|
|
|
|
@@ -1,90 +1,79 @@
|
|
|
|
|
|
|
|
|
|
# Manage network access
|
|
|
|
|
NetBird allows administrators to restrict access to resources (peers) by creating access rules and
|
|
|
|
|
defining what peer groups are permitted to establish connections with one another. Rule can allow connections
|
|
|
|
|
by specific protocol and ports.
|
|
|
|
|
NetBird enables administrators to oversee and manage access between resources (peers) through access policies. These policies specify which peers and peer groups are permitted to connect to each other, detail the protocols and ports for these connections, and offer the option to include posture checks to apply zero trust principles, helping to adapt access control to specific contexts.
|
|
|
|
|
|
|
|
|
|
## Introduction
|
|
|
|
|
A NetBird account comes with a `Default` rule that allows all peers of the account to connect to each other by all protocols,
|
|
|
|
|
forming a full mesh network. In most cases, this is the desired state for a small network or network that has low-security requirements.
|
|
|
|
|
When you need to restrict access to certain resources that belong to specific users or services within your organization,
|
|
|
|
|
you can create rules that dictate who can access what.
|
|
|
|
|
Initially, a NetBird account is configured with a `Default` policy which allows peers to connect via any protocol, resulting in the formation of a full mesh network. This setup often suits small networks or those requiring minimal security. In scenarios where higher security is needed or access to specific resources must be restricted for certain users or services, policies can be set up to determine access permissions.
|
|
|
|
|
|
|
|
|
|
Access control rules make use of groups to control connections between peers; these groups can be added as `Source` or `Destination` of a rule and will be evaluated when the Management service distributes the list of peers across your network.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Access control policies make use of groups to control connections between peers. These groups, which are sets of peers (meaning different machines with the NetBird client installed), can be added as Source or Destination of a policy. They are evaluated when the Management service distributes the list of peers across your network.
|
|
|
|
|
|
|
|
|
|
## Concepts
|
|
|
|
|
### Groups
|
|
|
|
|
A NetBird group works and follows a similar concept to tags in other platforms; they are easily created and can be associated with peers and used in rules to control traffic within your network.
|
|
|
|
|
A NetBird group works and follows a similar concept to tags in other platforms; they are easily created and can be associated with peers and used in policies to control traffic within your network.
|
|
|
|
|
|
|
|
|
|
Some characteristics of groups:
|
|
|
|
|
- They are unique.
|
|
|
|
|
- One group can have multiple peers.
|
|
|
|
|
- Peers can belong to multiple groups.
|
|
|
|
|
- Rules can have multiple groups in their `Source` and `Destination` lists.
|
|
|
|
|
- They are created in the `Access Control` or `Peers` tabs.
|
|
|
|
|
- They can only be deleted via API.
|
|
|
|
|
- There is a default group called `All`.
|
|
|
|
|
Here are some key attributes of groups:
|
|
|
|
|
- Each group is unique.
|
|
|
|
|
- A single group can have multiple peers.
|
|
|
|
|
- Peers can be part of multiple groups simultaneously.
|
|
|
|
|
- Groups can be included in the 'Source' and 'Destination' lists of policies.
|
|
|
|
|
- Groups are generated within the 'Access Control' or 'Peers' tabs.
|
|
|
|
|
- Groups can be deleted only via the API.
|
|
|
|
|
- There exists a default group called 'All'.
|
|
|
|
|
|
|
|
|
|
<Note>
|
|
|
|
|
You can assign groups automatically with the [peer auto-grouping feature](/how-to/register-machines-using-setup-keys#peer-auto-grouping).
|
|
|
|
|
</Note>
|
|
|
|
|
|
|
|
|
|
### The All Group
|
|
|
|
|
The `All` group is a default group to which every peer in your network is automatically added to. This group cannot be modified or deleted.
|
|
|
|
|
The 'All' group serves as a default group that automatically includes every peer in your network. This group cannot be modified or removed.
|
|
|
|
|
|
|
|
|
|
### Rules
|
|
|
|
|
Rules are defined as sets of Source and Destination peer groups, which specify the allowable communication between them.
|
|
|
|
|
Depending on the rule configuration, this communication can be either bidirectional or unidirectional.
|
|
|
|
|
Rules are processed when the Management service distributes a network map to all peers of your account. Because you can only create ALLOW rules, there is no processing
|
|
|
|
|
order or priority, so the decision to distribute peer information is based on its association with a group belonging to an existing rule.
|
|
|
|
|
### Policies
|
|
|
|
|
Policies act as rules governing how different resources (peers) can communicate and connect. They specify the source and destination of communication and can allow bidirectional or unidirectional connections.
|
|
|
|
|
|
|
|
|
|
Currently, the communication between lists of groups in source and destination lists of a rule for ALL and ICMP protocols,
|
|
|
|
|
and for TCP and UDP when you don't define limitation by port, it is bidirectional, meaning that destinations can also
|
|
|
|
|
initiate connections to a group of peers listed in the source field of the rule.
|
|
|
|
|
Policies are processed when the Management service shares a network map with all peers of your account. Because you can only create ALLOW policies, there is no processing order or priority. So, the decision to distribute peer information is based on its association with a group belonging to an existing policy.
|
|
|
|
|
|
|
|
|
|
The behavior of a network without any rules is to deny traffic. No peers will be able to communicate with each other.
|
|
|
|
|
For ICMP and ALL protocols, as well as for TCP and UDP protocols **without** specific port restrictions, communication between groups listed in the source and destination fields is bidirectional. This means that both source and destination groups can initiate connections with each other. To establish one-way connections, you must specify a protocol (UDP or TCP), along with a port.
|
|
|
|
|
|
|
|
|
|
<Note>
|
|
|
|
|
If you need to allow peers from the same group to communicate with each other, just add the same group to the `Source` and `Destination` lists.
|
|
|
|
|
If you need to allow peers from the same group to communicate with each other, you can do so by adding the same group to the `Source` and `Destination` lists.
|
|
|
|
|
</Note>
|
|
|
|
|
|
|
|
|
|
### The Default Rule
|
|
|
|
|
The `Default` rule is created when you first create your account. This rule is very permissive because it allows communication between all peers in your network.
|
|
|
|
|
It uses the [`All`](#the-all-group) group as a source and destination. If you want to have better
|
|
|
|
|
control over your network, it is recommended that you delete this rule and create more restricted rules with custom groups.
|
|
|
|
|
Without policies, a network operates by denying traffic, meaning peers cannot communicate with each other. That's why the default policy is automatically created upon account creation.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### The Default policy
|
|
|
|
|
The `Default` policy is created when you first create your account. This policy is very permissive because it allows communication between all peers in your network, utilizing the [`All`](#the-all-group) group as both the source and destination. It's worth noting that the [`All`](#the-all-group) group is also automatically present when the account is being created. If you want to have better control over your network, it is recommended that you delete this policy and create more restricted policies with custom groups.
|
|
|
|
|
|
|
|
|
|
<Note>
|
|
|
|
|
If you need to restrict communication within your network, you can create new rules and use different groups, and then remove the default rule to achieve the desired behavior.
|
|
|
|
|
If you need to restrict communication within your network, you can create new policies and use different groups. Then, you can remove the default policy to achieve the desired behavior.
|
|
|
|
|
</Note>
|
|
|
|
|
|
|
|
|
|
### Multiple Mesh Networks
|
|
|
|
|
As mentioned above, rules by default are bidirectional which is basically the control of how your network will behave as a mesh network.
|
|
|
|
|
But for TCP and UDP protocols, if you define ports in the rule, rule can be unidirectional.
|
|
|
|
|
As mentioned above, policies are bidirectional by default, essentially controlling how your network behaves as a mesh network. However, for TCP and UDP protocols, if you specify ports in the policy, it can become unidirectional.
|
|
|
|
|
|
|
|
|
|
There is a `Default` rule, which configures a Default mesh connection between all peers of your network. With rules,
|
|
|
|
|
you can define smaller mesh networks by grouping peers and adding these groups to `Source` and `Destination` lists.
|
|
|
|
|
Also you can create unidierectional rules to restrict traffic between groups for TCP and UDP protocols if you define ports.
|
|
|
|
|
There is a `Default` policy, which configures a default mesh connection between all peers of your network. With policies, you can define smaller mesh networks by grouping peers and adding these groups to `Source` and `Destination` lists. Additionally, you can create unidirectional policies to restrict traffic between groups for TCP and UDP protocols if you define ports.
|
|
|
|
|
|
|
|
|
|
## Managing Rules
|
|
|
|
|
## Managing Policies
|
|
|
|
|
|
|
|
|
|
### Creating Rules
|
|
|
|
|
After accessing the `Access Control` tab, you can click the `Add Rule` button to create a new rule.
|
|
|
|
|
In the popup, specify a name for the rule, and define source and destination groups.
|
|
|
|
|
You can set traffic direction only when you choose TCP or UDP protocols.
|
|
|
|
|
### Creating Policies
|
|
|
|
|
After accessing the `Access Control` > `Policies` tab, click on the `Add policy` button to create a new policy. In the popup, specify source and destination groups, and add Posture Checks if needed. Make sure to set traffic direction only when TCP or UDP protocols are selected. Finally, provide a name and description for your policy.
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
<img src="/docs-static/img/overview/create-rule.png" alt="high-level-dia" className="imagewrapper"/>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
If required, you can create new groups by entering new names in the input box for either source or destination lists.
|
|
|
|
|
|
|
|
|
|
Once you are done configuring the rule, click the `Create` button to save it. You will then see your new rule in the table.
|
|
|
|
|
If necessary, you can create new groups simply by entering new names in the input box for either the source or destination lists.
|
|
|
|
|
|
|
|
|
|
Once you have finished configuring the policy, click `Add Policy` to save it. You will then see your new policy in the table.
|
|
|
|
|
<p>
|
|
|
|
|
<img src="/docs-static/img/overview/new-rule-list.png" alt="high-level-dia" className="imagewrapper"/>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<Note>
|
|
|
|
|
Because of its permissiveness, new rules will take effect once you remove the `Default` rule.
|
|
|
|
|
Because of its permissiveness, new policies will take effect once you remove the `Default` policy.
|
|
|
|
|
</Note>
|
|
|
|
|
|
|
|
|
|
<Note>
|
|
|
|
|
@@ -92,8 +81,8 @@ Protocol type All or ICMP must be bi-directional. Also unidirectional traffic fo
|
|
|
|
|
</Note>
|
|
|
|
|
|
|
|
|
|
### Adding peers to groups
|
|
|
|
|
If you create a new group when defining a rule, you will need to add a peer to the group for the rule to take effect.
|
|
|
|
|
You can do it by accessing the `Peers` tab and clicking the `Groups` column of any peer you want to associate with the new group.
|
|
|
|
|
If you create a new group when defining a policy, you will need to add a peer to the group for the policy to take effect.
|
|
|
|
|
You can assign a peer to a group by accessing the `Peers` section. Then, choose the specific peer you want to assign to a group. Click on the `Assigned Groups` select box and select the group(s) you wish to assign to this peer.
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
<img src="/docs-static/img/overview/associate-peer-groups.png" alt="high-level-dia" className="imagewrapper"/>
|
|
|
|
|
@@ -103,16 +92,18 @@ You can do it by accessing the `Peers` tab and clicking the `Groups` column of a
|
|
|
|
|
You can assign groups automatically with the [peer auto-grouping feature](/how-to/register-machines-using-setup-keys#peer-auto-grouping).
|
|
|
|
|
</Note>
|
|
|
|
|
|
|
|
|
|
### Updating Rules
|
|
|
|
|
To update a rule, you can click on the rule's `Name` or on either `Sources` and `Destinations` columns. You could also click the menu
|
|
|
|
|
button of a rule and select `View`. This will open the same screen where you can update rule groups, description, and status or change allowed
|
|
|
|
|
traffic direction and protocols with ports.
|
|
|
|
|
### Updating Policies
|
|
|
|
|
|
|
|
|
|
### Disabling Rules
|
|
|
|
|
To disable a rule, use the switch in the `Enabled` column of the table.
|
|
|
|
|
To update a policy, just click on its name and customize it according to your requirements. This action will open the same screen where you can update policy groups, descriptions, and status, or modify allowed traffic direction, protocols with ports, and posture checks, similar to the information described in the "Creating Policies" section above.
|
|
|
|
|
|
|
|
|
|
### Deleting Rules
|
|
|
|
|
To delete a rule, click `Delete` in the table. A confirmation window will pop up.
|
|
|
|
|
### Disabling Policies
|
|
|
|
|
To disable a policy, use the switch in the `Active` column of the table.
|
|
|
|
|
<p>
|
|
|
|
|
<img src="/docs-static/img/overview/disable-rule.png" alt="high-level-dia" className="imagewrapper"/>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
### Deleting Policies
|
|
|
|
|
To delete a policy, click on `Delete` in the table, and confirm the message that appears.
|
|
|
|
|
|
|
|
|
|
<p>
|
|
|
|
|
<img src="/docs-static/img/overview/delete-rule-menu.png" alt="high-level-dia" className="imagewrapper"/>
|
|
|
|
|
|
Misha Bragin