Tag hosts to create powerful firewall rules
Effective firewalls are an important part of any secure network design. When using Defined Networking’s Managed Nebula, only those devices enrolled on your account are able to communicate with each other, but it is still prudent to limit the ways those devices interact.
Role-based access rules
Up until now, the only way to define firewall rules in Managed Nebula has been to assign roles to each of your devices and open ports between those roles. This simple approach works well for many cases, for example to allow access to machines with a role of webserver on TCP port 443 (HTTPS) from any other host with the role of user-device. Now your company's dashboard can be kept off the global internet, but still accessed by your employees.
But what if certain employees also need to be able to SSH into that webserver to make changes to it? Using only roles, you could create a new role called user-device-admin and open TCP port 22 for hosts with that role, but then you would need to find every other rule that targets user-device and update it to also allow user-device-admin. Otherwise the admins lose access to everything the user-device role already had. This is tedious and difficult to maintain.
Firewalls are more powerful with tags
With the release of tag-based firewall rules, creating more complex firewall rules is much easier. Now, instead of creating a new role for admins, you can assign them a tag like user-type:admin, along with the existing user-device role. Then, create a firewall rule that allows SSH from any host that has both the user-device role and the new user-type:admin tag. Now admins will be able to SSH into the web servers, and will still have access to the company dashboard website.
Tags can be thought of as attributes or slices of identity which can be applied to devices on your Managed Nebula network. They contain a key and a value, formatted as key:value. Each host can have multiple tags, and new tags can be created on the fly as you create or edit your hosts.
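To make the matching semantics concrete, here is a small Python model of the policy described above: a rule names one source role and any number of tags, and a source host matches only when it has that role and every listed tag, with everything else denied. This is an added example written for this page, not Defined Networking's code, and it does not reproduce how Managed Nebula or dnclient actually evaluates rules; the host names, the os:ios tag and the helper names are constructed for illustration. The roles_only_gap function also replays the maintenance problem from the previous section: an admin moved into a separate user-device-admin role loses the dashboard rule until that rule is duplicated.

```python
"""Illustrative model of role- and tag-based firewall rules.

Added example for this page; NOT Defined Networking's implementation.
It only shows the matching semantics the text describes: a rule names
one source role and zero or more key:value tags, and a host matches
when it has that role AND every listed tag. Unmatched traffic is denied.
"""
from dataclasses import dataclass


def parse_tag(tag: str) -> tuple[str, str]:
    """Split a key:value tag, rejecting anything without both parts."""
    key, sep, value = tag.partition(":")
    if not sep or not key or not value:
        raise ValueError(f"tag must be key:value, got {tag!r}")
    return key, value


def is_valid_tag(tag: str) -> bool:
    try:
        parse_tag(tag)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    tags: frozenset[str] = frozenset()

    def __post_init__(self) -> None:
        for tag in self.tags:
            parse_tag(tag)  # reject malformed tags when the host is defined


@dataclass(frozen=True)
class Rule:
    """Inbound allow rule on a destination: who may reach proto/port."""
    proto: str
    port: int
    src_role: str
    src_tags: frozenset[str] = frozenset()  # ALL of these must be on the source


def rule_matches(rule: Rule, src: Host, proto: str, port: int) -> bool:
    # Subset test gives the AND semantics: every tag in the rule must be on the host.
    return (rule.proto == proto and rule.port == port
            and rule.src_role == src.role
            and rule.src_tags <= src.tags)


def is_allowed(rules: list[Rule], src: Host, proto: str, port: int) -> bool:
    """Default deny: traffic passes only if at least one rule matches."""
    return any(rule_matches(r, src, proto, port) for r in rules)


# Constructed sample data (hypothetical hosts and rules for the webserver role).
WEBSERVER_RULES = [
    Rule("tcp", 443, "user-device"),                                   # dashboard
    Rule("tcp", 22, "user-device", frozenset({"user-type:admin"})),   # SSH, admins only
]

ALICE = Host("alice-laptop", "user-device", frozenset({"user-type:admin"}))
BOB = Host("bob-laptop", "user-device")
CAROL = Host("carol-phone", "user-device", frozenset({"user-type:admin", "os:ios"}))


def access_matrix(rules, hosts, checks):
    """Return {host name: {(proto, port): allowed}} for the given checks."""
    return {h.name: {c: is_allowed(rules, h, *c) for c in checks} for h in hosts}


def roles_only_gap() -> dict:
    """Roles-only version of the same requirement: the admin is moved to a
    new role, so the 443 rule written for user-device no longer covers them
    until it is copied for user-device-admin as well."""
    rules = [
        Rule("tcp", 443, "user-device"),
        Rule("tcp", 22, "user-device-admin"),
    ]
    admin = Host("dana-laptop", "user-device-admin")
    return {"ssh": is_allowed(rules, admin, "tcp", 22),
            "dashboard": is_allowed(rules, admin, "tcp", 443)}


if __name__ == "__main__":
    checks = [("tcp", 443), ("tcp", 22)]
    for host, result in access_matrix(WEBSERVER_RULES, [ALICE, BOB, CAROL], checks).items():
        print(host, result)
    print("roles-only admin:", roles_only_gap())
```

Running it shows alice and carol reaching both 443 and 22 while bob, who carries the role but not the tag, gets only 443; the roles-only variant grants SSH but silently drops the dashboard, which is exactly the rule duplication the tag approach avoids.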
Add tags to your hosts today
That’s right, you can now edit your hosts, relays, and lighthouses to change their name and role, or add and remove tags. Be sure to update all of your devices to the latest version of dnclient before editing to ensure that these changes are properly applied across your network. The minimum supported version is 0.2.1 for desktop clients, and 0.3.0 for mobile apps. Read our guide to creating firewalls using roles and tags to get started.
Try it today
Tags make it much easier to create robust access control rules in your Managed Nebula network and pave the way for future product improvements. Try them out today in a free Managed Nebula account with up to 100 hosts and let us know what you think.
Nebula, but easier
Take the hassle out of managing your private network with Defined Networking, built by the creators of Nebula.