Creating As-a-Service
For more information on NIOS-X as a Service, see NIOS-X as a Service.
It is recommended that you pre-create the Locations and Credentials (Pre-Shared Keys) that you will use for each of your remote sites (Access Locations) before configuring the Service Deployment. In order to use a Location when setting up an Access Location, you must set at least a Country and a Post Code. The UI will filter out any location that has just Latitude/Longitude information.
To create a service, complete the following:
Go to Configure > Service Deployment > As-A-Service
At the bottom of the Services pane, click Add Service.
Configure the following in the General tab:
Name: Specify a name for the service.
Description: Provide a brief description.
Tags: Click Add and specify the Key and Value. You can add a maximum of 50 tags. For information about tags, see Managing Tags.
Capabilities: Choose one or more protocol services:
DHCP - choose the policy from the drop-down and confirm the selection by clicking the checkmark. By default, the Global Policy is selected. For more information, see Configuring Global DHCP Properties. If you want to use a custom policy, you can configure a DHCP Config Profile and choose the custom policy. For more information, see Configuring DHCP Config Profiles.
DNS - choose the policy from the drop-down and confirm the selection by clicking the checkmark. By default, the Global Policy is selected. For more information, see Configuring Global DNS Properties. If you want to use a custom policy, you can configure a DNS Config Profile and choose it as a custom policy.
Enable Anycast - Toggle the setting to ON. Select the Anycast Profile from the list and click the blue checkmark. You must create an Anycast configuration before selecting it in NIOS-X as a Service. For more information about creating an Anycast configuration, see Creating Anycast Configuration. For more information about Anycast, see Anycast Addressing.
NTP - choose this option if you want NIOS-X as a Service to sync the time with the Global NTP Settings. NTP (Network Time Protocol) is a standard protocol that system clocks use to ensure their time is always accurate. Servers that use NTP try to synchronize their time as close as possible to UTC (Coordinated Universal Time), the standard timescale used worldwide. For communications between clients and servers, NTP uses UDP (User Datagram Protocol) on port 123.
Security - The Security capability is only available if the DNS capability is added. Choose the policy from the drop-down and confirm the selection by clicking the checkmark. The Global Policy is selected by default. If you want to use a custom policy, you can configure a custom Security Policy. For more information, see Creating Security Policies.
NOTE: When you add a Capability to a service, you must click the small blue checkmark to the right of the Capability's drop-down box to save that Capability in the service. If you do not, the service will not retain that Capability when you click Save.
Click the Deployment tab. Click Add Service Deployment. Configure the following:
Name: Specify a name for the deployment.
Deployment Type: As a Service is selected by default.
Configure the following in the Service Location pane:
Size: This is the maximum number of Access Locations supported in a service deployment. Choose one of the following sizes:
S (Supports 10 locations)
M (Supports 20 locations)
Use Recommended Location: Select the check box to use the service location recommended by NIOS-X-as-a-Service based on the position of the access location(s). For example, if the access location is Mumbai, selecting this check box allows NIOS-X-as-a-Service to choose the closest Point of Presence (PoP), which in this case is AWS Asia Pacific. If you create two access locations, selecting this check box allows NIOS-X-as-a-Service to choose the PoP that is closest to both. This option can be selected only when creating a service.
Location: Choose one of the Available Locations. This option is disabled if you have selected the Use Recommended Location option.
Service IP: Specify a single private IP address that the services (DNS/DHCP/Security) will run on. This is the IP address that clients on your network will send DNS/DHCP traffic to. It is recommended to use an IP address that is not in active use in your network. The following IP addresses are not allowed: 169.254.0.0/16, 172.31.0.0/16.
Service Location Routing: Choose one of the following options:
Static: Choose this option if you are using static routing.
Dynamic (BGP): Choose this option if you are using Anycast (BGP). If you choose this option, configure the following settings:
Service Location ASN: This is the Autonomous System Number (ASN) for the service location, that is, the ASN responsible for the network in that location (for example, the ASN that operates in a specific country or city).
BGP Timers: In Border Gateway Protocol (BGP), timers are used to maintain stable communication between peers and detect link failures. Two key timers are Keep Alive and Hold Time. Configure the following:
Keep Alive: Ensures that the connection between BGP peers is alive. The default value is 30 seconds. If no updates or other messages need to be sent, a Keep Alive message is sent periodically, and if Keep Alive messages are received, the peer knows the connection is still active.
Hold Time: The purpose of the Hold Time is to define the maximum time a BGP peer will wait before declaring the session down. The default value is 90 seconds, which is three times the Keep Alive interval by default. If a router doesn’t receive any Keep Alive, Update, or Notification messages within the Hold Time, it assumes the peer is down and resets the connection. A Hold Time of 0 means Keep Alive messages are disabled.
Primary Neighbor IP: Specify the IP address that will be used as the source IP when the Service Location initiates traffic to on-prem (for example, forwards a DNS request from the PoP to a DNS server that is on-prem).
Secondary Neighbor IP: Specify the IP address that will be used as the source IP when the Service Location initiates traffic to on-prem (for example, forwards a DNS request from the PoP to a DNS server that is on-prem). This is the backup of the Primary Neighbor IP, as it exists in a separate availability zone in the PoP.
Alternative Access Location: If you would like to provide an alternate IP address for the managed service, toggle Alternative Access Location to ON and specify the IP address.
Tags: Click Add and specify the Key and Value. You can add a maximum of 50 tags. For information about tags, see Managing Tags.
Configure the following in the Access Locations pane:
Type: Choose whether the type is a Site or an AWS Cloud VPC.
Physical Location: Click Select to add Physical Location. Choose Existing to select an existing Physical Location from the drop-down. Alternatively, choose New to create a new Physical Location by specifying the following:
Name: Specify the name of the Site.
Country: Select the country from the drop-down. Alternatively, you can also specify the Postal Code.
Postal Code: Specify the Postal Code. If you specify a valid Postal Code, the address, including the country, is entered automatically.
Contact: Expand the Contact section to enter Contact Name, Email, and Phone details.
Routing: Choose one of the following options:
Static: Choose this option if you are using static routing. If you choose this option, configure the following settings:
LAN Subnet(s): Specify the LAN Subnets. Each must be a private IP subnet that needs to communicate with NIOS-X as a Service. You can specify multiple subnets separated by commas. Click Add. The following subnets are not allowed: 169.254.0.0/16, 100.64.0.0/10, 172.31.0.0/16.
Tunnel: Click Add. Configure the following settings for the tunnel.
Name: Specify a name for the tunnel.
WAN IP Addresses: Specify one or two WAN IP addresses. This is the public IP of your Internet-facing gateway (Router/Firewall). A maximum of two IP addresses is allowed, separated by a comma. The following IP addresses are not allowed: 169.254.0.0/16, 100.64.0.0/10.
Primary Path: Click Add Credential and configure the following:
Name: Specify the name of the credential.
Description: Provide a brief description.
Pre-shared Key: Specify a pre-shared key.
Tags: For information about tags, see Managing Tags.
Secondary Path: Click Add Credential and configure the following:
Name: Specify the name of the credential.
Description: Provide a brief description.
Pre-shared Key: Specify a pre-shared key.
Tags: For information about tags, see Managing Tags.
Dynamic (BGP): Choose this option if you are using Anycast (BGP). If you choose this option, configure the following settings:
Tunnel: Click Add. Configure the following settings for the tunnel.
Name: Specify a name for the tunnel.
WAN IP Addresses: Specify one or two WAN IP addresses. This is the public IP of your Internet-facing gateway (Router/Firewall). A maximum of two IP addresses is allowed, separated by a comma. The following IP addresses are not allowed: 169.254.0.0/16, 100.64.0.0/10.
Primary Path: Click Add Credential and configure the following:
Name: Specify the name of the credential.
Description: Provide a brief description.
Pre-shared Key: Specify a pre-shared key.
Tags: For information about tags, see Managing Tags.
Secondary Path: Click Add Credential and configure the following:
Name: Specify the name of the credential.
Description: Provide a brief description.
Pre-shared Key: Specify a pre-shared key.
Tags: For information about tags, see Managing Tags.
Local BGP Configuration: Configure the following settings for local BGP:
Neighbor Router IP Addresses: Specify one or more IP addresses for the neighbor router.
Access Location ASN: This is the Autonomous System Number (ASN) for the access location, that is, the ASN responsible for the network in that location (for example, the ASN that operates in a specific country or city).
Hop Limit: If multihop is enabled, enter the maximum hop limit. The default value is 255. Enable Multihop in your Anycast settings to allow BGP to connect with the neighbors that are more than one IP hop away.
Identity: Choose KeyID, FQDN, or Email.
Click Add Tunnel.
Tags: Click Add and specify the Key and Value. You can add a maximum of 50 tags. For information about tags, see Managing Tags.
Click Add Location after configuring the access locations. To change an access location after it has been added, expand the access location tree, hover over the site name, and click ⋮ to edit or delete the access location.
Click Add Deployment to complete a service deployment configuration.
Click ⋮ to edit any parameters of service deployment or delete service deployment.
To add multiple service deployments, click Add Service Deployment again.
Click Save to save the newly created service.
The Service IP, Primary Neighbor IP and Secondary Neighbor IP are independent /32 IP addresses. It is recommended (but not mandatory) that the IP addresses be unique across all your service deployments. The Primary Neighbor IP is accessible only via the primary VPN tunnel. The Secondary Neighbor IP is accessible only via the secondary VPN tunnel. The Service IP is accessible via both primary and secondary VPN tunnels.
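The address rules above (Service IP, LAN Subnet(s), WAN IP Addresses) and the BGP timer defaults are easy to get wrong when planning several deployments, so the following added example (not Infoblox code, and not the product's own validation) pre-checks planned field values against the ranges and limits this page states. It treats each IP as the /32 the page describes; the Hold Time check applies the usual rule of thumb that Hold Time is at least three times Keep Alive, which the page only states as the default ratio.

```python
import ipaddress
# Ranges this page lists as not allowed for each field.
SERVICE_IP_DENY = ("169.254.0.0/16", "172.31.0.0/16")
LAN_SUBNET_DENY = ("169.254.0.0/16", "100.64.0.0/10", "172.31.0.0/16")
WAN_IP_DENY = ("169.254.0.0/16", "100.64.0.0/10")


def _in_denied(net, denied):
    """True if net overlaps any of the denied ranges."""
    return any(net.overlaps(ipaddress.ip_network(d)) for d in denied)


def check_service_ip(ip):
    """Service IP: a single private address (treated as a /32) outside the denied ranges."""
    net = ipaddress.ip_network(f"{ip.strip()}/32")  # ValueError on a malformed address
    errs = []
    if not net.is_private:
        errs.append(f"Service IP {ip} is not a private address")
    if _in_denied(net, SERVICE_IP_DENY):
        errs.append(f"Service IP {ip} is in a disallowed range")
    return errs


def check_lan_subnets(field):
    """LAN Subnet(s): comma-separated private subnets, none in a denied range."""
    errs = []
    for item in (s.strip() for s in field.split(",") if s.strip()):
        net = ipaddress.ip_network(item, strict=False)
        if not net.is_private:
            errs.append(f"LAN subnet {item} is not a private subnet")
        if _in_denied(net, LAN_SUBNET_DENY):
            errs.append(f"LAN subnet {item} is in a disallowed range")
    return errs


def check_wan_ips(field):
    """WAN IP Addresses: one or two comma-separated addresses, none in a denied range."""
    ips = [s.strip() for s in field.split(",") if s.strip()]
    errs = [] if 1 <= len(ips) <= 2 else ["WAN IP Addresses: one or two addresses required"]
    for ip in ips:
        if _in_denied(ipaddress.ip_network(f"{ip}/32"), WAN_IP_DENY):
            errs.append(f"WAN IP {ip} is in a disallowed range")
    return errs


def check_bgp_timers(keep_alive, hold_time):
    """Hold Time 0 disables Keep Alives (per the page); otherwise expect Hold Time >= 3 x Keep Alive."""
    if hold_time == 0:
        return []
    if hold_time < 3 * keep_alive:
        return [f"Hold Time {hold_time}s is below 3 x Keep Alive ({3 * keep_alive}s)"]
    return []
```

Run each planned field value through the matching function before entering it in the UI; an empty list means the value passes the page's stated rules.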
Configure your router and add the required parameters. For more information, refer to Configuring an IPSec Tunnel and your router’s documentation.
A service can be created without a Capability or Service Deployment configuration. In that case, nothing is deployed on the Infoblox-managed cloud. Deployments on the Infoblox-managed cloud are made only when you configure both a Capability and a Service Deployment.