelab/access-home-network/add-routing-peer.png" alt="add-routing-peer-home-network"
className="imagewrapper"/>
</p>

24
src/pages/how-to/networks.mdx → src/pages/manage/networks/index.mdx
View File

@@ -10,11 +10,11 @@ Starting from version `0.35.0`, NetBird introduces Networks, a new concept that
such as LANs, VPCs, or office networks, and manage access to internal resources without installing NetBird agent.
<p>
<img src="/docs-static/img/how-to-guides/netbird-network-routes.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/netbird-network-routes.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
<Note>
Networks replace the old [Network Routes](/how-to/routing-traffic-to-private-networks) concept, which is now deprecated.
Networks replace the old [Network Routes](/manage/network-routes/routing-traffic-to-private-networks) concept, which is now deprecated.
Existing Network routes will continue to work as before, but we recommend migrating to Networks for better access
management to your resources.
</Note>
@@ -26,7 +26,7 @@ making it easier to visualise and manage access to your internal resources. You
different environments, such as office networks, cloud VPCs, or on-premise LANs.
<p>
<img src="/docs-static/img/how-to-guides/networks/new-network-2.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/index/new-network-2.png" alt="high-level-dia" className="imagewrapper"/>
</p>
### Routing peers
@@ -36,7 +36,7 @@ You can add as many routing peers as you need using single peers or groups to en
You can define masquerading and priority for each routing peer.
<p>
<img src="/docs-static/img/how-to-guides/networks/add-routing-peer-1.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/index/add-routing-peer-1.png" alt="high-level-dia" className="imagewrapper"/>
</p>
@@ -45,10 +45,10 @@ Resources are individual machines, services, or subnets within your internal net
IP addresses, IP ranges, domain names, or wildcard domains (e.g., *.company.internal) when enabling [DNS wildcard routing](#enable-dns-wildcard-routing).
<p>
<img src="/docs-static/img/how-to-guides/networks/resources-1.png" alt="resources" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/index/resources-1.png" alt="resources" className="imagewrapper-big"/>
</p>
<Note>
Support to exit nodes and site-2-site VPNs may become available in future releases. In the meantime you can use [Network routes](/how-to/routing-traffic-to-private-networks) add your exit-node routes and site-2-site routes.
Support to exit nodes and site-2-site VPNs may become available in future releases. In the meantime you can use [Network routes](/manage/network-routes/routing-traffic-to-private-networks) add your exit-node routes and site-2-site routes.
</Note>
### Domain Resources
@@ -107,7 +107,7 @@ On a technical level the feature works as follows:
To manage access to resources, you can assign them to groups and create [access control policies](/manage/access-control/manage-network-access#creating-policies) to define which peers can access them.
See the image below with an example resource `CRM`:
<p>
<img src="/docs-static/img/how-to-guides/networks/resources-2.png" alt="resource-group" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/index/resources-2.png" alt="resource-group" className="imagewrapper"/>
</p>
Access control policies are rules that define which peers can access the resources in your network. You can create policies based on the source and destination groups, and the type of traffic allowed (e.g., TCP, UDP, ICMP).
@@ -116,7 +116,7 @@ The peers belonging to the source groups will receive the resources linked to th
See the example below with a policy that allows the group `Berlin Office` to access the internal CRM system:
<p>
<img src="/docs-static/img/how-to-guides/networks/resource-acl-1.png" alt="resource-acl" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/index/resource-acl-1.png" alt="resource-acl" className="imagewrapper-big"/>
</p>
<Note>
@@ -131,7 +131,7 @@ This is also useful for regular DNS routes when you want to resolve the domain n
</Note>
You can enable DNS resolution on the routing peer by accessing your account `Settings` > `Networks` > Enable DNS wildcard routing. See example below:
<p>
<img src="/docs-static/img/how-to-guides/networks/settings-1.png" alt="settings-acl" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/index/settings-1.png" alt="settings-acl" className="imagewrapper-big"/>
</p>
<Note>
@@ -158,9 +158,9 @@ You can enable DNS resolution on the routing peer by accessing your account `Set
## Use cases
- [Routing traffic to multiple IP resources](/how-to/routing-traffic-to-multiple-resources)
- [Accessing restricted website domain resources](/how-to/accessing-restricted-domain-resources)
- [Accessing entire domains within networks](/how-to/accessing-entire-domains-within-networks)
- [Routing traffic to multiple IP resources](/manage/networks/routing-traffic-to-multiple-resources)
- [Accessing restricted website domain resources](/manage/networks/accessing-restricted-domain-resources)
- [Accessing entire domains within networks](/manage/networks/accessing-entire-domains-within-networks)
## Get started
<p float="center" >

30
src/pages/how-to/routing-traffic-to-multiple-resources.mdx → src/pages/manage/networks/routing-traffic-to-multiple-resources.mdx
View File

@@ -1,16 +1,16 @@
# Routing traffic to multiple IP resources
Adding routes to resources within on-premises or cloud is a common scenario for DevOps and Platform teams. In this guide, we will show you how to route traffic to multiple IP resources using NetBird's [Networks](/how-to/networks-concept) using [IP resources](/how-to/networks-concept#resources).
Adding routes to resources within on-premises or cloud is a common scenario for DevOps and Platform teams. In this guide, we will show you how to route traffic to multiple IP resources using NetBird's [Networks](/manage/networks) using [IP resources](/manage/networks#resources).
## Example
In the following scenario, we will cover the case where all users have restricted access to internal DNS servers in the internal network, and the DevOps team has full access to the entire network.
The network address is `172.16.0.0/15` and DNS servers has the IPs `172.16.30.2` and `172.17.100.2`.
These IP ranges will be routed using [Routing peers](/how-to/networks-concept#routing-peers) running in the network.
These IP ranges will be routed using [Routing peers](/manage/networks#routing-peers) running in the network.
### Create a Network
To create a Network, navigate to the `Networks` > `Networks` section in the NetBird dashboard:
<p>
<img src="/docs-static/img/how-to-guides/networks/view-wild-network-1.png" alt="new-net-1" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/view-wild-network-1.png" alt="new-net-1" className="imagewrapper-big"/>
</p>
Click on `Add Network` to follow a Wizard that will guide you through the steps to create a network and add resources to it.
@@ -18,18 +18,18 @@ Click on `Add Network` to follow a Wizard that will guide you through the steps
First, we fill out the network Name and Description as shown in the image below and click `Continue`:
<p>
<img src="/docs-static/img/how-to-guides/networks/new-example-network-2.png" alt="new-net2" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/new-example-network-2.png" alt="new-net2" className="imagewrapper"/>
</p>
### Add a routing peer
Next we are asked to add a routing peer to the network. Let's click on `Add routing peer` and select a node from that VPC:
<p>
<img src="/docs-static/img/how-to-guides/networks/add-example-routing-peer-1.png" alt="new-example-routing-peer-1" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/add-example-routing-peer-1.png" alt="new-example-routing-peer-1" className="imagewrapper"/>
</p>
Click on `Continue` and then accept the defaults to add a routing peer by clicking on `Add Routing Peer`:
<p>
<img src="/docs-static/img/how-to-guides/networks/add-example-routing-peer-2.png" alt="new-routing-peer-2" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/add-example-routing-peer-2.png" alt="new-routing-peer-2" className="imagewrapper"/>
</p>
### Add the network resource
@@ -37,7 +37,7 @@ Following the guide, we are asked to add a new resource.
Click on `Add Resource` and enter the `Office network` name and use the IP range `172.16.0.0/15` as the address:
<p>
<img src="/docs-static/img/how-to-guides/networks/add-example-resource-1.png" alt="new-example-resource-1" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/add-example-resource-1.png" alt="new-example-resource-1" className="imagewrapper"/>
</p>
We can also assign a group to this resource; in this example, we will assign the group `office-network` to it. This way, we can create a policy that allows the DevOps team to access the entire IP range.
@@ -48,18 +48,18 @@ resource to peers in the `DevOps` group.
Click on `Create Policy` and fill out the fields as shown in the image below:
<p>
<img src="/docs-static/img/how-to-guides/networks/add-example-resource-acl-1.png" alt="new-resource-acl-1" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/add-example-resource-acl-1.png" alt="new-resource-acl-1" className="imagewrapper-big"/>
</p>
Click on `Continue` 2 times and then click on `Add Policy` to save the policy:
<p>
<img src="/docs-static/img/how-to-guides/networks/add-example-resource-acl-2.png" alt="new-resource-acl-2" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/add-example-resource-acl-2.png" alt="new-resource-acl-2" className="imagewrapper-big"/>
</p>
### Add the DNS server resources
Now, let's add the DNS servers resources to the network. Click on `Add Resource` and enter the IP address of the first DNS server:
<p>
<img src="/docs-static/img/how-to-guides/networks/add-example-resource-2.png" alt="new-example-resource-2" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/add-example-resource-2.png" alt="new-example-resource-2" className="imagewrapper"/>
</p>
We will use the same group, `office-dns-servers`, for both resources, allowing all users to access the DNS servers.
@@ -67,7 +67,7 @@ This time, when asked to create a policy, we will click on Later to skip it sinc
Now, let's add another resource for the second DNS server:
<p>
<img src="/docs-static/img/how-to-guides/networks/add-example-resource-3.png" alt="new-example-resource-3" className="imagewrapper"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/add-example-resource-3.png" alt="new-example-resource-3" className="imagewrapper"/>
</p>
### Add an access control policy for the DNS server resource
@@ -76,24 +76,24 @@ the `All users` group. They will be granted access only to the `UDP` port `53` o
Click on `Create Policy` and fill out the fields as shown in the image below:
<p>
<img src="/docs-static/img/how-to-guides/networks/add-example-resource-acl-3.png" alt="new-resource-acl-3" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/add-example-resource-acl-3.png" alt="new-resource-acl-3" className="imagewrapper-big"/>
</p>
Click on `Continue` 2 times and then click on `Add Policy` to save the policy:
<p>
<img src="/docs-static/img/how-to-guides/networks/add-example-resource-acl-4.png" alt="new-resource-acl-4" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/add-example-resource-acl-4.png" alt="new-resource-acl-4" className="imagewrapper-big"/>
</p>
This time, we made the Policy name a bit more generic to cover both DNS server addresses.
### View the network
After completing the wizard, you will be able to see the network you just created in the Networks list:
<p>
<img src="/docs-static/img/how-to-guides/networks/view-example-network-1.png" alt="view-example-network-1" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/view-example-network-1.png" alt="view-example-network-1" className="imagewrapper-big"/>
</p>
To access a detailed view of the network, click on the network name:
<p>
<img src="/docs-static/img/how-to-guides/networks/view-example-network-2.png" alt="view-example-network-2" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/networks/routing-traffic-to-multiple-resources/view-example-network-2.png" alt="view-example-network-2" className="imagewrapper-big"/>
</p>
You can edit or add more resources or routing peers to the network by clicking on the `Edit` buttons of each section in the detailed view.

28
src/pages/how-to/access-internal-resources-from-autoscaled-environments.mdx → src/pages/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments.mdx
View File

@@ -40,7 +40,7 @@ This process will demonstrate how NetBird simplifies secure network access in au
## 1. Creating a NetBird Setup Key for Kubernetes
The first step in this process is [creating a NetBird setup key](/how-to/register-machines-using-setup-keys) for your Kubernetes cluster. This setup key serves as a secure authentication token, allowing your cluster's pods to join your NetBird network seamlessly.
The first step in this process is [creating a NetBird setup key](/manage/peers/register-machines-using-setup-keys) for your Kubernetes cluster. This setup key serves as a secure authentication token, allowing your cluster's pods to join your NetBird network seamlessly.
To create an appropriate setup key for this use case:
@@ -55,7 +55,7 @@ To create an appropriate setup key for this use case:
Here's an example:
![NetBird Setup Keys](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-01.png)
![NetBird Setup Keys](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-01.png)
This configuration allows for dynamic management of your Kubernetes pods within the NetBird network. As your cluster scales up, new pods will seamlessly join the network. When pods are terminated or remain offline, they'll be automatically removed, maintaining a clean and efficient network topology.
@@ -67,7 +67,7 @@ Follow these steps to configure the network route:
In the NetBird dashboard, navigate to the `Network Routes` section and click on `Add Route` to create a new network route.
![NetBird Add Route](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-02.png)
![NetBird Add Route](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-02.png)
* In the `Network Range` field, enter the private IP range of your Kubernetes Pods. This is typically something like `10.0.0.0/16` for many Kubernetes clusters, but it may vary depending on your specific setup. If you're unsure, you can check this range in your Kubernetes configuration or consult your cluster administrator.
* Navigate to the `Peer Group` tab and select your Kubernetes cluster's group as the routing peer. This group should contain all your cluster's nodes and will automatically include all the Pods running on these nodes.
@@ -75,15 +75,15 @@ In the NetBird dashboard, navigate to the `Network Routes` section and click on
* Review your settings to ensure everything is correct. The route you're creating will allow traffic from your local machine (in the distribution group) to reach the Kubernetes Pods (in the peer group) via the specified network range.
* Once you're satisfied with the configuration, click the `Continue` button.
![NetBird Create a New Route](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-03.png)
![NetBird Create a New Route](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-03.png)
Provide a descriptive name for your route, such as `NetBird K8s Demo`.
![NetBird Route Name](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-04.png)
![NetBird Route Name](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-04.png)
This setup creates a secure pathway for your local machine to communicate with the Pods in your Kubernetes cluster through the NetBird network. As new Pods are created or removed due to autoscaling, they'll automatically be included in or excluded from this route, maintaining seamless access without manual intervention.
![NetBird Network Route Created](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-06.png)
![NetBird Network Route Created](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-06.png)
## 3. Setting Up Access Policies for Secure Communication
@@ -100,16 +100,16 @@ To create a new access policy:
Your access policy must look similar to this:
![NetBird Access Policy](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-07.png)
![NetBird Access Policy](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-07.png)
Click `Continue` and name your policy:
![NetBird Access Policy Name](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-08.png)
![NetBird Access Policy Name](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-08.png)
Once you save your policy, it is a good practice to disable or modify the default `All` group policy to prevent unrestricted access.
![NetBird Access Policies](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-09.png)
![NetBird Access Policies](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-09.png)
This tailored access policy ensures that only authorized devices (your local machine) can communicate with the Kubernetes cluster, significantly improving your network's security posture. As your environment scales, this policy will automatically apply to new pods, maintaining consistent access control.
@@ -216,7 +216,7 @@ kubectl apply -f quote-app.yaml
After a few seconds, the app will appear in NetBird's `Peers` dashboard. If you hover over the `Assigned Groups`, you'll notice the app automatically joined the group `Kubernetes Cluster` as expected.
![NetBird App Joined NetBird](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-10.png)
![NetBird App Joined NetBird](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-10.png)
## 5. Configuring Horizontal Pod Autoscaler (HPA)
@@ -315,19 +315,19 @@ quote-hpa Deployment/quote cpu: 1%/20% 1 3 1 32m
If you go to NetBird `Peers` dashboard, you will see new peers automatically joining the network as pods scale up.
![NetBird Two Peers](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-11.png)
![NetBird Two Peers](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-11.png)
As you can see, all peers join the same group, meaning all share the same access policy you defined.
![NetBird Three Peers](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-12.png)
![NetBird Three Peers](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-12.png)
Conversely, when scaling down, peers are removed from the group and then terminated.
![NetBird Scaling Down Peers](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-13.png)
![NetBird Scaling Down Peers](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-13.png)
When ready, stop the load generator by pressing `Ctrl+C` in its terminal window; eventually, you will see only one app peer in the dashboard.
![NetBird Initial State](/docs-static/img/how-to-guides/setup-keys-access-internal-resources-autoscaled-env/autoscaled-14.png)
![NetBird Initial State](/docs-static/img/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments/autoscaled-14.png)
This demonstration showcases NetBird's powerful capabilities in seamlessly managing network connections within a dynamic, autoscaling Kubernetes environment. NetBird automatically adapts to your cluster's changing topology without any manual intervention, ensuring secure and efficient connectivity as pods scale up or down. This automation saves significant time and effort in network management and enhances your environment's security posture. By integrating NetBird, you're implementing a robust, scalable networking solution that keeps pace with your application's demands while maintaining strict access controls.

38
src/pages/how-to/peer-approval-for-remote-worker-access.mdx → src/pages/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access.mdx
View File

@@ -16,7 +16,7 @@ This guide introduces NetBird's Peer Approval as a robust solution for secure re
* **Enhancing Access Control**: Offering granular control over network resources, allowing organizations to tailor access based on user roles and device status.
* **Improving Scalability**: Facilitating easy onboarding and offboarding of remote workers, including freelancers, without compromising network security.
Let's explore the step-by-step process of implementing [Peer Approval with NetBird](/how-to/approve-peers) to ensure that only trusted devices can access your network.
Let's explore the step-by-step process of implementing [Peer Approval with NetBird](/manage/peers/approve-peers) to ensure that only trusted devices can access your network.
## Prerequisites
@@ -41,15 +41,15 @@ Before onboarding remote workers, ensure your organization has appropriate [acce
Navigate to `Access Control > Policies` in the NetBird admin console, then click `Add Policy` or edit an existing one to define these restrictions. Here's a sample policy that grant any member of the `Freelancers` group access to the resources in the group `On-Premise-DB`.
![NetBird Freelancer Access Control Policy](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-0-01.png)
![NetBird Freelancer Access Control Policy](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-0-01.png)
If necessary, you can also set [posture checks](/manage/access-control/posture-checks) for this policy.
![NetBird Freelancer Posture Check](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-0-02.png)
![NetBird Freelancer Posture Check](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-0-02.png)
Moreover, it is a best practice to disable the `Default` policy to enforce only restrictive, custom-defined access controls.
![NetBird Access Policy View](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-0-03.png)
![NetBird Access Policy View](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-0-03.png)
With appropriate access policies in place, you're ready to enable NetBird's Peer Approval feature.
@@ -57,7 +57,7 @@ With appropriate access policies in place, you're ready to enable NetBird's Peer
To enable peer approval, go to `Settings > Authentication` and activate the `Peer approval` toggle, then click `Save Changes`.
![NetBird Freelancer Device Dashboard](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-02.png)
![NetBird Freelancer Device Dashboard](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-02.png)
With `Peer Approval` activated, new members will see an `Approval required` message when joining. Administrators must grant access, ensuring only vetted users enter the NetBird network, thus enhancing overall security.
@@ -65,47 +65,47 @@ With `Peer Approval` activated, new members will see an `Approval required` mess
To invite a new user to join your NetBird network, go to `Team > Users` and click the `Invite User` button.
![NetBird Invite Users](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-03.png)
![NetBird Invite Users](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-03.png)
A pop-up window appears for new user registration. Enter the user's name, email address, and select the `Freelancers` group from the dropdown menu. NetBird's auto-assignment feature instantly links the new user to the `Freelancers` group upon network entry, automatically applying the associated access policy you just created.
![NetBird Invite User Pop Up](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-04.png)
![NetBird Invite User Pop Up](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-04.png)
After clicking `Send Invitation`, you'll return to the `Users` dashboard. Here, the new user appears with a `Pending` status, awaiting their acceptance of the invitation and any required approvals.
![NetBird New User Pending](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-05.png)
![NetBird New User Pending](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-05.png)
## 4. Installing NetBird On The Remote Worker Device
Access the secondary email account used to mimic the freelancer. In the inbox, locate the invitation email from NetBird. This email contains a secure link to join your organization's NetBird network, initiating the freelancer's onboarding process.
![Email NetBird Invitation](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-06.png)
![Email NetBird Invitation](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-06.png)
After clicking the invitation link, you'll be directed to NetBird's secure account creation page. Follow the on-screen instructions to create a new password.
![NetBird Login](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-07.png)
![NetBird Login](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-07.png)
Upon logging in, you'll arrive at NetBird's Peers dashboard. Locate and click the `Add Peer` button to initiate the [Getting Started](/get-started) Wizard, which guides you through the process of adding a new device to the network.
![NetBird Freelancer Peers Dashboard](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-08.png)
![NetBird Freelancer Peers Dashboard](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-08.png)
The wizard will detect your operating system and provide detailed step-by-step instructions on how to [install NetBird](/get-started/install).
![NetBird Freelancer Install Client](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-09.png)
![NetBird Freelancer Install Client](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-09.png)
During your initial connection to NetBird, a system dialog will appear requesting authorization. This prompt asks for permission to access your profile and email information, which is necessary for NetBird to establish your account and network access.
![NetBird Authorize App](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-10.png)
![NetBird Authorize App](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-10.png)
After completing the installation, your device will appear in the Peers dashboard. Hover over the `+1` in the `Assigned Groups` column to confirm the device has automaticaclly assigned to the `Freelancers` group as expected.
![NetBird Freelancer Peers Listed](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-11.png)
![NetBird Freelancer Peers Listed](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-11.png)
## 5. Approving Peers
Back to your primary account, you'll notice the newly added user's status is now displayed as `Active` in the `Users` dashboard. This status update confirms that the device has successfully added to the NetBird network and is ready for secure communication.
![NetBird Peers Dashboard](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-12.png)
![NetBird Peers Dashboard](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-12.png)
However, your approval is required before the user's device can fully connect to the NetBird network. To grant network access:
@@ -114,15 +114,15 @@ However, your approval is required before the user's device can fully connect to
* Click the `Approve` button next to the device
* Confirm the action when prompted
![NetBird Approve New Peer](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-13.png)
![NetBird Approve New Peer](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-13.png)
After approval, the device is granted full access to network resources allocated to the `Freelancers` group. The freelancer can now view all accessible network resources in their `Peers` dashboard:
![NetBird Freelancer Peers View](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-16.png)
![NetBird Freelancer Peers View](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-16.png)
Likewise, as an administrator, you can click on the user's device to see which resources and peers the freelancer has access to.
![NetBird Main Account Peers View](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-17.png)
![NetBird Main Account Peers View](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-17.png)
## 6. Automating Peer Approval with EDR Integration (optional)
@@ -137,7 +137,7 @@ Key aspects of NetBird's EDR integration:
To activate this feature, navigate to `Integrations > EDR` and activate the CrowdStrike integration toggle.
![NetBird EDR Integration](/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-18.png)
![NetBird EDR Integration](/docs-static/img/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access/peer-a-18.png)
For more information regarding NetBird's EDR integration, refer to the [documentation](/manage/access-control/endpoint-detection-and-response)

22
src/pages/how-to/secure-remote-webserver-access.mdx → src/pages/manage/peers/access-infrastructure/secure-remote-webserver-access.mdx
View File

@@ -37,16 +37,16 @@ With prerequisites in place, you'll be prepared to establish an encrypted point-
Login to NetBird and navigate to `Peers`. Ensure you see your local peer connected.
![NetBird Local Peer](/docs-static/img/how-to-guides/peers/owyUeUn.png)
![NetBird Local Peer](/docs-static/img/manage/peers/access-infrastructure/secure-remote-webserver-access/owyUeUn.png)
To add your remote web server to NetBird's peer network, first you need to generate a setup key:
* Navigate to `Setup Keys` in the left menu
* Click `Create Setup Key`
* Configure the key by assigning it a descriptive name (e.g., "Remote Web Server"), setting an expiration date, and defining auto-assigned groups (if required). Read the documentation for [detailed setup key configuration](/how-to/register-machines-using-setup-keys).
* Configure the key by assigning it a descriptive name (e.g., "Remote Web Server"), setting an expiration date, and defining auto-assigned groups (if required). Read the documentation for [detailed setup key configuration](/manage/peers/register-machines-using-setup-keys).
* Copy the generated key to a secure location as you'll need it shortly
![NetBird Creating Setup Key](/docs-static/img/how-to-guides/peers/jQ5rhEb.png)
![NetBird Creating Setup Key](/docs-static/img/manage/peers/access-infrastructure/secure-remote-webserver-access/jQ5rhEb.png)
Next, install the NetBird agent on the VM.
@@ -98,7 +98,7 @@ Peers count: 0/0 Connected
Now, go back to NetBird's `Peers` dashboard and ensure your remote web server is connected.
![NetBird Peers Network](/docs-static/img/how-to-guides/peers/8I1WVEx.png)
![NetBird Peers Network](/docs-static/img/manage/peers/access-infrastructure/secure-remote-webserver-access/8I1WVEx.png)
## 2. Configuring NetBird Access Control Policies
With both peers now connected to NetBird, the next step is to configure access control rules. This step is essential to define and restrict who can access the remote server, enhancing security by limiting connections to authorized users or devices only.
@@ -118,7 +118,7 @@ For this specific use case, we've implemented a simple access policy:
This policy restricts SSH access to the `Testing Environment`, permitting only authorized members from the group `Freelancers` to connect.
![NetBird Access Policy](/docs-static/img/how-to-guides/peers/AgB9Asr.png)
![NetBird Access Policy](/docs-static/img/manage/peers/access-infrastructure/secure-remote-webserver-access/AgB9Asr.png)
After establishing the policy, assign peers to their respective groups. To add the remote web server to the `Testing Environment` group:
@@ -126,18 +126,18 @@ After establishing the policy, assign peers to their respective groups. To add t
* Click on the name of the peer you want to edit, in this case, `webserver`
* Find the `Assigned Groups` field and select `Testing Environment` from the dropdown list.
![NetBird Web Server Peer](/docs-static/img/how-to-guides/peers/QXb6lLs.png)
![NetBird Web Server Peer](/docs-static/img/manage/peers/access-infrastructure/secure-remote-webserver-access/QXb6lLs.png)
While you're there, take note of the IP addresses listed on the left. Use the quick copy buttons to get `NetBird IP-Address` and `Domain Name`. Alternatively, you can hover over the peer in the peers' list and copy the IP addresses as shown below:
![NetBird IP Addresses](/docs-static/img/how-to-guides/peers/EVZssES.png)
![NetBird IP Addresses](/docs-static/img/manage/peers/access-infrastructure/secure-remote-webserver-access/EVZssES.png)
With your remote server configured and the corresponding access policy enabled, the final step is to assign users to the appropriate group:
* Locate your user in the peers' list and click on it
* Find the `Assigned Groups` field and select `Freelancers` from the dropdown list.
![NetBird Local User Peer](/docs-static/img/how-to-guides/peers/LoNxwd4.png)
![NetBird Local User Peer](/docs-static/img/manage/peers/access-infrastructure/secure-remote-webserver-access/LoNxwd4.png)
## 3. Establishing a Secure SSH Connection to Access the Internal Web Service
@@ -145,11 +145,11 @@ NetBird streamlines secure connections without traditional firewall complexities
To verify your setup, simply ping the web server from a third-party device outside of the NetBird network using the web server's NetBird-assigned IP:
![Terminal No Access to Web Server](/docs-static/img/how-to-guides/peers/iHiFujr.png)
![Terminal No Access to Web Server](/docs-static/img/manage/peers/access-infrastructure/secure-remote-webserver-access/iHiFujr.png)
There is no response from the host. Now, ping the web server from your configured local machine:
![Terminal Access to Web Server](/docs-static/img/how-to-guides/peers/HKsAcFE.png)
![Terminal Access to Web Server](/docs-static/img/manage/peers/access-infrastructure/secure-remote-webserver-access/HKsAcFE.png)
As expected, all packets were transmitted. Now, you can securely SSH into your remote web server from your local peer, either using the NetBird-assigned domain name or IP address:
@@ -157,7 +157,7 @@ As expected, all packets were transmitted. Now, you can securely SSH into your r
This straightforward test confirms your successful implementation of a secure, firewall-free connection to your remote web server via NetBird, demonstrating its power in simplifying robust network security.
![Terminal Fastfetch from Web Server](/docs-static/img/how-to-guides/peers/YoECY8k.png)
![Terminal Fastfetch from Web Server](/docs-static/img/manage/peers/access-infrastructure/secure-remote-webserver-access/YoECY8k.png)
## Get Started

14
src/pages/how-to/setup-keys-add-servers-to-network.mdx → src/pages/manage/peers/access-infrastructure/setup-keys-add-servers-to-network.mdx
View File

@@ -8,7 +8,7 @@ The problem with conventional server and container network integration methods i
* **Scalability Limitations**: As infrastructure grows, the complexity of managing network access for numerous servers and containers increases exponentially.
* **Security Risks**: Manual processes can lead to human errors, potentially exposing servers to unauthorized access or creating security loopholes in the network.
This guide introduces [NetBird's Setup Keys](/how-to/register-machines-using-setup-keys) as an elegant solution for seamlessly and securely adding servers and containers to your network by:
This guide introduces [NetBird's Setup Keys](/manage/peers/register-machines-using-setup-keys) as an elegant solution for seamlessly and securely adding servers and containers to your network by:
* **Streamlining Deployment**: Providing a simple, automated way to connect new servers and containers to your NetBird network with minimal manual intervention.
* **Facilitating Scalability**: Enabling rapid expansion of your network infrastructure without compromising on security or operational efficiency.
@@ -16,7 +16,7 @@ This guide introduces [NetBird's Setup Keys](/how-to/register-machines-using-set
This approach significantly reduces deployment time, ensures consistent and secure network configurations, and supports seamless scalability.
Let's dive into the step-by-step process of using [NetBird's Setup Keys](/how-to/register-machines-using-setup-keys) to securely add a server with a Docker container to your network.
Let's dive into the step-by-step process of using [NetBird's Setup Keys](/manage/peers/register-machines-using-setup-keys) to securely add a server with a Docker container to your network.
## Prerequisites
@@ -38,7 +38,7 @@ This process will demonstrate how Setup Keys simplify and secure the addition of
## Creating a Setup Key in Your NetBird Account
To seamlessly integrate virtual machines or Docker containers into your NetBird network, you'll start by creating a setup key. While [NetBird's documentation offers comprehensive guidance on this process](https://docs.netbird.io/how-to/register-machines-using-setup-keys), let's quickly review the essential steps:
To seamlessly integrate virtual machines or Docker containers into your NetBird network, you'll start by creating a setup key. While [NetBird's documentation offers comprehensive guidance on this process](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys), let's quickly review the essential steps:
* Access your NetBird dashboard
* Navigate to the `Setup Keys` section
@@ -51,7 +51,7 @@ To seamlessly integrate virtual machines or Docker containers into your NetBird
Here's an example:
![NetBird Generating Setup Key](/docs-static/img/how-to-guides/setup-keys-add-servers-to-network/setup-keys-add-server-01.png)
![NetBird Generating Setup Key](/docs-static/img/manage/peers/access-infrastructure/setup-keys-add-servers-to-network/setup-keys-add-server-01.png)
This setup key will serve as your secure passport for adding both your VM and Docker container to the NetBird network,
ensuring a consistent integration process.
@@ -130,7 +130,7 @@ sudo systemctl enable netbird
Finally, log into your NetBird dashboard and navigate to the `Peers` section to confirm your VM is listed and connected.
![NetBird Peers View](/docs-static/img/how-to-guides/setup-keys-add-servers-to-network/setup-keys-add-server-02.png)
![NetBird Peers View](/docs-static/img/manage/peers/access-infrastructure/setup-keys-add-servers-to-network/setup-keys-add-server-02.png)
By using the setup key, you've securely added your VM to the NetBird network with minimal manual configuration, demonstrating the efficiency and security benefits of this approach.
@@ -174,7 +174,7 @@ Now that your VM is connected to the NetBird secure network, you can verify the
To locate the NetBird-assigned IP or domain, go to the `Peers` page in your NetBird dashboard and hover your cursor over the VM's name.
![NetBird Peers IP Address or Domain](/docs-static/img/how-to-guides/setup-keys-add-servers-to-network/setup-keys-add-server-03.png)
![NetBird Peers IP Address or Domain](/docs-static/img/manage/peers/access-infrastructure/setup-keys-add-servers-to-network/setup-keys-add-server-03.png)
Verify connectivity to the VM from any NetBird-connected device using:
@@ -191,7 +191,7 @@ $ curl 100.85.148.249:8080
Alternatively, you can go to `http://VM_NETBIRD_DOMAIN:8080` using your browser:
![NetBird Welcome Page](/docs-static/img/how-to-guides/setup-keys-add-servers-to-network/setup-keys-add-server-04.png)
![NetBird Welcome Page](/docs-static/img/manage/peers/access-infrastructure/setup-keys-add-servers-to-network/setup-keys-add-server-04.png)
Keep in mind that this tutorial used the default `All` group for simplicity. However, implementing [NetBird's Access Policy](https://docs.netbird.io/manage/access-control/manage-network-access) to restrict peer-to-peer connections to specific user groups is a best practice for gaining granular control over resource access, thus improving your network's overall security posture in various scenarios.

12
src/pages/how-to/add-machines-to-your-network.mdx → src/pages/manage/peers/add-machines-to-your-network.mdx
View File

@@ -19,29 +19,29 @@ To add a new peer to your network follow these steps:
2. Hit `Add Peer` button
<p>
<img src="/docs-static/img/how-to-guides/add-new-peer-empty.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/add-machines-to-your-network/add-new-peer-empty.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
3. Follow the instructions
<p>
<img src="/docs-static/img/how-to-guides/add-new-peer-popup.png" alt="high-level-dia" width="700" className="imagewrapper"/>
<img src="/docs-static/img/manage/peers/add-machines-to-your-network/add-new-peer-popup.png" alt="high-level-dia" width="700" className="imagewrapper"/>
</p>
4. Refresh the Peers tab, and it will display new machines
<p>
<img src="/docs-static/img/how-to-guides/peer-list.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/add-machines-to-your-network/peer-list.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
## What's next?
Here are a few links that might be handy as you venture further into NetBird:
- [Add users to your network](/how-to/add-users-to-your-network)
- [Require a peer approval from the administrator](/how-to/approve-peers)
- [Add users to your network](/manage/team/add-users-to-your-network)
- [Require a peer approval from the administrator](/manage/peers/approve-peers)
- [Allow only managed devices in the network](/manage/access-control/endpoint-detection-and-response)
- [Use setup keys to automate NetBird deployments](/how-to/register-machines-using-setup-keys)
- [Use setup keys to automate NetBird deployments](/manage/peers/register-machines-using-setup-keys)
<p float="center" >
<Button name="button" className="button-5" onClick={() => window.open("https://netbird.io/pricing")}>Try NetBird</Button>

4
src/pages/how-to/approve-peers.mdx → src/pages/manage/peers/approve-peers.mdx
View File

@@ -20,7 +20,7 @@ For details on the peer approval feature, part of our "Getting started with NetB
To enable peer approval, navigate to [Settings &raquo; Authentication](https://app.netbird.io/settings) and enable 'Peer approval'.
<p>
<img src="/docs-static/img/how-to-guides/peer-approval-settings.png" alt="peer-approval-settings" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/approve-peers/peer-approval-settings.png" alt="peer-approval-settings" className="imagewrapper-big"/>
</p>
<Note>
@@ -31,7 +31,7 @@ To enable peer approval, navigate to [Settings &raquo; Authentication](https://a
To approve a peer, navigate to the [peers tab](https://app.netbird.io/peers) and click the `Approve` button on the right side of the peers table.
<p>
<img src="/docs-static/img/how-to-guides/peer-needs-approval.png" alt="peer-needs-approval" className="imagewrapper"/>
<img src="/docs-static/img/manage/peers/approve-peers/peer-needs-approval.png" alt="peer-needs-approval" className="imagewrapper"/>
</p>
## Automate peer approval with EDR integrations

16
src/pages/how-to/browser-client.mdx → src/pages/manage/peers/browser-client.mdx
View File

@@ -21,7 +21,7 @@ Before using the Browser Client, ensure:
1. **Admin privileges** - You must be logged into the NetBird dashboard with an admin account (required for temporary ACL creation)
2. **Protocol requirements**:
- **For SSH**: The NetBird SSH server must be enabled on the target peer. Learn more about [enabling SSH access](/how-to/ssh).
- **For SSH**: The NetBird SSH server must be enabled on the target peer. Learn more about [enabling SSH access](/manage/peers/ssh).
- **For RDP**: The RDP server must be enabled on the target machine
3. **Modern browser** - You're using an up-to-date version of Chrome, Firefox, Edge, or Safari with WebAssembly support
@@ -36,7 +36,7 @@ The easiest way to connect is directly from the Peers dashboard:
3. In the **Remote Access** section, click the **SSH** or **RDP** button
<p>
<img src="/docs-static/img/how-to-guides/browser-client/peer-list-view.png" alt="peer-list-view" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/browser-client/peer-list-view.png" alt="peer-list-view" className="imagewrapper-big"/>
</p>
### SSH Connection
@@ -47,11 +47,11 @@ When connecting via SSH:
2. A credentials modal will appear
<Note>
Before connecting via SSH, make sure that SSH Access is enabled both on the target peer and in the NetBird Dashboard. Learn more about [enabling SSH access](/how-to/ssh).
Before connecting via SSH, make sure that SSH Access is enabled both on the target peer and in the NetBird Dashboard. Learn more about [enabling SSH access](/manage/peers/ssh).
</Note>
<p>
<img src="/docs-static/img/how-to-guides/browser-client/ssh-credentials-modal.png" alt="ssh-credentials-modal" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/browser-client/ssh-credentials-modal.png" alt="ssh-credentials-modal" className="imagewrapper-big"/>
</p>
3. Adjust the SSH username in the credentials modal if required
@@ -59,7 +59,7 @@ When connecting via SSH:
5. A terminal window will open in your browser with your SSH session
<p>
<img src="/docs-static/img/how-to-guides/browser-client/ssh-terminal-connected.png" alt="ssh-terminal-connected" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/browser-client/ssh-terminal-connected.png" alt="ssh-terminal-connected" className="imagewrapper-big"/>
</p>
### RDP Connection
@@ -70,7 +70,7 @@ For RDP access:
2. A new window will open with a credentials modal - enter your RDP server credentials:
<p>
<img src="/docs-static/img/how-to-guides/browser-client/rdp-credentials-modal.png" alt="rdp-credentials-modal" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/browser-client/rdp-credentials-modal.png" alt="rdp-credentials-modal" className="imagewrapper-big"/>
</p>
- **Username**: Your username (can include domain: `DOMAIN\username`)
@@ -80,7 +80,7 @@ For RDP access:
4. In the same window, a certificate warning dialog will appear - review the certificate details
<p>
<img src="/docs-static/img/how-to-guides/browser-client/rdp-certificate-modal.png" alt="rdp-certificate-modal" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/browser-client/rdp-certificate-modal.png" alt="rdp-certificate-modal" className="imagewrapper-big"/>
</p>
<Note>
@@ -91,7 +91,7 @@ For RDP access:
6. The remote desktop will load in the window
<p>
<img src="/docs-static/img/how-to-guides/browser-client/rdp-connected-session.png" alt="rdp-connected-session" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/browser-client/rdp-connected-session.png" alt="rdp-connected-session" className="imagewrapper-big"/>
</p>
## Connection Management

0
src/pages/how-to/lazy-connection.mdx → src/pages/manage/peers/lazy-connection.mdx
View File

8
src/pages/how-to/register-machines-using-setup-keys.mdx → src/pages/manage/peers/register-machines-using-setup-keys.mdx
View File

@@ -34,7 +34,7 @@ Setup keys are available in the NetBird Management Dashboard under the `Setup Ke
You can easily add new or revoke keys.
<p>
<img src="/docs-static/img/how-to-guides/setup-keys.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/peers/register-machines-using-setup-keys/setup-keys.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
<Note>
@@ -72,7 +72,7 @@ To add `Auto-assign groups`, open the `Setup Keys` tab and create or update any
Then use this key to enroll new machine.
<p>
<img src="/docs-static/img/architecture/netbird-peer-auto-tagging-newkey.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/peers/register-machines-using-setup-keys/netbird-peer-auto-tagging-newkey.png" alt="high-level-dia" className="imagewrapper"/>
</p>
<Note>
@@ -86,11 +86,11 @@ In the opened popup, give your new key an easily identifiable name, choose type,
The defaults should be suitable for most of the cases. We recommend using one-off keys for security reasons.
<p>
<img src="/docs-static/img/how-to-guides/add-setup-key.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/peers/register-machines-using-setup-keys/add-setup-key.png" alt="high-level-dia" className="imagewrapper"/>
</p>
After your key has been successfully created, copy and store it in a secure location.
<p>
<img src="/docs-static/img/how-to-guides/setup-key-created.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/peers/register-machines-using-setup-keys/setup-key-created.png" alt="high-level-dia" className="imagewrapper"/>
</p>

16
src/pages/how-to/db-workload-migration.mdx → src/pages/manage/peers/site-to-site/db-workload-migration.mdx
View File

@@ -166,16 +166,16 @@ With the on-premise environment ready, you can install NetBird on the destinatio
Login to NetBird and navigate to `Peers`. Ensure the source instance, the one hosting the database, is connected.
![NetBird Local Peer](/docs-static/img/how-to-guides/db-workload-migration/workload-migration-01.png)
![NetBird Local Peer](/docs-static/img/manage/peers/site-to-site/db-workload-migration/workload-migration-01.png)
Next, generate a setup key for enhanced security when connecting your remote workload to the NetBird network:
* Go to `Setup Keys` in the left menu
* Click `Create Setup Key`
* Enter a descriptive name for the setup key (e.g., "Remote Workload 01"). Also, set an expiration date and define auto-assigned groups (if required). You can find [more information regarding setup key options in the documentation](https://docs.netbird.io/how-to/register-machines-using-setup-keys).
* Enter a descriptive name for the setup key (e.g., "Remote Workload 01"). Also, set an expiration date and define auto-assigned groups (if required). You can find [more information regarding setup key options in the documentation](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys).
* Copy the generated key since you'll need it shortly
![NetBird Creating Setup Key](/docs-static/img/how-to-guides/db-workload-migration/workload-migration-02.png)
![NetBird Creating Setup Key](/docs-static/img/manage/peers/site-to-site/db-workload-migration/workload-migration-02.png)
To install the NetBird agent on the remote instance, run the following command:
@@ -241,7 +241,7 @@ Peers count: 0/0 Connected
If everything goes as expected, you will see your remote workload in NetBird's `Peers` dashboard.
![NetBird Peers Network](/docs-static/img/how-to-guides/db-workload-migration/workload-migration-03.png)
![NetBird Peers Network](/docs-static/img/manage/peers/site-to-site/db-workload-migration/workload-migration-03.png)
## 3. Setting Up NetBird's Access Control for Secure Data Transfer
@@ -262,7 +262,7 @@ For this use case, we disabled the `Default` policy and created the following on
This policy restricts access to the local environment where the database is running by only allowing the members of the group `Remote Workloads` to connect.
![NetBird Access Policy](/docs-static/img/how-to-guides/db-workload-migration/workload-migration-04.png)
![NetBird Access Policy](/docs-static/img/manage/peers/site-to-site/db-workload-migration/workload-migration-04.png)
The next step is to assign peers to their respective groups. To add the remote instance to the `Remote Workloads` group:
@@ -270,14 +270,14 @@ The next step is to assign peers to their respective groups. To add the remote i
* Click on `remote-workload` (or any name you gave to the remote instance)
* Find the `Assigned Groups` field and select `Remote Workloads` from the dropdown list.
![NetBird Remote Peer](/docs-static/img/how-to-guides/db-workload-migration/workload-migration-05.png)
![NetBird Remote Peer](/docs-static/img/manage/peers/site-to-site/db-workload-migration/workload-migration-05.png)
Follow a similar procedure to assign your local machine to the `On-Premise-DB` group:
* Locate and click on the local peer
* Find the `Assigned Groups` field and select `On-Premise-DB` from the dropdown list.
![NetBird Local User Peer](/docs-static/img/how-to-guides/db-workload-migration/workload-migration-06.png)
![NetBird Local User Peer](/docs-static/img/manage/peers/site-to-site/db-workload-migration/workload-migration-06.png)
Your network configuration is complete, enabling secure communication between the remote instance and your local machine via an encrypted WireGuard tunnel. However, additional adjustments are necessary to finalize the workload migration process.
@@ -328,7 +328,7 @@ These changes allow PostgreSQL to listen on all interfaces and accept connection
To complete the migration, deploy your workload to the remote instance by recreating the local setup: establish a Python virtual environment, install the `psycopg2-binary` library, and create `employee_workload.py`. However, in the Python code, you must update the `host` parameter, replacing `localhost` with the NetBird-assigned IP address of the remote instance. You can find this IP address in your peers' list on your NetBird dashboard.
![NetBird IP Addresses](/docs-static/img/how-to-guides/db-workload-migration/workload-migration-07.png)
![NetBird IP Addresses](/docs-static/img/manage/peers/site-to-site/db-workload-migration/workload-migration-07.png)
Optionally, you can change the label `(On-Premise)` with `(Remote)` as mentioned earlier. The Python code should look similar to this:

2
src/pages/how-to/ssh.mdx → src/pages/manage/peers/ssh.mdx
View File

@@ -196,7 +196,7 @@ When you run `ssh user@<netbird-peer>`:
### Browser Client
For SSH access directly from your web browser without installing any software, refer to the [Browser Client documentation](/how-to/browser-client#ssh-connection).
For SSH access directly from your web browser without installing any software, refer to the [Browser Client documentation](/manage/peers/browser-client#ssh-connection).
## Authentication

10
src/pages/how-to/add-users-to-your-network.mdx → src/pages/manage/team/add-users-to-your-network.mdx
View File

@@ -39,7 +39,7 @@ The invited users will receive an email invitation that they have to confirm.
After logging in to the system, they will join your network automatically.
<p>
<img src="/docs-static/img/how-to-guides/user-invites.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/team/user-invites.png" alt="high-level-dia" className="imagewrapper"/>
</p>
<Note>
@@ -54,10 +54,10 @@ provisioning users and groups. You can enable this feature from the `Users` tab
button.
<p>
<img src="/docs-static/img/how-to-guides/idp-sync-reference.png" alt="idp-sync-reference" className="imagewrapper"/>
<img src="/docs-static/img/manage/team/idp-sync-reference.png" alt="idp-sync-reference" className="imagewrapper"/>
</p>
See the [Provision Users and Groups From Your Identity Provider](/how-to/idp-sync) section for more details.
See the [Provision Users and Groups From Your Identity Provider](/manage/team/idp-sync) section for more details.
## Manage user roles
NetBird has five user roles - `Owner`, `Admin`, `Network Admin`, `Auditor` and `User`. The roles allow you to control the level of access to the management API of your account.
@@ -87,11 +87,11 @@ NetBird has five user roles - `Owner`, `Admin`, `Network Admin`, `Auditor` and `
To manage user roles, proceed to the `Users` tab and click on the user you want to update:
<p>
<img src="/docs-static/img/how-to-guides/user-tab-list.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/user-tab-list.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
After that, select the desired role from the dropdown:
<p>
<img src="/docs-static/img/how-to-guides/user-update-role.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/user-update-role.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
Click the `Save` button to save the changes.
<Note>

4
src/pages/how-to/approve-users.mdx → src/pages/manage/team/approve-users.mdx
View File

@@ -10,14 +10,14 @@ Navigate to the Dashboard's `Settings` page and the `Authentication` tab and ena
- **Disabled**: Manual approval for new users is not required. Users joining via domain matching will be automatically added to the organization.
<p>
<img src="/docs-static/img/approval/netbird-authentication-settings-approval.png" alt="netbird-authentication-settings-approval" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/approve-users/netbird-authentication-settings-approval.png" alt="netbird-authentication-settings-approval" className="imagewrapper-big"/>
</p>
## Approve or reject user
To approve a user, navigate to the [Users Page](https://app.netbird.io/team/users) and click the `Approve` or `Reject` button on the right side of the users table.
<p>
<img src="/docs-static/img/approval/netbird-user-approval.png" alt="netbird-user-approval" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/approve-users/netbird-user-approval.png" alt="netbird-user-approval" className="imagewrapper-big"/>
</p>
## Get started

20
src/pages/how-to/auto-offboard-users.mdx → src/pages/manage/team/auto-offboard-users.mdx
View File

@@ -1,6 +1,6 @@
# Automatically Offboard Team Members from NetBird
[NetBird's IdP-Sync integration](https://docs.netbird.io/how-to/idp-sync) simplifies offboarding team members, enhancing
[NetBird's IdP-Sync integration](https://docs.netbird.io/manage/team/idp-sync) simplifies offboarding team members, enhancing
security and efficiency. With this integration, you can automatically revoke access when users leave the company, when
temporary access for a freelancer ends after project completion, or when a seasonal employee's contract concludes.
Likewise, you can use this integration to restrict access to specific resources or environments when a project finishes.
@@ -12,39 +12,39 @@ is deleted from your Identity Provider.
In this tutorial, we will focus on `user_01`, `user_02`, and `user_03`. From NetBird's `Users` dashboard, you can see
that `user_01` is part of the `IT Administrators` group, while `user_02` and `user_03` belong to the `Staging` group.
![NetBird Users](/docs-static/img/how-to-guides/auto-offboard-users/GT3eAeU.png)
![NetBird Users](/docs-static/img/manage/team/auto-offboard-users/GT3eAeU.png)
To get started, access your Identity Provider (IdP) dashboard. For this example, well use [Microsoft Entra ID (Azure AD)](https://docs.netbird.io/how-to/microsoft-entra-id-sync).
To get started, access your Identity Provider (IdP) dashboard. For this example, we'll use [Microsoft Entra ID (Azure AD)](https://docs.netbird.io/manage/team/idp-sync/microsoft-entra-id-sync).
Next, locate the user you want to offboard in your IdP's user management section. Lets say you want to revoke access to
`user_01`, in that case, you will need to select it and click the `Delete` button as shown below.
![IdP Delete User](/docs-static/img/how-to-guides/auto-offboard-users/TJWLvXL.png)
![IdP Delete User](/docs-static/img/manage/team/auto-offboard-users/TJWLvXL.png)
After deletion, click the `Refresh` button to confirm that the user is no longer active.
![IdP Confirm Deletion](/docs-static/img/how-to-guides/auto-offboard-users/LJ6QHRV.png)
![IdP Confirm Deletion](/docs-static/img/manage/team/auto-offboard-users/LJ6QHRV.png)
Wait for the NetBird integration to complete its next synchronization cycle, which usually takes 300 seconds. Alternatively, go to the `Integrations` screen in the NetBird admin console and click the corresponding integration button to manually trigger the synchronization.
![NetBird Integrations Force Sync](/docs-static/img/how-to-guides/auto-offboard-users/ogiiUeT.png)
![NetBird Integrations Force Sync](/docs-static/img/manage/team/auto-offboard-users/ogiiUeT.png)
Now, go to NetBird's `Users` dashboard to verify that the user is no longer listed.
![NetBird Users Verification](/docs-static/img/how-to-guides/auto-offboard-users/MQ2yh6B.png)
![NetBird Users Verification](/docs-static/img/manage/team/auto-offboard-users/MQ2yh6B.png)
## Revoking Group Access
Imagine a scenario where you have an access policy that grants all members of the `Staging` group access to resources in the `Servers` group.
![NetBird Access Control](/docs-static/img/how-to-guides/auto-offboard-users/sATMbbP.png)
![NetBird Access Control](/docs-static/img/manage/team/auto-offboard-users/sATMbbP.png)
Let's say the current project is finished, and you no longer want members of the `Staging` group to have access to the
`Servers` group. One way to do this is to remove the `Staging` group from your IdP.
![IdP Delete Group](/docs-static/img/how-to-guides/auto-offboard-users/TOZjFKC.png)
![IdP Delete Group](/docs-static/img/manage/team/auto-offboard-users/TOZjFKC.png)
Once the changes synchronize in NetBird, users and their group memberships will be updated; therefore,
[network access associated with that group](https://docs.netbird.io/manage/access-control/manage-network-access) will automatically be revoked.
![NetBird No Group](/docs-static/img/how-to-guides/auto-offboard-users/NKabmN6.png)
![NetBird No Group](/docs-static/img/manage/team/auto-offboard-users/NKabmN6.png)

72
src/pages/how-to/google-workspace-sync.mdx → src/pages/manage/team/idp-sync/google-workspace-sync.mdx
View File

@@ -18,7 +18,7 @@ data via the Admin SDK API. This service account uses OAuth 2.0 for secure, auth
Go to the `Integrations` section in the left menu to access the `Identity Provider integration`. Click the `Google Workspace` button. This will open a pop-up window featuring an intuitive wizard to guide you through the synchronization process between NetBird and Google Workspace.
![NetBird Connect NetBird with Google Workspace](/docs-static/img/how-to-guides/google-workspace-sync/q1aq98X.png)
![NetBird Connect NetBird with Google Workspace](/docs-static/img/manage/team/idp-sync/google-workspace-sync/q1aq98X.png)
## Prerequisites
@@ -44,7 +44,7 @@ To [check your user permissions](https://support.google.com/a/answer/7519580?hl=
Confirm that you have one of the required roles before proceeding with the integration:
![Google Workspaces User Permissions](/docs-static/img/how-to-guides/google-workspace-sync/Ky8bguM.png)
![Google Workspaces User Permissions](/docs-static/img/manage/team/idp-sync/google-workspace-sync/Ky8bguM.png)
If you lack the required permissions, please contact your workspace administrator to request them.
@@ -62,7 +62,7 @@ To [check your organization-level permissions](https://cloud.google.com/resource
> NOTE: Verifying your GCP permissions is mandatory before proceeding with the integration since you might need to disable the `iam.disableServiceAccountKeyCreation` constraint temporarily during the process.
![Google Workspace IAM & Admin](/docs-static/img/how-to-guides/google-workspace-sync/9ECRJqC.png)
![Google Workspace IAM & Admin](/docs-static/img/manage/team/idp-sync/google-workspace-sync/9ECRJqC.png)
If you lack the required role, contact your organization's IT department or the person who set up your Google Cloud account.
@@ -70,7 +70,7 @@ If you lack the required role, contact your organization's IT department or the
Once you have the necessary permissions, you can create the NetBird project in GCP.
![NetBird Create NetBird Project](/docs-static/img/how-to-guides/google-workspace-sync/GBbcnt3.png)
![NetBird Create NetBird Project](/docs-static/img/manage/team/idp-sync/google-workspace-sync/GBbcnt3.png)
Let's go through the required steps:
@@ -81,7 +81,7 @@ Let's go through the required steps:
* Ensure the proper organization is selected in the `Organization` field.
* Click `CREATE`.
![Google Workspace New Project](/docs-static/img/how-to-guides/google-workspace-sync/sGLG0tX.png)
![Google Workspace New Project](/docs-static/img/manage/team/idp-sync/google-workspace-sync/sGLG0tX.png)
To let `NetBird` authenticate and access Google Workspace, you must enable the `Admin SDK API`. Heres how to do it:
@@ -89,19 +89,19 @@ To let `NetBird` authenticate and access Google Workspace, you must enable the `
* Navigate to [https://console.cloud.google.com/apis/library/admin.googleapis.com](https://console.cloud.google.com/apis/library/admin.googleapis.com)
* Click the `Enable` button.
![Google Workspace Admin SDK API](/docs-static/img/how-to-guides/google-workspace-sync/ij3niha.png)
![Google Workspace Admin SDK API](/docs-static/img/manage/team/idp-sync/google-workspace-sync/ij3niha.png)
## Creating the NetBird Service Account
Once you create the project, you can set up the `NetBird` service account. On NetBird, click `Continue →`. That will show you a summary of the required steps.
![NetBird Create Service Account](/docs-static/img/how-to-guides/google-workspace-sync/tRbBQsR.png)
![NetBird Create Service Account](/docs-static/img/manage/team/idp-sync/google-workspace-sync/tRbBQsR.png)
Here are the step-by-step instructions:
Navigate to [https://console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials), click `CREATE CREDENTIALS` at the top menu and select `Service account` from the dropdown list.
![Google Workspace Service Account](/docs-static/img/how-to-guides/google-workspace-sync/rDU0Puv.png)
![Google Workspace Service Account](/docs-static/img/manage/team/idp-sync/google-workspace-sync/rDU0Puv.png)
Complete the form with the supplied values:
* `NerBird` for the service account name
@@ -109,43 +109,43 @@ Complete the form with the supplied values:
Click `DONE` when ready.
![Google Workspace Service Account Details](/docs-static/img/how-to-guides/google-workspace-sync/WzqMsmW.png)
![Google Workspace Service Account Details](/docs-static/img/manage/team/idp-sync/google-workspace-sync/WzqMsmW.png)
## Getting Your Service Account Email
On NetBird, click `Continue →`. Youll need to provide the email of the service account.
![NetBird Get Service Account Email](/docs-static/img/how-to-guides/google-workspace-sync/IBEGQD8.png)
![NetBird Get Service Account Email](/docs-static/img/manage/team/idp-sync/google-workspace-sync/IBEGQD8.png)
You can copy the email from the `Credentials` page.
![Google Workspace Service Account Email](/docs-static/img/how-to-guides/google-workspace-sync/Z4CQd9O.png)
![Google Workspace Service Account Email](/docs-static/img/manage/team/idp-sync/google-workspace-sync/Z4CQd9O.png)
## Creating a New Service Account Key
Back on NetBird, click `Continue →`. Youll see a summary of how to create a service account key.
![NetBird Create Service Account Key](/docs-static/img/how-to-guides/google-workspace-sync/MGgCzky.png)
![NetBird Create Service Account Key](/docs-static/img/manage/team/idp-sync/google-workspace-sync/MGgCzky.png)
First, click on the service account email to show its details.
![Google Workspace Service Account Details](/docs-static/img/how-to-guides/google-workspace-sync/JWdAg4R.png)
![Google Workspace Service Account Details](/docs-static/img/manage/team/idp-sync/google-workspace-sync/JWdAg4R.png)
Next, click the `Keys` tab. Open the `ADD KEY` drop-down menu and select `Create new key` from the list.
![Google Workspace Create New Key](/docs-static/img/how-to-guides/google-workspace-sync/gUQ4XAd.png)
![Google Workspace Create New Key](/docs-static/img/manage/team/idp-sync/google-workspace-sync/gUQ4XAd.png)
A new pop-up window will open, select `JSON` as indicated below:
![Google Workspace New Key Format](/docs-static/img/how-to-guides/google-workspace-sync/WZWFp1Z.png)
![Google Workspace New Key Format](/docs-static/img/manage/team/idp-sync/google-workspace-sync/WZWFp1Z.png)
The key will automatically download to your local device. The new key will also appear as `active` in the `KEYS` tab.
![Google Workspace Copy New Key](/docs-static/img/how-to-guides/google-workspace-sync/bSakeRS.png)
![Google Workspace Copy New Key](/docs-static/img/manage/team/idp-sync/google-workspace-sync/bSakeRS.png)
During service account key creation, you may encounter the following error:
![Google Workspace Key Creation Error](/docs-static/img/how-to-guides/google-workspace-sync/mU2qAwe.png)
![Google Workspace Key Creation Error](/docs-static/img/manage/team/idp-sync/google-workspace-sync/mU2qAwe.png)
If thats the case, activate Google Cloud Shell on the top menu (shell icon) and enter the following command:
@@ -157,21 +157,21 @@ Remember to replace `ORGANIZATION_ID` with your organization ID.
Now, you can upload the service account key to NetBird. After a successful upload, you'll see the key listed in the NetBird interface.
![NetBird Paste New Key](/docs-static/img/how-to-guides/google-workspace-sync/g8omqCt.png)
![NetBird Paste New Key](/docs-static/img/manage/team/idp-sync/google-workspace-sync/g8omqCt.png)
## Creating a New Admin Role in Google Workspace
After creating the service account in GCP and uploading its secret key, return to NetBird and click 'Continue →'. The next steps will guide you through creating a role in Google Workspace for this service account
![NetBird Create Admin Role](/docs-static/img/how-to-guides/google-workspace-sync/F80lm4H.png)
![NetBird Create Admin Role](/docs-static/img/manage/team/idp-sync/google-workspace-sync/F80lm4H.png)
Navigate to Google Workspace [Admin Console](https://admin.google.com/ac/home). Select `Account` on the left menu and then click `Admin Roles`
![Google Workspace Admin Roles](/docs-static/img/how-to-guides/google-workspace-sync/X1CYEHq.png)
![Google Workspace Admin Roles](/docs-static/img/manage/team/idp-sync/google-workspace-sync/X1CYEHq.png)
Click `Create new role`
![Google Workspace Create New Role](/docs-static/img/how-to-guides/google-workspace-sync/pmeCOd4.png)
![Google Workspace Create New Role](/docs-static/img/manage/team/idp-sync/google-workspace-sync/pmeCOd4.png)
Fill in the form with the values provided in NetBird:
* Name: `User and Group Management ReadOnly`
@@ -179,13 +179,13 @@ Fill in the form with the values provided in NetBird:
When done, click `CONTINUE`
![Google Workspace Create Role](/docs-static/img/how-to-guides/google-workspace-sync/HLddKPh.png)
![Google Workspace Create Role](/docs-static/img/manage/team/idp-sync/google-workspace-sync/HLddKPh.png)
## Granting Role Privileges
Return to NetBird and click `Continue →`. The next screen shows the privileges needed for the Admin API.
![NetBird Add Role Privileges](/docs-static/img/how-to-guides/google-workspace-sync/IZn8XWY.png)
![NetBird Add Role Privileges](/docs-static/img/manage/team/idp-sync/google-workspace-sync/IZn8XWY.png)
Back to Google Workspace, enter `admin api` in the search bar and enable the following privileges for the Admin API:
* Users: `Read`
@@ -193,58 +193,58 @@ Back to Google Workspace, enter `admin api` in the search bar and enable the fol
Then, click `CONTINUE`
![Google Workspace Select Privileges](/docs-static/img/how-to-guides/google-workspace-sync/nKLJX2H.png)
![Google Workspace Select Privileges](/docs-static/img/manage/team/idp-sync/google-workspace-sync/nKLJX2H.png)
Review the Admin API privileges to verify they are correct and click `CREATE ROLE` when ready.
![Google Workspace Review Privileges](/docs-static/img/how-to-guides/google-workspace-sync/METhl2T.png)
![Google Workspace Review Privileges](/docs-static/img/manage/team/idp-sync/google-workspace-sync/METhl2T.png)
## Assigning Admin API Privileges to Google Cloud Service Account
In NetBird, click `Continue →`. For convenience, you can copy the service account Email from this screen and use it to grant it the necessary permissions in Google Workspace.
![NetBird Assign Service Account](/docs-static/img/how-to-guides/google-workspace-sync/jhgTfsk.png)
![NetBird Assign Service Account](/docs-static/img/manage/team/idp-sync/google-workspace-sync/jhgTfsk.png)
Then, in Google Workspace, click on `Assign service accounts` as shown below:
![Google Workspace Assign Service Account](/docs-static/img/how-to-guides/google-workspace-sync/HHzmRAL.png)
![Google Workspace Assign Service Account](/docs-static/img/manage/team/idp-sync/google-workspace-sync/HHzmRAL.png)
Paste the service account Email address and click the `ADD` button.
![Google Workspace Add Service Account](/docs-static/img/how-to-guides/google-workspace-sync/ZYSw3KZ.png)
![Google Workspace Add Service Account](/docs-static/img/manage/team/idp-sync/google-workspace-sync/ZYSw3KZ.png)
Verify the Email and click `ASSIGN ROLE` to grant the role `User and Group Management ReadOnly` to the `NetBird` service account.
![Google Workspace Assign Role](/docs-static/img/how-to-guides/google-workspace-sync/rPYNLz1.png)
![Google Workspace Assign Role](/docs-static/img/manage/team/idp-sync/google-workspace-sync/rPYNLz1.png)
## Entering Customer ID
Go back to NetBird and click `Continue →`. The next screen will prompt you to enter your Google Workspace Customer ID.
![NetBird Enter Customer ID](/docs-static/img/how-to-guides/google-workspace-sync/q6tuStz.png)
![NetBird Enter Customer ID](/docs-static/img/manage/team/idp-sync/google-workspace-sync/q6tuStz.png)
To get your customer ID, navigate to [Account Settings](https://admin.google.com/ac/accountsettings/profile?hl=en_US) and copy the corresponding ID.
![Google Workspace Customer ID](/docs-static/img/how-to-guides/google-workspace-sync/443kaDt.png)
![Google Workspace Customer ID](/docs-static/img/manage/team/idp-sync/google-workspace-sync/443kaDt.png)
## Synchronizing Google Workspace Groups and Users
Return to NetBird. The next two screens allow you to select which Google Workspace groups and users you want to synchronize. By default, NetBird synchronizes all groups and users. If you're okay with syncing everything, click `Continue` on both screens.
![NetBird Groups Sync](/docs-static/img/how-to-guides/google-workspace-sync/gAgKeL0.png)
![NetBird Groups Sync](/docs-static/img/manage/team/idp-sync/google-workspace-sync/gAgKeL0.png)
You can also click on `+ Add group (or user group) filter` to change this settings as you see fit. To finish the integration process, click the `Connect` button.
![NetBird Users Sync](/docs-static/img/how-to-guides/google-workspace-sync/6Huo7vW.png)
![NetBird Users Sync](/docs-static/img/manage/team/idp-sync/google-workspace-sync/6Huo7vW.png)
The next screen, should be similar the following one, verifying that the integration was successful:
![NetBird Google Workspace Enabled](/docs-static/img/how-to-guides/google-workspace-sync/EkPJqpJ.png)
![NetBird Google Workspace Enabled](/docs-static/img/manage/team/idp-sync/google-workspace-sync/EkPJqpJ.png)
To verify the integration is working correctly, you can also navigate to `Team` > `Users`. Here, you should see your synchronized Google Workspace users listed.
![NetBird Users](/docs-static/img/how-to-guides/google-workspace-sync/5AcaIqW.png)
![NetBird Users](/docs-static/img/manage/team/idp-sync/google-workspace-sync/5AcaIqW.png)
The users should be the same listed in Google Workspace Admin console:
![Google Workspace Users](/docs-static/img/how-to-guides/google-workspace-sync/BPfboem.png)
![Google Workspace Users](/docs-static/img/manage/team/idp-sync/google-workspace-sync/BPfboem.png)

16
src/pages/how-to/idp-sync.mdx → src/pages/manage/team/idp-sync/index.mdx
View File

@@ -1,7 +1,7 @@
# Provision Users and Groups From Your Identity Provider
<p>
<img src="/docs-static/img/how-to-guides/supported-identity-providers.png" alt="supported-identity-providers"
<img src="/docs-static/img/manage/team/idp-sync/supported-identity-providers.png" alt="supported-identity-providers"
className="imagewrapper-big"/>
</p>
@@ -16,7 +16,7 @@ synchronized from your identity provider to NetBird, granting appropriate networ
revoking access for departing employees.
NetBird allows you to use synchronized groups to create [access control policies](/manage/access-control/manage-network-access#creating-policies),
or update network configurations like [DNS](/how-to/manage-dns-in-your-network#distribution-groups),
or update network configurations like [DNS](/manage/dns#distribution-groups),
eliminating the need for manual grouping.
<Note>
@@ -35,11 +35,11 @@ offboarding scenarios:
NetBird provides native support for syncing with the most popular identify providers.
For detailed setup and configuration steps, select an IdP from the section below:
* [Entra ID (Azure AD)](/how-to/microsoft-entra-id-sync)
* [Okta](/how-to/okta-sync)
* [Google Workspace](/how-to/google-workspace-sync)
* [JumpCloud](/how-to/jumpcloud-sync)
* [Keycloak](/how-to/keycloak-sync)
* [Entra ID (Azure AD)](/manage/team/idp-sync/microsoft-entra-id-sync)
* [Okta](/manage/team/idp-sync/okta-sync)
* [Google Workspace](/manage/team/idp-sync/google-workspace-sync)
* [JumpCloud](/manage/team/idp-sync/jumpcloud-sync)
* [Keycloak](/manage/team/idp-sync/keycloak-sync)
### Generic SCIM
@@ -49,6 +49,6 @@ SCIM is a standardized protocol that works with most modern identity providers,
If your provider is not listed above, contact us at support@netbird.io for assistance with your specific IdP setup.
<p>
<img src="/docs-static/img/how-to-guides/generic-scim.png" alt="generic-scim"
<img src="/docs-static/img/manage/team/idp-sync/generic-scim.png" alt="generic-scim"
className="imagewrapper-big"/>
</p>

22
src/pages/how-to/jumpcloud-sync.mdx → src/pages/manage/team/idp-sync/jumpcloud-sync.mdx
View File

@@ -19,7 +19,7 @@ These roles have the required permissions to configure SSO applications and mana
## Setting Up SSO with JumpCloud
Before configuring SCIM provisioning, you must first set up Single Sign-On (SSO) with JumpCloud. Please follow the detailed setup instructions in our [Single Sign-On guide for JumpCloud](/how-to/single-sign-on#jump-cloud).
Before configuring SCIM provisioning, you must first set up Single Sign-On (SSO) with JumpCloud. Please follow the detailed setup instructions in our [Single Sign-On guide for JumpCloud](/manage/team/single-sign-on#jump-cloud).
Once SSO is configured, and you can successfully log in to NetBird using your JumpCloud credentials, you can proceed with the SCIM setup below.
@@ -27,11 +27,11 @@ Once SSO is configured, and you can successfully log in to NetBird using your Ju
To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity Provider Sync` in your NetBird dashboard.
![NetBird Jumpcloud Integration](/docs-static/img/how-to-guides/jumpcloud-sync/jumpcloud-connect.png)
![NetBird Jumpcloud Integration](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-connect.png)
Click the `Connect Jumpcloud` button to begin the configuration process.
![NetBird Jumpcloud Getting Started](/docs-static/img/how-to-guides/jumpcloud-sync/jumpcloud-scim-getting-started.png)
![NetBird Jumpcloud Getting Started](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-getting-started.png)
Click `Get Started` to launch the configuration wizard. You will be guided through several configuration options:
@@ -39,7 +39,7 @@ Click `Get Started` to launch the configuration wizard. You will be guided throu
By default, all groups assigned to the NetBird application in JumpCloud will be synchronized. If you want to synchronize only assigned groups that start with a specific prefix, you can specify them in the filter. Keep in mind that the prefix matching is case-sensitive.
![NetBird Jumpcloud Group Filter](/docs-static/img/how-to-guides/jumpcloud-sync/jumpcloud-scim-group-filter.png)
![NetBird Jumpcloud Group Filter](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-group-filter.png)
Click `Continue` to proceed to the next step.
@@ -47,7 +47,7 @@ Click `Continue` to proceed to the next step.
By default, all users from the groups assigned to the NetBird application will be synchronized. If you want to further filter and synchronize only users from specific assigned groups, you can specify those group names in the filter. The group name matching is case-sensitive.
![NetBird Jumpcloud User Group Filter](/docs-static/img/how-to-guides/jumpcloud-sync/jumpcloud-scim-user-group-filter.png)
![NetBird Jumpcloud User Group Filter](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-user-group-filter.png)
Click `Continue` to generate your SCIM credentials.
@@ -55,11 +55,11 @@ Click `Continue` to generate your SCIM credentials.
NetBird will generate the SCIM credentials required to configure JumpCloud. Make note of both the **Base URL** and **Token Key** as you will need them in the next section to complete the JumpCloud configuration.
![NetBird Jumpcloud SCIM Credentials](/docs-static/img/how-to-guides/jumpcloud-sync/jumpcloud-scim-credentials.png)
![NetBird Jumpcloud SCIM Credentials](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-credentials.png)
Click `Finish Setup` to complete the NetBird SCIM configuration.
![NetBird Jumpcloud SCIM Enabled](/docs-static/img/how-to-guides/jumpcloud-sync/jumpcloud-scim-enabled.png)
![NetBird Jumpcloud SCIM Enabled](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-enabled.png)
You can now proceed to configure the SCIM application in JumpCloud using the credentials generated above.
@@ -76,13 +76,13 @@ In the **Configuration Settings** section, enter the following SCIM Service Prov
* **Token Key**: Paste the Bearer token you copied from NetBird
* **Test User Email**: Provide a new, unused email address for testing (e.g., `test@yourdomain.com`)
![JumpCloud SCIM Configuration](/docs-static/img/how-to-guides/jumpcloud-sync/jumpcloud-scim-config.png)
![JumpCloud SCIM Configuration](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-config.png)
* Click `Test Connection` to verify the SCIM connection
If the connection is successful, you'll see a success message. Click `Activate` to enable SCIM provisioning.
![JumpCloud SCIM Test Success](/docs-static/img/how-to-guides/jumpcloud-sync/jumpcloud-scim-activated.png)
![JumpCloud SCIM Test Success](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-scim-activated.png)
## Assigning Groups for SCIM Synchronization
@@ -95,7 +95,7 @@ In your [JumpCloud admin console](https://console.jumpcloud.com/):
* Select the groups whose members you want to synchronize to NetBird
* Click `Save` to apply the changes
![JumpCloud Assign Groups](/docs-static/img/how-to-guides/jumpcloud-sync/jumpcloud-assign-groups.png)
![JumpCloud Assign Groups](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/jumpcloud-assign-groups.png)
Once saved, JumpCloud will automatically synchronize the selected groups and their user memberships to NetBird.
@@ -104,7 +104,7 @@ Once saved, JumpCloud will automatically synchronize the selected groups and the
After assigning groups in JumpCloud, the synchronization will begin automatically. You can verify that users and groups
have been successfully synchronized by navigating to `Team > Users` in your NetBird dashboard.
![NetBird Verify Users](/docs-static/img/how-to-guides/jumpcloud-sync/netbird-verify-users.png)
![NetBird Verify Users](/docs-static/img/manage/team/idp-sync/jumpcloud-sync/netbird-verify-users.png)
<Note>
SCIM provisioning will manage only resources that are created through Jumpcloud. Any resources created directly in NetBird will not be managed by SCIM.

36
src/pages/how-to/keycloak-sync.mdx → src/pages/manage/team/idp-sync/keycloak-sync.mdx
View File

@@ -17,11 +17,11 @@ Before you begin the integration process, ensure you have the necessary permissi
Once the SCIM plugin is installed, you should see the SCIM section available in your Keycloak admin console.
![Keycloak SCIM Installed](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-installed.png)
![Keycloak SCIM Installed](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-installed.png)
## Setting Up SSO with Keycloak
Before configuring SCIM provisioning, you must first set up Single Sign-On (SSO) with Keycloak. Please follow the detailed setup instructions in our [Single Sign-On guide for Keycloak](/how-to/single-sign-on#keycloak).
Before configuring SCIM provisioning, you must first set up Single Sign-On (SSO) with Keycloak. Please follow the detailed setup instructions in our [Single Sign-On guide for Keycloak](/manage/team/single-sign-on#keycloak).
Once SSO is configured, and you can successfully log in to NetBird using your Keycloak credentials, you can proceed with the SCIM setup below.
@@ -29,11 +29,11 @@ Once SSO is configured, and you can successfully log in to NetBird using your Ke
To enable SCIM synchronization in NetBird, navigate to `Integrations > Identity Provider Sync` in your NetBird dashboard.
![NetBird Keycloak Integration](/docs-static/img/how-to-guides/keycloak-sync/keycloak-connect.png)
![NetBird Keycloak Integration](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-connect.png)
Click the `Connect Generic SCIM` button to begin the configuration process.
![NetBird Keycloak Getting Started](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-getting-started.png)
![NetBird Keycloak Getting Started](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-getting-started.png)
Click `Get Started` to launch the configuration wizard. You will be guided through several configuration options:
@@ -41,7 +41,7 @@ Click `Get Started` to launch the configuration wizard. You will be guided throu
By default, all groups mapped in the Keycloak SCIM client will be synchronized. If you want to synchronize only groups that start with a specific prefix, you can specify them in the filter. Keep in mind that the prefix matching is case-sensitive.
![NetBird Keycloak Group Filter](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-group-filter.png)
![NetBird Keycloak Group Filter](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-group-filter.png)
Click `Continue` to proceed to the next step.
@@ -49,7 +49,7 @@ Click `Continue` to proceed to the next step.
By default, all users from the mapped groups will be synchronized. If you want to further filter and synchronize only users from specific groups, you can specify those group names in the filter. The group name matching is case-sensitive.
![NetBird Keycloak User Group Filter](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-user-group-filter.png)
![NetBird Keycloak User Group Filter](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-user-group-filter.png)
Click `Continue` to generate your SCIM credentials.
@@ -57,11 +57,11 @@ Click `Continue` to generate your SCIM credentials.
NetBird will generate the SCIM credentials required to configure Keycloak. Make note of both the **Base URL** and **Token Key** as you will need them in the next section to complete the Keycloak configuration.
![NetBird Keycloak SCIM Credentials](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-credentials.png)
![NetBird Keycloak SCIM Credentials](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-credentials.png)
Click `Finish Setup` to complete the NetBird SCIM configuration.
![NetBird Keycloak SCIM Enabled](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-enabled.png)
![NetBird Keycloak SCIM Enabled](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-enabled.png)
You can now proceed to configure the SCIM client in Keycloak using the credentials generated above.
@@ -71,11 +71,11 @@ To configure SCIM in Keycloak, you need to access the SCIM Administration Consol
Navigate to the SCIM Administration Console. On the first login screen, enter your realm name (e.g., `netbird`) and click `Start Login`.
![Keycloak SCIM Login](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-login.png)
![Keycloak SCIM Login](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-login.png)
Once logged in, navigate to the `SCIM Client` menu and click on `Remote SCIM Provider`. Then click the `+` button to add a new service provider configuration.
![Keycloak SCIM Remote Provider](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-remote-provider.png)
![Keycloak SCIM Remote Provider](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-remote-provider.png)
In the SCIM Remote Provider Configuration form, fill out the following sections:
@@ -89,7 +89,7 @@ In the SCIM Remote Provider Configuration form, fill out the following sections:
* **Base URL**: Paste the Base URL you copied from NetBird (e.g., `https://api.netbird.io/api/scim/v2`)
* **Hostname-Verifier Enabled**: Enable this checkbox
![Keycloak SCIM Configuration](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-config.png)
![Keycloak SCIM Configuration](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-config.png)
**Authentication:**
* **Authentication Type**: Select `Long Life Bearer Token Authentication`
@@ -97,20 +97,20 @@ In the SCIM Remote Provider Configuration form, fill out the following sections:
Click `Add` to save the configuration.
![Keycloak SCIM Authentication](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-authentication.png)
![Keycloak SCIM Authentication](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-authentication.png)
After adding the configuration, click `Save Configuration` and then click `Use default Configuration` to apply the settings.
The default schema for the SCIM provider will be created automatically.
![Keycloak SCIM Default Schema](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-default-schema.png)
![Keycloak SCIM Default Schema](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-default-schema.png)
Next, assign the SCIM provider to your realm. Click the `Realm Assignment` tab to view all available realms.
![Keycloak SCIM Realm Assignment](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-realm-assignment.png)
![Keycloak SCIM Realm Assignment](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-realm-assignment.png)
Find your realm (e.g., `netbird`) and click `Assign to Realm` to enable SCIM synchronization for that realm.
![Keycloak SCIM Realm Assigned](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-realm-assigned.png)
![Keycloak SCIM Realm Assigned](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-realm-assigned.png)
## Configure Resource Filtering
@@ -120,7 +120,7 @@ To control which specific groups and users should be synchronized, you need to c
Under the `SCIM Client` menu section, click on `Remote SCIM Provider`, then click `Edit` in the NetBird provider row.
Select the `Resource Filtering Rules` tab.
![Keycloak SCIM Resource Filtering](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-resource-filtering.png)
![Keycloak SCIM Resource Filtering](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-resource-filtering.png)
**User Filtering**
@@ -140,7 +140,7 @@ To synchronize only groups that match specific criteria, configure the group fil
* **Comparator**: Select `Contains`
* **Comparison Value**: Enter the text that should be contained in the group name
![Keycloak SCIM Filtering Configuration](/docs-static/img/how-to-guides/keycloak-sync/keycloak-scim-filtering-config.png)
![Keycloak SCIM Filtering Configuration](/docs-static/img/manage/team/idp-sync/keycloak-sync/keycloak-scim-filtering-config.png)
<Note>
By default, Keycloak SCIM will not automatically push existing users and groups after the initial configuration.
@@ -153,7 +153,7 @@ Groups where you can manually trigger the initial sync.
After configuring mappings in Keycloak, the synchronization will begin based on your schedule settings. You can verify that users and groups
have been successfully synchronized by navigating to `Team > Users` in your NetBird dashboard.
![NetBird Verify Users](/docs-static/img/how-to-guides/keycloak-sync/netbird-verify-users.png)
![NetBird Verify Users](/docs-static/img/manage/team/idp-sync/keycloak-sync/netbird-verify-users.png)
<Note>
SCIM provisioning will manage only resources that are created through Keycloak. Any resources created directly in

46
src/pages/how-to/microsoft-entra-id-sync.mdx → src/pages/manage/team/idp-sync/microsoft-entra-id-sync.mdx
View File

@@ -15,7 +15,7 @@ To get started, navigate to [Integrations](https://app.netbird.io/integrations)
`Identity Provider` integration. Click the `Entra ID (Azure AD)` button. This action will trigger a pop-up window that will
present you with a user-friendly wizard, guiding you through the synchronization process between NetBird and Azure AD.
![NetBird Get Started IdP](/docs-static/img/how-to-guides/microsoft-entra-id-sync/FkdC8BV.png)
![NetBird Get Started IdP](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/FkdC8BV.png)
## Prerequisites
@@ -33,7 +33,7 @@ To check your permissions:
* Expand the `Manage` tab and click on `Roles and administrators` in the left menu.
* Look for your username and verify if you're assigned any of the above roles.
![EntraID Roles](/docs-static/img/how-to-guides/microsoft-entra-id-sync/lDyaAeV.png)
![EntraID Roles](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/lDyaAeV.png)
If you don't have the required permissions, contact your Azure AD administrator to grant you the appropriate role before proceeding with the NetBird integration.
@@ -48,21 +48,21 @@ A new wizard screen will appear, offering step-by-step instructions for creating
* Redirect Type
* Redirect URI
![NetBird Create Application](/docs-static/img/how-to-guides/microsoft-entra-id-sync/oI0Pjai.png)
![NetBird Create Application](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/oI0Pjai.png)
For convenience, click on [Azure Active Directory](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview) (step 1). That will open the Azure dashboard. Navigate to `App registrations` in the left menu and then click `+New registration` as indicated below:
![EntraID App Registration](/docs-static/img/how-to-guides/microsoft-entra-id-sync/Yxxktk6.png)
![EntraID App Registration](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/Yxxktk6.png)
Fill in the required information:
![EntraID Register an App](/docs-static/img/how-to-guides/microsoft-entra-id-sync/1t8qbfK.png)
![EntraID Register an App](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/1t8qbfK.png)
After entering all required information, click the `Register` button at the bottom of the form to finalize the application registration process.
Upon successful registration, you'll be redirected to a confirmation screen similar to the following:
![EntraID App Registered](/docs-static/img/how-to-guides/microsoft-entra-id-sync/7WYZMW6.png)
![EntraID App Registered](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/7WYZMW6.png)
Copy and securely store the generated `Application (client) ID` and `Directory (tenant) ID` as you will need them shortly.
@@ -70,23 +70,23 @@ Copy and securely store the generated `Application (client) ID` and `Directory (
On the NetBird dashboard click the `Continue →` button. A new wizard screen will appear, this time, offering step-by-step instructions for setting up API permissions.
![NetBird Add API Permissions](/docs-static/img/how-to-guides/microsoft-entra-id-sync/0A98Xm9.png)
![NetBird Add API Permissions](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/0A98Xm9.png)
Back to Azure, in the `App registrations` screen, click on `Manage` in the left menu to expand it and then click on `API permissions`:
![EntraID API Permissions](/docs-static/img/how-to-guides/microsoft-entra-id-sync/V0aRf7f.png)
![EntraID API Permissions](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/V0aRf7f.png)
Look for the `+ Add a permission` button, located near the top of the permissions list and click on it.
![EntraID API Permissions Screen](/docs-static/img/how-to-guides/microsoft-entra-id-sync/Qy9lDMF.png)
![EntraID API Permissions Screen](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/Qy9lDMF.png)
A new pop-up window will appear, asking you to select an API. Click on `Microsoft Graph`.
![EntraID Microsoft Graph](/docs-static/img/how-to-guides/microsoft-entra-id-sync/tP7WqXO.png)
![EntraID Microsoft Graph](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/tP7WqXO.png)
On the next screen, click on the `Application permissions` button, which will let you select the appropriate permissions for NetBird to function correctly with your Microsoft Entra ID environment.
![EntraID Request API Permissions](/docs-static/img/how-to-guides/microsoft-entra-id-sync/zSkSGAm.png)
![EntraID Request API Permissions](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/zSkSGAm.png)
To assign user permissions:
@@ -94,17 +94,17 @@ To assign user permissions:
* In the search results, click on the `User` tab to expand it and view the available permissions.
* Click on the checkbox to select and enable the `User.Read.All` permission.
![EntraID UserReadAll](/docs-static/img/how-to-guides/microsoft-entra-id-sync/KHGbhqe.png)
![EntraID UserReadAll](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/KHGbhqe.png)
The `User.Read.All` permission allows NetBird to read the full set of profile properties, group memberships, and reports of the signed-in user and other users in your organization.
Next, repeat the procedure. This time, search for `Group.Read.All` and click on the checkbox to enable it as shown below:
![EntraID GroupReadAll](/docs-static/img/how-to-guides/microsoft-entra-id-sync/XDl3b7u.png)
![EntraID GroupReadAll](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/XDl3b7u.png)
Once done, click the `Add permissions` button. You will see a few warnings:
![EntraID API Permissions Warnings](/docs-static/img/how-to-guides/microsoft-entra-id-sync/OGWQWVH.png)
![EntraID API Permissions Warnings](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/OGWQWVH.png)
Locate the `Grant admin consent for [Your Organization Name]` button (youll find it next to `+Add a permission` button). Click on it to grant the required permissions.
@@ -112,21 +112,21 @@ A confirmation dialog will appear, asking you to verify this action. Review the
Once finished, the status of the permissions should change to `Granted for [Your Organization Name]`. Verify that all selected permissions now show a green checkmark, indicating they've been successfully granted:
![EntraID API Permissions Granted](/docs-static/img/how-to-guides/microsoft-entra-id-sync/bHb8HVZ.png)
![EntraID API Permissions Granted](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/bHb8HVZ.png)
## Create a Client Secret for Secure NetBird-Entra ID Authentication
Back to the NetBird dashboard, click the `Continue →` button. A new wizard screen will appear, showing instructions for generating a client secret in Entra ID.
![NetBird Generate Client Secret](/docs-static/img/how-to-guides/microsoft-entra-id-sync/xvLskEg.png)
![NetBird Generate Client Secret](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/xvLskEg.png)
On Azure, click on the `Certificates & secrets` button in the left menu to open the management page. Click on `+New client secret` as shown below. Choose an expiration time that suits your security needs and click the `Add` button.
![EntraID Add a Client Secret](/docs-static/img/how-to-guides/microsoft-entra-id-sync/WIercn5.png)
![EntraID Add a Client Secret](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/WIercn5.png)
A new client secret will be generated and displayed on the screen. Copy and securely store the `Value` field immediately, as you will needed in the next step.
![EntraID Client Secret Value](/docs-static/img/how-to-guides/microsoft-entra-id-sync/LimVmGI.png)
![EntraID Client Secret Value](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/LimVmGI.png)
## Enter Application ID and Directory ID in NetBird
@@ -134,7 +134,7 @@ Paste the secret `Value` from the previous step into NetBird and click the `Cont
Paste the values and click the `Continue →` button.
![NetBird Application ID and Directory](/docs-static/img/how-to-guides/microsoft-entra-id-sync/6yiGCtY.png)
![NetBird Application ID and Directory](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/6yiGCtY.png)
## Choose Groups to Synchronize from Entra ID
At this stage, NetBird is set to synchronize all groups from your Microsoft Entra ID by default. You have two options:
@@ -142,7 +142,7 @@ At this stage, NetBird is set to synchronize all groups from your Microsoft Entr
* If you want to synchronize all groups, simply click the `Continue →` button.
* To synchronize only specific groups, click the `+ Add group filter` button, which will open a new panel where you can set criteria to include or exclude groups.
![NetBird Group Sync](/docs-static/img/how-to-guides/microsoft-entra-id-sync/xyLPzxH.png)
![NetBird Group Sync](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/xyLPzxH.png)
## Choose Users to Synchronize from Entra ID
After configuring group synchronization, you'll now set up user synchronization. Similar than before, NetBird is configured to synchronize all users from your Microsoft Entra ID by default.
@@ -154,7 +154,7 @@ After configuring group synchronization, you'll now set up user synchronization.
You can modify these synchronization settings later if necessary.
</Note>
![NetBird Users Sync](/docs-static/img/how-to-guides/microsoft-entra-id-sync/bpwW1Bn.png)
![NetBird Users Sync](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/bpwW1Bn.png)
After configuring user and group synchronization, the setup wizard will finalize the process and you'll automatically return to the main Identity Provider screen.
@@ -173,14 +173,14 @@ These indicators confirm that:
You can manually trigger a sync or adjust settings by clicking on the Microsoft Entra ID section in the Identity Provider screen
</Note>
![NetBird Identity Provider Synchronized](/docs-static/img/how-to-guides/microsoft-entra-id-sync/DH5hxFK.png)
![NetBird Identity Provider Synchronized](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/DH5hxFK.png)
## Verify the Integration
To verify the synchronization, navigate to `Teams > Users` in the left menu.
You should see all the users and groups from your Microsoft Entra ID environment listed in the NetBird dashboard.
![NetBird Checking Integration](/docs-static/img/how-to-guides/microsoft-entra-id-sync/qlNlfgV.png)
![NetBird Checking Integration](/docs-static/img/manage/team/idp-sync/microsoft-entra-id-sync/qlNlfgV.png)
You can now proceed to configure [access control policies](/manage/access-control/manage-network-access#creating-policies) using the synchronized groups to allow or deny access to the
synchronized users.

56
src/pages/how-to/okta-sync.mdx → src/pages/manage/team/idp-sync/okta-sync.mdx
View File

@@ -21,7 +21,7 @@ to synchronize users and groups smoothly.
To set up SSO, go to `Integrations` in the NetBird admin console's left menu to access the Identity Provider integration page. Click the `Connect Okta` button to get started with the Okta-NetBird integration. This will open a pop-up window with detailed instructions on synchronizing NetBird and Okta.
![NetBird Okta Integration](/docs-static/img/how-to-guides/okta-sync/nwutb3Z.png)
![NetBird Okta Integration](/docs-static/img/manage/team/idp-sync/okta-sync/nwutb3Z.png)
## Prerequisites
@@ -41,14 +41,14 @@ To check your user permissions in Okta:
Confirm that you have one of the required roles before proceeding with the integration.
![Okta Check User Permissions](/docs-static/img/how-to-guides/okta-sync/AGPXpZN.png)
![Okta Check User Permissions](/docs-static/img/manage/team/idp-sync/okta-sync/AGPXpZN.png)
## Installing the NetBird Integration
Once you have the necessary permissions, you can set up the NetBird application. First, on NetBird, click `Continue →` to show a summary of the necessary steps.
![NetBird Connect NetBird with Okta](/docs-static/img/how-to-guides/okta-sync/dlgCUXo.png)
![NetBird Connect NetBird with Okta](/docs-static/img/manage/team/idp-sync/okta-sync/dlgCUXo.png)
Let's go through them one by one:
@@ -57,27 +57,27 @@ Let's go through them one by one:
* Click the `Browse App Catalog` button.
![Okta Browse App Catalog](/docs-static/img/how-to-guides/okta-sync/fkSaYnn.png)
![Okta Browse App Catalog](/docs-static/img/manage/team/idp-sync/okta-sync/fkSaYnn.png)
In the app catalog, enter "NetBird" in the search bar. Then, click the `Add Integration` button.
![Okta NetBird App](/docs-static/img/how-to-guides/okta-sync/dgxJ916.png)
![Okta NetBird App](/docs-static/img/manage/team/idp-sync/okta-sync/dgxJ916.png)
Accept the default application name and click the `Done` button. On the next screen, click the `Assign` dropdown and select `Assign to People`.
![Okta Assign People To NetBird App](/docs-static/img/how-to-guides/okta-sync/WQ8O1l7.png)
![Okta Assign People To NetBird App](/docs-static/img/manage/team/idp-sync/okta-sync/WQ8O1l7.png)
You will see a list of users. Find your user account, click `Assign`, and save the changes. Verify your user is assigned to the NetBird app and click `Done`.
![Okta Verify User Added To NetBird](/docs-static/img/how-to-guides/okta-sync/bteoM6j.png)
![Okta Verify User Added To NetBird](/docs-static/img/manage/team/idp-sync/okta-sync/bteoM6j.png)
After that, you will see your user listed in the NetBird application.
![Okta User Added To NetBird App](/docs-static/img/how-to-guides/okta-sync/IwaqFvj.png)
![Okta User Added To NetBird App](/docs-static/img/manage/team/idp-sync/okta-sync/IwaqFvj.png)
## Configuring SSO in Okta
@@ -86,7 +86,7 @@ The next step is to configure Okta-NetBird SSO integration.
In NetBird, click the `Continue →` button. A new wizard screen will appear, offering the instructions for retrieving Oktas OpenID Connect credentials. You can click `Close` and navigate to Okta.
![NetBird Connect NetBird with Okta Sharing Credentials](/docs-static/img/how-to-guides/okta-sync/AYVAbEy.png)
![NetBird Connect NetBird with Okta Sharing Credentials](/docs-static/img/manage/team/idp-sync/okta-sync/AYVAbEy.png)
* Click on the `Sign On` tab on Okta. Look for `OpenID Connect` under `Sign on methods` in the `Settings` section.
* Copy the `Client ID` value.
@@ -95,18 +95,18 @@ In NetBird, click the `Continue →` button. A new wizard screen will appear, of
Store these credentials securely, as you will need them soon.
![Okta Copy Credentials](/docs-static/img/how-to-guides/okta-sync/rl5Gelc.png)
![Okta Copy Credentials](/docs-static/img/manage/team/idp-sync/okta-sync/rl5Gelc.png)
* Click `Edit` in the `Settings` section.
* In `Credential Details`, change the `Application username format` from `Okta username` to `Email`.
* Click the `Save` button
![Okta OpenID Credential Details](/docs-static/img/how-to-guides/okta-sync/FWPf0Cu.png)
![Okta OpenID Credential Details](/docs-static/img/manage/team/idp-sync/okta-sync/FWPf0Cu.png)
* On the top right, click on your username
* Copy your [Okta account domain](https://developer.okta.com/docs/guides/find-your-domain/main/) as shown below:
![Okta Copy Domain](/docs-static/img/how-to-guides/okta-sync/eITyobI.png)
![Okta Copy Domain](/docs-static/img/manage/team/idp-sync/okta-sync/eITyobI.png)
The final step is to [send an email to the NetBird team](support@netbird.io) with the authentication information you just retrieved:
@@ -123,23 +123,23 @@ This completes the first stage, enabling Single Sign-On (SSO) from NetBird's log
In NetBird, go to `Integrations > Identity Provider` and click on the `Connect to Okta` button.
![NetBird Connect to Okta](/docs-static/img/how-to-guides/okta-sync/QbzudIU.png)
![NetBird Connect to Okta](/docs-static/img/manage/team/idp-sync/okta-sync/QbzudIU.png)
You will see a reminder of the permissions your user will require in Okta. Click the `Get Started →` button to continue.
![NetBird User Permissions](/docs-static/img/how-to-guides/okta-sync/RBsJlzu.png)
![NetBird User Permissions](/docs-static/img/manage/team/idp-sync/okta-sync/RBsJlzu.png)
If you haven't already, you'll need to set up SSO in Okta. If you've completed the previous section, skip this step and click the `Continue →` button.
![NetBird SSO in Okta](/docs-static/img/how-to-guides/okta-sync/XYpJYW3.png)
![NetBird SSO in Okta](/docs-static/img/manage/team/idp-sync/okta-sync/XYpJYW3.png)
The next screen will show you how to enable NetBird API credentials in Okta. Copy the value of the `Authorization (Bearer)` token.
![NetBird Enable Okta SCIM](/docs-static/img/how-to-guides/okta-sync/aoPqKJR.png)
![NetBird Enable Okta SCIM](/docs-static/img/manage/team/idp-sync/okta-sync/aoPqKJR.png)
Navigate to the NetBird app in your Okta admin dashboard. Click the `Provisioning` tab, then select `Configure API Integration`.
![Okta Provisioning](/docs-static/img/how-to-guides/okta-sync/m27djab.png)
![Okta Provisioning](/docs-static/img/manage/team/idp-sync/okta-sync/m27djab.png)
Follow these steps:
@@ -147,11 +147,11 @@ Follow these steps:
* Enter your NetBird API Token.
* Click `Test API Credentials` to verify the SCIM connection.
![Okta Entering NetBird Bearer Token](/docs-static/img/how-to-guides/okta-sync/Wn6f9Pj.png)
![Okta Entering NetBird Bearer Token](/docs-static/img/manage/team/idp-sync/okta-sync/Wn6f9Pj.png)
If everything works as expected, you'll see the message: "NetBird was verified successfully!" as shown below. Click `Save` to continue.
![Okta Token Accepted](/docs-static/img/how-to-guides/okta-sync/7ELQBIA.png)
![Okta Token Accepted](/docs-static/img/manage/team/idp-sync/okta-sync/7ELQBIA.png)
## Configuring SCIM Provisioning to NetBird
@@ -161,7 +161,7 @@ On NetBird, click `Continue →`. You'll see instructions for configuring SCIM p
Back to Okta, click `Edit` as shown below.
![Okta Edit NetBird App](/docs-static/img/how-to-guides/okta-sync/AcuWP2G.png)
![Okta Edit NetBird App](/docs-static/img/manage/team/idp-sync/okta-sync/AcuWP2G.png)
Enable Okta to create, update, and deactivate NetBird users by checking the corresponding boxes:
@@ -171,45 +171,45 @@ Enable Okta to create, update, and deactivate NetBird users by checking the corr
When done, click `Save`.
![Okta Enable Create Users and More](/docs-static/img/how-to-guides/okta-sync/JD0EHVI.png)
![Okta Enable Create Users and More](/docs-static/img/manage/team/idp-sync/okta-sync/JD0EHVI.png)
## Assigning NetBird Application to Okta Groups
In NetBird, click `Continue →`, you'll see the steps for assigning the NetBird integration to Okta groups.
![NetBird Sync Groups to NetBird](/docs-static/img/how-to-guides/okta-sync/fLHSNsd.png)
![NetBird Sync Groups to NetBird](/docs-static/img/manage/team/idp-sync/okta-sync/fLHSNsd.png)
* Navigate to the `Assignments` tab.
* Similar than before when you assigned your user to NetBird app, click the `Assign` button
* This time, select `Assign to Groups`.
* Select Okta groups that you want to assign to the NetBird app.
![Okta Assign NetBird to Groups](/docs-static/img/how-to-guides/okta-sync/yGV0u5Y.png)
![Okta Assign NetBird to Groups](/docs-static/img/manage/team/idp-sync/okta-sync/yGV0u5Y.png)
Once you assign the desired groups, click `Done`. You'll see the selected groups listed in Okta.
![Okta NetBird Groups](/docs-static/img/how-to-guides/okta-sync/mxkdWc0.png)
![Okta NetBird Groups](/docs-static/img/manage/team/idp-sync/okta-sync/mxkdWc0.png)
## Push Okta Groups to NetBird
One more time, go to NetBird and click `Continue →`. You'll see the final instructions to push Okta groups to NetBird.
![NetBird Sync Groups to NetBird](/docs-static/img/how-to-guides/okta-sync/8TAvguS.png)
![NetBird Sync Groups to NetBird](/docs-static/img/manage/team/idp-sync/okta-sync/8TAvguS.png)
* In Okta, navigate to `Push Groups` tab
* Click the `Push Groups` button
* Select `Find groups by name`
* Search for specific groups to push to NetBird.
![XX](/docs-static/img/how-to-guides/okta-sync/uqUiTtg.png)
![XX](/docs-static/img/manage/team/idp-sync/okta-sync/uqUiTtg.png)
Once you finish, go back to NetBird and click `Finish Setup`. You can verify the synchronization by navigating to `Team > Users`
![XX](/docs-static/img/how-to-guides/okta-sync/GPTzvut.png)
![XX](/docs-static/img/manage/team/idp-sync/okta-sync/GPTzvut.png)
The users listed in NetBird should match those you created in Okta.
![XX](/docs-static/img/how-to-guides/okta-sync/O1aoILr.png)
![XX](/docs-static/img/manage/team/idp-sync/okta-sync/O1aoILr.png)
<Note>
SCIM provisioning will manage only resources that are created through Okta. Any resources created directly in NetBird will not be managed by SCIM.

42
src/pages/how-to/single-sign-on.mdx → src/pages/manage/team/single-sign-on.mdx
View File

@@ -21,13 +21,13 @@ If you're using Google Workspace, Microsoft Entra ID, or a supported social logi
setup—just click the appropriate button on the [login page](https://app.netbird.io/):
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/netbird-login.png" alt="netbird-login" className="imagewrapper"/>
<img src="/docs-static/img/manage/team/single-sign-on/netbird-login.png" alt="netbird-login" className="imagewrapper"/>
</p>
## Okta
If you are using Okta as your Identity Provider, sign up with any email address and then follow the steps described
in [this guide](/how-to/okta-sync#get-started-with-net-bird-okta-integration)
in [this guide](/manage/team/idp-sync/okta-sync#get-started-with-net-bird-okta-integration)
## OIDC-compliant IdPs
@@ -45,53 +45,53 @@ to integrate with NetBird. Below are the steps to set up different OIDC-complian
- Browse to the Applications Administration menu, click on Application, and then click on Create with Provider:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/authentik-idp/1-create-with-provider.png" alt="create-with-provider" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/1-create-with-provider.png" alt="create-with-provider" className="imagewrapper-big"/>
</p>
- Name the Application and select a suitable explicit user flow. In the example below, we used NetBird:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/authentik-idp/2-new-application.png" alt="new-application" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/2-new-application.png" alt="new-application" className="imagewrapper-big"/>
</p>
- Click Next and select the OAuth2/OpenID Provider Type:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/authentik-idp/3-new-application-type.png" alt="new-application" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/3-new-application-type.png" alt="new-application" className="imagewrapper-big"/>
</p>
- Click Next and select an explicit user authorization flow, then take note of the Client ID and Client Secret:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/authentik-idp/4-new-application-client-id.png" alt="new-application" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/4-new-application-client-id.png" alt="new-application" className="imagewrapper-big"/>
</p>
- Add the following redirect URL and select a signing key: <br/>
URL: `https://login.netbird.io/login/callback`
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/authentik-idp/5-new-application-sign.png" alt="new-application" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/5-new-application-sign.png" alt="new-application" className="imagewrapper-big"/>
</p>
- Click on Advanced protocol settings and ensure that the email, opened, and profile scopes are selected and that Based on the Users Hash ID is selected for Subject mode:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/authentik-idp/6-new-application-scopes.png" alt="new-application" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/6-new-application-scopes.png" alt="new-application" className="imagewrapper-big"/>
</p>
- Click Next on the following two screens and Submit to create the provider and application:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/authentik-idp/7-new-application-submit.png" alt="new-application" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/7-new-application-submit.png" alt="new-application" className="imagewrapper-big"/>
</p>
- You should see an application listed as follow:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/authentik-idp/8-list-applications.png" alt="list-applications" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/8-list-applications.png" alt="list-applications" className="imagewrapper-big"/>
</p>
2. We need to copy the OpenID Configuration URL for the new provider. You can do that by navigating to Providers in the left menu and then selecting the newly created provider. There you should see a windows similar to the following:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/authentik-idp/9-list-providers.png" alt="list-providers" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/9-list-providers.png" alt="list-providers" className="imagewrapper-big"/>
</p>
- Copy the OpenID Configuration URL.
@@ -117,19 +117,19 @@ https://password.link/en
- Browse to the clients Administration menu and then click in Create client:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/keycloak-idp/1-new-client.png" alt="new-client" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/1-new-client.png" alt="new-client" className="imagewrapper-big"/>
</p>
2. Create a client with the type OpenID Connect and add any client ID and name for the client:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/keycloak-idp/2-new-client-type.png" alt="new-client" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/2-new-client-type.png" alt="new-client" className="imagewrapper-big"/>
</p>
3. Click Next and enable the following options for Capability config:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/keycloak-idp/3-new-client-capability.png" alt="new-client" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/3-new-client-capability.png" alt="new-client" className="imagewrapper-big"/>
</p>
4. Click Next and fill the following fields:
@@ -138,7 +138,7 @@ https://password.link/en
Web origins: `+`
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/keycloak-idp/4-new-client-callback.png" alt="new-client" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/4-new-client-callback.png" alt="new-client" className="imagewrapper-big"/>
</p>
5. Click Save.
@@ -146,7 +146,7 @@ https://password.link/en
6. Next we need to retrieve the secret for the client, you can get that in the Credentials tab for the client:
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/keycloak-idp/5-new-client-credentials.png" alt="new-client" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/5-new-client-credentials.png" alt="new-client" className="imagewrapper-big"/>
</p>
7. Then, share the following information with the NetBird support team at support@netbird.io:
@@ -172,7 +172,7 @@ https://password.link/en
3. Enable Manage Single Sign-On (SSO), select Configure SSO with OIDC and click Next
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/jumpcloud-idp/jumpcloud-sso.png" alt="jumpcloud" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/jumpcloud-idp/jumpcloud-sso.png" alt="jumpcloud" className="imagewrapper-big"/>
</p>
4. Add NetBird as Display Label and click Next. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
@@ -180,7 +180,7 @@ https://password.link/en
5. Review the application setting and click Configure Application to proceed
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/jumpcloud-idp/jumpcloud-sso-config.png" alt="jumpcloud-idp" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/jumpcloud-idp/jumpcloud-sso-config.png" alt="jumpcloud-idp" className="imagewrapper-big"/>
</p>
6. On the New Application screen, go to the SSO tab and under Endpoint Configuration set the following values:
@@ -216,7 +216,7 @@ We recommend using a secure channel to share the Clients secret. You can send
3. Enter **NetBird** as the name, select **Single Page Web Applications** as the application type and click **Create**
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/auth0-idp/application-create.png" alt="auth0-application-create" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/auth0-idp/application-create.png" alt="auth0-application-create" className="imagewrapper-big"/>
</p>
4. On the New Application screen, go to the Settings tab and under Application URIs set the following values:
@@ -226,7 +226,7 @@ We recommend using a secure channel to share the Clients secret. You can send
- Allowed Web Origins: https://app.netbird.io
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/auth0-idp/application-configure.png" alt="auth0-application-configure" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/auth0-idp/application-configure.png" alt="auth0-application-configure" className="imagewrapper-big"/>
</p>
6. Record the **Client ID** and **Client Secret** that Auth0 generates for your application.
@@ -234,7 +234,7 @@ We recommend using a secure channel to share the Clients secret. You can send
7. Retrieve Application's **Domain** from the **Basic Information** tab
<p>
<img src="/docs-static/img/how-to-guides/single-sign-on/auth0-idp/application-domain.png" alt="auth0-application-domain" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/team/single-sign-on/auth0-idp/application-domain.png" alt="auth0-application-domain" className="imagewrapper-big"/>
</p>
8. Share following with our team. Please use a secure method for sharing the sensitive parts of this information:

2
src/pages/selfhosted/identity-providers.mdx
View File

@@ -1181,7 +1181,7 @@ This Auth0 API will be used to access NetBird Management Service API.
#### Step 4: Enable Interactive SSO Login (Optional)
The [Interactive SSO Login feature](/get-started/install#running-net-bird-with-sso-login) allows for machine
authorization with your Identity Provider. This feature can be used as an alternative to [setup keys](/how-to/register-machines-using-setup-keys)
authorization with your Identity Provider. This feature can be used as an alternative to [setup keys](/manage/peers/register-machines-using-setup-keys)
and is optional.
You can enable it by following these steps:

10
src/pages/selfhosted/self-hosted-vs-cloud-netbird.mdx
View File

@@ -34,12 +34,12 @@ The cloud-hosted version is more suitable for organizations that want a hassle-f
While the self-hosted and cloud-hosted versions share the same core connectivity features, the cloud-hosted version has
some additional features that are targeted at business customers and help with network automation and management. These features include:
- **[Users and groups provisioning](/how-to/idp-sync)** from your identity provider (IdP).
- **[Traffic events logging](/how-to/traffic-events-logging)** of connections to internal resources for audit and analysis.
- **[Event streaming](/how-to/activity-event-streaming)** to 3rd party platforms and SIEM systems.
- **[Users and groups provisioning](/manage/team/idp-sync)** from your identity provider (IdP).
- **[Traffic events logging](/manage/activity/traffic-events-logging)** of connections to internal resources for audit and analysis.
- **[Event streaming](/manage/activity/event-streaming)** to 3rd party platforms and SIEM systems.
- **[Integrations with EDR](/manage/access-control/endpoint-detection-and-response)** like CrowdStrike and others.
- **[Peer approval](/how-to/approve-peers)** to join the network.
- **[User invites](/how-to/add-users-to-your-network#direct-user-invites)**.
- **[Peer approval](/manage/peers/approve-peers)** to join the network.
- **[User invites](/manage/team/add-users-to-your-network#direct-user-invites)**.
- **[MSP functionality](/how-to/msp-portal)** for managing multiple tenant networks from a single account.
## Geo Distributed Relay Servers

0
src/pages/how-to/client-on-mikrotik-router.mdx → src/pages/use-cases/client-on-mikrotik-router.mdx
View File

4
src/pages/use-cases/distributed-multi-cloud-ai-argocd-microk8s-vllm.mdx
View File

@@ -98,7 +98,7 @@ helm install --create-namespace -f values.yaml -n netbird netbird-operator netbi
**Expose Kubernetes Control Plane to your NetBird Network**
To access your Kubernetes control plane from a NetBird network, you can expose your Kubernetes control plane as a [**NetBird resource**](https://docs.netbird.io/how-to/networks#resources) by enabling the following option in the operator values:
To access your Kubernetes control plane from a NetBird network, you can expose your Kubernetes control plane as a [**NetBird resource**](https://docs.netbird.io/manage/networks#resources) by enabling the following option in the operator values:
```jsx
ingres:
@@ -141,7 +141,7 @@ kubectl -n argocd annotate svc/argocd-server netbird.io/expose="true" netbird.
Next we will enable sidecars. **Why Sidecars?** The application controller needs to make API calls to remote MicroK8s clusters. The sidecar provides transparent network access to those clusters through the NetBird mesh.
To enable sidecar functionality in your deployments, you first need to generate a setup key, either via the UI (enable the **Ephemeral Peers** options) or by following [**this guide**](https://docs.netbird.io/how-to/register-machines-using-setup-keys) for more details on setup keys. We will inject side-cars to ArgoCD application controller so it can communicate with remote MicroK8s clusters.
To enable sidecar functionality in your deployments, you first need to generate a setup key, either via the UI (enable the **Ephemeral Peers** options) or by following [**this guide**](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys) for more details on setup keys. We will inject side-cars to ArgoCD application controller so it can communicate with remote MicroK8s clusters.
Note: We recommend checking out the section of our [Kubernetes Operator docs on using sidecars](https://docs.netbird.io/how-to/kubernetes-operator#accessing-remote-services-using-sidecars) for more context and detail.

4
src/pages/how-to/examples.mdx → src/pages/use-cases/examples.mdx
View File

@@ -4,7 +4,7 @@ export const title = 'Examples'
## NetBird Client on AWS ECS (Terraform)
<p>
<img src="/docs-static/img/examples/wiretrustee-on-aws-ecs.png" alt="high-level-dia" width="400"/>
<img src="/docs-static/img/use-cases/examples/wiretrustee-on-aws-ecs.png" alt="high-level-dia" width="400"/>
</p>
A common way to run containers in the AWS cloud is to use Elastic Container Service (ECS).
@@ -100,7 +100,7 @@ One of the simplest ways of running NetBird client application is to use a pre-b
* **NetBird account.**
Register one at [app.netbird.io](https://app.netbird.io/).
You would need to obtain a [setup key](/how-to/register-machines-using-setup-keys) to associate NetBird client with your account.
You would need to obtain a [setup key](/manage/peers/register-machines-using-setup-keys) to associate NetBird client with your account.
The setup key could be found in the NetBird Management dashboard under the Setup Keys tab - [https://app.netbird.io/setup-keys](https://app.netbird.io/setup-keys).

0
src/pages/how-to/netbird-on-faas.mdx → src/pages/use-cases/netbird-on-faas.mdx
View File

12
src/pages/how-to/routing-peers-and-kubernetes.mdx → src/pages/use-cases/routing-peers-and-kubernetes.mdx
View File

@@ -26,7 +26,7 @@ suit your needs.
See the screenshot below for reference:
<p>
<img src="/docs-static/img/how-to-guides/k8s-create-setup-key.png" alt="k8s-create-setup-key" width="400" className="imagewrapper"/>
<img src="/docs-static/img/use-cases/routing-peers-and-kubernetes/k8s-create-setup-key.png" alt="k8s-create-setup-key" width="400" className="imagewrapper"/>
</p>
With your setup key created, note it down for the next steps.
@@ -41,12 +41,12 @@ Set the distribution group to `hetzner-servers`. This group is used to distribut
See the screenshot below for reference:
<p>
<img src="/docs-static/img/how-to-guides/k8s-add-network-route.png" alt="k8s-add-network-route" width="400" className="imagewrapper"/>
<img src="/docs-static/img/use-cases/routing-peers-and-kubernetes/k8s-add-network-route.png" alt="k8s-add-network-route" width="400" className="imagewrapper"/>
</p>
Click on Name & Description to give your route a name and description. Then click on `Add Route` to save your changes.
<p>
<img src="/docs-static/img/how-to-guides/k8s-name-network-route.png" alt="k8s-name-network-route" width="400" className="imagewrapper"/>
<img src="/docs-static/img/use-cases/routing-peers-and-kubernetes/k8s-name-network-route.png" alt="k8s-name-network-route" width="400" className="imagewrapper"/>
</p>
### Step 3: Create an access control policy
@@ -55,12 +55,12 @@ Navigate to Access Control Policies in the NetBird management dashboard and clic
Set the source group to `hetzner-servers` and the destination group to `kubernetes-routers`. This configuration allows
the Hetzner servers to access the kubernetes pods.
<p>
<img src="/docs-static/img/how-to-guides/k8s-add-access-control-policy.png" alt="k8s-add-access-control-policy" width="400" className="imagewrapper"/>
<img src="/docs-static/img/use-cases/routing-peers-and-kubernetes/k8s-add-access-control-policy.png" alt="k8s-add-access-control-policy" width="400" className="imagewrapper"/>
</p>
Click on Name & Description to give your policy a name and description. Then click on `Add Policy` to save your changes.
<p>
<img src="/docs-static/img/how-to-guides/k8s-name-access-control-policy.png" alt="k8s-name-access-control-policy" width="400" className="imagewrapper"/>
<img src="/docs-static/img/use-cases/routing-peers-and-kubernetes/k8s-name-access-control-policy.png" alt="k8s-name-access-control-policy" width="400" className="imagewrapper"/>
</p>
### Step 4: Deploy the NetBird agent
@@ -139,7 +139,7 @@ kubectl logs -l app=netbird
You can also verify that the agent is connected to the NetBird management dashboard by checking the dashboard.
<p>
<img src="/docs-static/img/how-to-guides/k8s-netbird-agent-connected.png" alt="k8s-netbird-agent-connected" className="imagewrapper-big"/>
<img src="/docs-static/img/use-cases/routing-peers-and-kubernetes/k8s-netbird-agent-connected.png" alt="k8s-netbird-agent-connected" className="imagewrapper-big"/>
</p>
## Conclusion