Overview

This bulletin covers announcements from NetFoundry, details on features released between September 2023 & December 2023 and information on latest blogs & articles. We are excited to share that controller high availability feature has moved to the alpha release. Highlights include the launch of “zrok frontdoor”, custom domain name support and improvements to the network upgrade process.

Router link listener control:

When Public routers ( Including NetFoundry hosted public routers) are provisioned, the link listener can be turned off during the provisioning of the router and enabled at a later stage. This would help our customers and partners to make sure that the router’s domain name / IP are whitelisted on security gateway devices before the router participates in the fabric. Once the router is provisioned and live, the IP and domain name of the router is available on console / console API which can be picked up for outbound policy whitelisting.

Custom domain name support for public routers:

Public routers now support the option of custom domain names. The public routers are assigned NetFoundry domain names by default. The option of adding custom domain names has been added. Hosting and managing the custom domain name is the responsibility of customers for the public routers to be reachable from private routers and endpoints on the network. This feature would help our customers to manage fewer domain names for outbound whitelisting with partners and end customers. The custom domain’s CNAME record should be pointed to the NetFoundry domain name by the customer.

Improvements to network upgrade process: 

We have made two key changes to the network upgrade process that would help the way we manage network upgrades for large networks. The upgrade process continues to be executed by the NetFoundry support team.

  • Router binary can now be upgraded prior to the controller upgrade. The pre-requisite is that the router is backward compatible to the controller version which would be confirmed by our support team in the planning stage of network upgrades.
  • A collection of routers can be selectively upgraded. Prior to launch of this feature, all the routers in the network had to be upgraded in one go or had to be upgraded one by one.

These features would help reduce the window for the network upgrade process and also plan the upgrade of specific edge routers ahead of the controller upgrade while not affecting the rest of the network. In a scenario of multi-tenant or B2B networks, customers and partners can now plan upgrade of the edge routers as per the business convenience.

 

Move to single port – 443 via Application layer protocol negotiation 

Last quarter, we added the ability to optionally shut port 6262 for salt communication and stick to ports 443 and 80. In the journey of simplifying port requirements to operate the CloudZiti network, we have made yet another feature release.

Cloud Ziti Controller and Routers can operate with a single open port. In order to implement this feature we use ALPN (Application Layer Protocol Negotiation) TLS extension. It allows TLS client to request and TLS server to select appropriate application protocol handler during TLS handshake. Customers who desire to move to a single port of 443 from the current model of two ports –  443 & 80 can raise a ticket with our support desk or contact the Technical Account Manager to implement this feature. The feature is available from MOP version 7.3.94 and above. Due to the introduction of ALPN header, all networks that have to be upgraded to 7.3.94 and above will require that the routers are upgraded prior to the controller upgrade so that the routers do not lose connection to the controller due to the missing ALPN header. The choice of shutting down port 80 still exists with the customer post the network upgrade.

Pls refer the release notes for more details on move to single port.

Launch of “zrok frontdoor”: 

“zrok frontdoor” is a combination of reverse proxy and zero trust networks that offer the flexibility of reaching resources such as web apps, files or APIs while not directly exposing them to the internet. zrok frontdoor is built on the same openziti platform that is used by zrok and is currently available as an opensoure project. Learn more about zrok frontdoor here.  You can also watch a demo of zrok frontdoor.

 

Update on Controller HA: 

High availability of controllers or distributed controllers is a critical project that we have been working on for a year now. We are excited to share the news with our customers that we have made an internal alpha release of HA of controllers. The details of HA of controller design is available in a ZitiTV session.

Articles, updates and software releases:

  • The following articles have been added recently:

Solution Recipes:

Agentless zero trust networking for ODOO with BrowZer

Agentless zero trust networking for  Graphite with BrowZer 

Secure Solarwinds dashboard access with BrowZer

Support guides:

Deploy Ziti Edge Routers Behind a Proxy 

Blogs :

Securing enterprise private mobile apps – LLM – Azure AI example

Enrollment and authentication in  ZTNA embedded mobile apps

Business Rule Driven Ephemeral Network Access

Securing Azure OpenAI Applications with OpenZiti

Closing Thoughts:

Watch our youtube channel and openziti channel for updates, demos and all exciting stuff on NetFoundry. If you are interested in our “Browzer” solution , zrok.io, additional use cases or if you have any feedback about these features, please contact us at customer.success@netfoundry.io. You can also reach out to us on the same email address if you would like to participate in the customer spotlight sessions.

Surendran Naidu
Website

I head the Global Technical Account Management / Customer Success function at NetFoundry. I'm passionate about enterprise architecture, Zero Trust Security, cyber security and networking in specific and ICT techs in general.

Discuss On: