Summary
This article describes how to implement port forwarding in the Banyan ecosystem using a registered TCP service and a Banyan AccessTier. It lets you exempt specific source IP addresses so that they can reach infrastructure services through the AccessTier without the Banyan app. Connections on the forwarded port are not subject to the user, device and trust-level checks that apply to other services, so the exempted source addresses and your network firewall are the only access controls on that port.
Prerequisites
- Have a Banyan AccessTier with connectivity to your destination service.
- The ability to open an inbound TCP port on the AccessTier host's firewall or security group.
- The ability to register a service in the Banyan Console.
Instructions
Please Note: This consumes the registered port for the entire AccessTier. For example, if you forward port 8443, every service registered on that AccessTier with frontend port 8443 will be sent to the single backend address you configure here. If your use case requires multiple services behind the same AccessTier on 8443, consider spinning up a dedicated AccessTier for this use case.
1. Creating A Policy
To complete this setup, first define a policy with IP exemptions. The exempted addresses are the source IPs that will be allowed to reach your service through the forwarded port. Write the policy as Custom JSON, since that format is what lets you add IP exemptions. The role and trust level in this policy do not matter, because port forwarding does not go through the same policy evaluation as other services.
You can use the following template, replacing the IP address with your own (the example uses 1.1.1.1):
{
  "access": [
    {
      "roles": ["Any"],
      "rules": {
        "l7_access": [
          { "resources": ["*"], "actions": ["*"] }
        ],
        "conditions": { "start_time": "", "end_time": "", "trust_level": "" }
      }
    }
  ],
  "exception": { "src_addr": ["1.1.1.1"] },
  "options": { "disable_tls_client_authentication": false, "l7_protocol": "" }
}
2. Configure a TCP Service
Once your policy is complete, build the service to apply it to. This is where you define the backend address and port that traffic will be forwarded to.
Create a new Custom JSON service under the Infrastructure category. Give the service a friendly Name and Description, then under the Metadata section use the following template and fill in the details enclosed in <>.
{
  "tags": {
    "template": "CUSTOM",
    "protocol": "tcp",
    "domain": "<domain with a DNS record pointing at the AccessTier, e.g. banyanaccesstier.customer.com; not used when connecting to this service>",
    "port": "<frontend port you wish to forward>",
    "icon": "",
    "banyanproxy_mode": "TCP",
    "app_listen_port": "",
    "allow_user_override": false,
    "description_link": ""
  }
}
Then use the following template for the Service Attributes section of the service registration, again replacing anything enclosed in <>. The frontend port here must match the port in the metadata. The backend target is a plain IP address and port with "tls" set to false, so the AccessTier does not originate its own TLS session toward the backend.
{
  "attributes": {
    "tls_sni": [],
    "frontend_addresses": [
      { "cidr": "", "port": "<frontend port you wish to forward>" }
    ],
    "host_tag_selector": [
      { "com.banyanops.hosttag.site_name": "<name of the AccessTier you will use>" }
    ],
    "disable_private_dns": false
  },
  "backend": {
    "target": {
      "name": "<backend destination IP address of your service>",
      "port": "<backend destination port of your service>",
      "tls": false,
      "tls_insecure": false,
      "client_certificate": false
    },
    "dns_overrides": {},
    "whitelist": [],
    "connector_name": ""
  },
  "cert_settings": {
    "dns_names": [
      "<domain with a DNS record pointing at the AccessTier, e.g. banyanaccesstier.customer.com; not used when connecting to this service>"
    ],
    "custom_tls_cert": { "enabled": false, "cert_file": "", "key_file": "" },
    "letsencrypt": false
  },
  "http_settings": {
    "enabled": false,
    "oidc_settings": {
      "enabled": false,
      "service_domain_name": "",
      "post_auth_redirect_path": "",
      "api_path": "",
      "trust_callbacks": null,
      "suppress_device_trust_verification": false
    },
    "http_health_check": {
      "enabled": false,
      "addresses": null,
      "method": "",
      "path": "",
      "user_agent": "",
      "from_address": [],
      "https": false
    },
    "http_redirect": {
      "enabled": false,
      "addresses": null,
      "from_address": null,
      "url": "",
      "status_code": 0
    },
    "exempted_paths": {
      "enabled": false,
      "patterns": [
        {
          "hosts": [ { "origin_header": [], "target": [] } ],
          "methods": [],
          "paths": [],
          "mandatory_headers": []
        }
      ]
    },
    "headers": {}
  },
  "client_cidrs": []
}
Once completed, apply your previously created policy from Step 1 to the service.
3. Open the Forwarded Port on your AccessTier's Host
Once you publish your service, you may find that you still cannot connect to it. You will need to change your firewall, security groups, or equivalent to allow TCP traffic to ingress to the AccessTier on the frontend port. These steps depend heavily on your specific infrastructure. Where possible, scope that rule to the same source addresses you listed in the policy exception rather than opening the port to the world, since the forwarded port bypasses Banyan's user and device checks.
4. Test Your Service!
Finally, you should be ready to port forward. Connect to any IP address or DNS name that points to the AccessTier selected on your service, using the frontend port. For example, if the AccessTier's IP address is 8.8.8.8 and you forwarded port 8443, connect to MyAccessTier.Customer.com:8443 (where that name resolves to 8.8.8.8) or directly to 8.8.8.8:8443. Because the TCP port is what selects the backend, the name you connect with does not have to match the domain in the service registration.
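The four steps above, as an added example that is not part of this article or Banyan's own tooling: a Python script that assembles the Step 1 policy and Step 2 service JSON from parameters, checks that the frontend port and domain agree between the metadata and the attributes, flags two services that would claim the same frontend port on the same AccessTier (the conflict described in the note above), and runs the Step 4 TCP reachability probe. Field names follow the templates on this page; the AccessTier site name (prod-at), the backend addresses and the service names are placeholders, and the http_settings block is reduced to its top-level flag because every sub-object in the template is disabled.

```python
# Added example, not Banyan tooling. Field names follow this page's templates;
# site names, backend addresses and service names are placeholders.
import ipaddress
import json
import socket


def build_policy(exempt_src_addrs):
    """Step 1 policy: only the src_addr exception list matters for port forwarding."""
    for addr in exempt_src_addrs:
        ipaddress.ip_network(addr, strict=False)  # ValueError on a malformed entry
    return {
        "access": [{"roles": ["Any"], "rules": {
            "l7_access": [{"resources": ["*"], "actions": ["*"]}],
            "conditions": {"start_time": "", "end_time": "", "trust_level": ""}}}],
        "exception": {"src_addr": list(exempt_src_addrs)},
        "options": {"disable_tls_client_authentication": False, "l7_protocol": ""},
    }


def build_service(domain, frontend_port, site_name, backend_ip, backend_port):
    """Step 2: metadata tags and attributes for a Custom JSON TCP service (ports as strings)."""
    ipaddress.ip_address(backend_ip)  # ValueError on a malformed backend address
    metadata = {"tags": {
        "template": "CUSTOM", "protocol": "tcp", "domain": domain, "port": str(frontend_port),
        "icon": "", "banyanproxy_mode": "TCP", "app_listen_port": "",
        "allow_user_override": False, "description_link": ""}}
    attributes = {
        "attributes": {
            "tls_sni": [],
            "frontend_addresses": [{"cidr": "", "port": str(frontend_port)}],
            "host_tag_selector": [{"com.banyanops.hosttag.site_name": site_name}],
            "disable_private_dns": False},
        "backend": {
            "target": {"name": backend_ip, "port": str(backend_port), "tls": False,
                       "tls_insecure": False, "client_certificate": False},
            "dns_overrides": {}, "whitelist": [], "connector_name": ""},
        "cert_settings": {
            "dns_names": [domain],
            "custom_tls_cert": {"enabled": False, "cert_file": "", "key_file": ""},
            "letsencrypt": False},
        # The template's disabled oidc/health-check/redirect sub-objects are omitted here.
        "http_settings": {"enabled": False},
        "client_cidrs": [],
    }
    return metadata, attributes


def check_service(metadata, attributes):
    """Frontend port must agree between tags and frontend_addresses; domain must be in dns_names."""
    problems = []
    tag_port = metadata["tags"]["port"]
    fe_ports = {fa["port"] for fa in attributes["attributes"]["frontend_addresses"]}
    if fe_ports != {tag_port}:
        problems.append(f"frontend port mismatch: tags.port={tag_port}, "
                        f"frontend_addresses={sorted(fe_ports)}")
    if metadata["tags"]["domain"] not in attributes["cert_settings"]["dns_names"]:
        problems.append("tags.domain is missing from cert_settings.dns_names")
    return problems


def find_port_collisions(services):
    """Per the note above, a frontend port is consumed for the whole AccessTier:
    report service pairs that select the same site_name with the same port."""
    first_owner, collisions = {}, []
    for name, (metadata, attributes) in services.items():
        port = metadata["tags"]["port"]
        for selector in attributes["attributes"]["host_tag_selector"]:
            key = (selector.get("com.banyanops.hosttag.site_name"), port)
            if key in first_owner:
                collisions.append((first_owner[key], name, key[0], key[1]))
            else:
                first_owner[key] = name
    return collisions


def tcp_probe(host, port, timeout=3.0):
    """Step 4: True when a TCP handshake to the AccessTier frontend completes.
    A failure usually means the Step 3 firewall/security-group rule is missing."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    policy = build_policy(["1.1.1.1"])  # the article's placeholder exempt source
    vault = build_service("banyanaccesstier.customer.com", 8443, "prod-at", "10.0.5.20", 443)
    gitlab = build_service("banyanaccesstier.customer.com", 8443, "prod-at", "10.0.5.21", 443)
    print(json.dumps(policy, indent=2))
    print("vault problems:", check_service(*vault))
    print("collisions:", find_port_collisions({"vault": vault, "gitlab": gitlab}))
    print("reachable:", tcp_probe("banyanaccesstier.customer.com", 8443))
```

Run it before pasting the JSON into the console: the two placeholder services both select prod-at on 8443, so find_port_collisions reports the pair, which is exactly the situation the note above warns will silently send both to one backend. tcp_probe only proves the handshake completes on the frontend port; it does not tell you which backend answered, so follow it with a protocol-level check against the real service.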
Outcome
Once completed, you will have an AccessTier with a forwarded port. Just as in traditional port forwarding, all traffic to the selected frontend port is sent to the same backend address regardless of SNI, paths, or source IP.
If you have any trouble, please contact us!