NetFoundry console overview
NetFoundry is a zero-trust network as a service (NaaS) platform that lets you create secure, app-specific overlay networks without the complexity of traditional networking. The NetFoundry console (the console) is the web interface to that platform. The goal is simple: make it easy to build fast, reliable, and secure connectivity for any application or device.
The console
The console is the central user interface (UI) you use to manage, configure, and monitor your entire overlay network.
The console acts as the frontend for the platform's various APIs. Every action you take—such as creating a service or policy—is automatically translated into a corresponding API call. These calls are directed either to the Network Management API (for core networking resources like identities and routers) or to the NetFoundry Platform API (for account management, user administration, and hosting). This direct correlation means you can manage everything from the web console or automate it completely through the APIs, enabling a network as code workflow.
Network components
A NetFoundry network is built from two core systems that work together: the control plane and the data plane.
Control plane
The controller is the control plane. It manages all the networking primitives, including policies, and handles authentication and authorization for every connection. The controller is the brain of the network; it makes the decisions but does not carry application traffic itself.
Data plane
The data plane consists of the components that move encrypted traffic across the network. In NetFoundry, this means routers and SDK-based clients:
- SDK clients: Applications or processes that embed an OpenZiti SDK to originate or receive secure overlay traffic. This category also includes NetFoundry tunnelers, which are purpose-built applications using the SDK to bridge underlay traffic (local networks, devices, or endpoints) onto the NetFoundry overlay, and back again.
- Routers: The NetFoundry nodes that forward encrypted traffic between SDK clients. Routers form the mesh overlay, maintain links to peer routers, and forward traffic along the paths the controller selects, keeping the secure data-plane topology intact.
Once authorization and policy decisions are made by the control plane, the data plane simply moves encrypted packets across the overlay.
Identity-first, zero-trust overlay
Beyond the data plane, NetFoundry's controller-driven model enables an identity-first, zero-trust architecture. Instead of relying on networks, IP addresses, or trusted zones, access is defined entirely by identities and the policies that govern them.
- Services: Logical definitions of the applications or resources made available on the overlay—independent of network location, IP addressing, or infrastructure.
- Attributes: Flexible labels applied to identities, services, and routers. Attributes make it possible to group, target, and organize resources without relying on traditional network constructs.
- Policies: Authorization rules that define which identities may reach (dial) or host (bind) specific services. Policies enforce zero trust by creating explicit identity-to-service relationships, enabling microsegmentation down to individual applications rather than entire networks. Anything a policy does not explicitly grant is denied.
These controller-managed components form the heart of NetFoundry's zero-trust approach, ensuring that only authenticated identities with explicit authorization can access specific services with no implicit trust, no lateral movement, and no exposure of the underlying network.
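To make the identity-first model concrete, here is a small policy evaluator written for this page. It is an added illustration, not NetFoundry or OpenZiti code, and it assumes the role-selector convention OpenZiti uses (NetFoundry is built on OpenZiti): `#tag` selects every entity carrying that attribute, `@name` selects one named entity, `#all` selects everything, and a policy's semantic is either AnyOf or AllOf. The identities, services, and policies below are constructed sample data. Notice that no IP address or network location appears anywhere; access is derived purely from attributes and explicit policies, and the default is deny.

```python
"""Toy evaluator for an identity-first, attribute-based policy model.

Added illustration for this page, not NetFoundry or OpenZiti code.
Assumptions: '#tag' matches every entity with that attribute, '@name'
matches one named entity, '#all' matches everything, and a policy's
semantic (AnyOf / AllOf) applies to its identity and service selectors.
All entity names and attributes are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entity:
    name: str
    attributes: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Policy:
    name: str
    identity_roles: tuple      # e.g. ("#finance", "@ci-runner")
    service_roles: tuple       # e.g. ("#finance-apps",)
    semantic: str = "AnyOf"    # AnyOf: one selector suffices; AllOf: all must match
    action: str = "Dial"       # Dial = consume a service; Bind = host it


def role_matches(role, entity):
    """Evaluate one role selector against one entity."""
    if role == "#all":
        return True
    if role.startswith("#"):
        return role[1:] in entity.attributes
    if role.startswith("@"):
        return role[1:] == entity.name
    raise ValueError(f"bad role selector: {role!r}")


def selected(roles, entity, semantic):
    """True if the entity is selected by the role list under the semantic.
    An empty selector list never selects anything (avoids all([]) == True)."""
    if not roles:
        return False
    combine = any if semantic == "AnyOf" else all
    return combine(role_matches(r, entity) for r in roles)


def permitted(identity, service, policies, action="Dial"):
    """Default deny: return the names of policies that grant this access.
    An empty list means the identity cannot reach (or host) the service."""
    return [
        p.name for p in policies
        if p.action == action
        and selected(p.identity_roles, identity, p.semantic)
        and selected(p.service_roles, service, p.semantic)
    ]


def access_matrix(identities, services, policies, action="Dial"):
    """Map every (identity, service) pair to the policies granting it."""
    return {(i.name, s.name): permitted(i, s, policies, action)
            for i in identities for s in services}


# Constructed sample data: who exists, what is offered, what is allowed.
IDENTITIES = {e.name: e for e in [
    Entity("alice", frozenset({"finance", "employee"})),
    Entity("bob", frozenset({"engineering", "employee"})),
    Entity("ci-runner", frozenset({"automation"})),
    Entity("payroll-host", frozenset({"finance-hosts"})),
]}
SERVICES = {e.name: e for e in [
    Entity("payroll-db", frozenset({"finance-apps"})),
    Entity("git", frozenset({"eng-apps"})),
    Entity("wiki", frozenset({"internal"})),
]}
POLICIES = [
    Policy("finance-to-payroll", ("#finance",), ("#finance-apps",)),
    Policy("eng-to-git", ("#engineering", "@ci-runner"), ("#eng-apps",)),
    Policy("employees-wiki", ("#employee",), ("#internal",)),
    # Bind policy: only the designated host may offer payroll-db on the overlay.
    Policy("host-payroll", ("#finance-hosts",), ("@payroll-db",), action="Bind"),
]


def demo():
    """Dial matrix for the sample data; useful for eyeballing segmentation."""
    return access_matrix(IDENTITIES.values(), SERVICES.values(), POLICIES)


if __name__ == "__main__":
    for (who, what), grants in sorted(demo().items()):
        print(f"{who:>13} -> {what:<10} {'ALLOW ' + ', '.join(grants) if grants else 'deny'}")
```

The split between Dial and Bind policies is the part worth internalising: the payroll host is allowed to offer `payroll-db` but has no Dial grant to it, and Alice can dial it but cannot host it. Adding an attribute to an identity (or removing one) changes its reachability without touching any network configuration, which is what makes the attribute model practical to operate as code.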