- 12 Apr 2023
Accessing Edge Services through the WAN Interface
- Updated on 12 Apr 2023
This section describes the Service Listener feature, which provides access to Edge services through the iNode WAN interface. You create service listeners at the iNode level, one listener per service. A listener can be configured for an existing service or for a service that will be created later.
Prerequisites
Before you begin, verify the following conditions are met:
- Organization Policy: Ensure that your organization has the service listener policy enabled. Contact View Support to enable this feature.
- User Permissions: Service listeners can be created by users with SERVICE-ADMIN, NODE-ADMIN, SUPPORT, SUPERADMIN, and ADMIN roles.
- iNode Version: The Service Listener feature is supported on iNode version 2641.0.3. Older iNode versions do not support this feature. Please upgrade your iNodes to version 2641.0.3 to use this feature.
- Network Configuration: For service listeners to function, ensure that in the Edge iNode page > Add Network configuration, the Default Destination field is set to WAN.
- Firewall Configuration in the Network Where the iNode Is Deployed: Configure the required firewall policy in the network where the iNode is deployed to permit access to the iNode WAN interface.
- GCP Edge iNode Firewall Policy Configuration: Verify the following:
- Configure the Firewall Policy for the GCP Edge iNode.
- Provide network tags in the Edge instance network. Use these tags when configuring the firewall policy to allow access for the instance. This step is important to ensure that the services are accessible through the internet.
Please see the example use case at the end of this section.
Create a Service Listener
To create a service listener, do the following steps:
- From the iNodes > All iNodes page, select the name of the Virtual Edge iNode to display its iNode details page.
- From the iNode details page, select the Service Listeners tab.
- On the right, select the plus icon (+) to display the Add Listener page.
- Select the service and enter a name for this service. The Service Selector field indicates the service for which the listener is being configured. Ensure that the service name matches the name of the edge service that is deployed or will be deployed. The service name is case-sensitive. The service listener uses this selector to choose the service to which external access is provided.
- If a service exists, the access is provided immediately.
- You can create the service listener and then create the service with the configured name (label). When the service is created, the access is provided.
- Specify the Single / Multiple port configuration:
- iNode Port value can be used only once in a given iNode across all services. Allowed valid port range is 1024-32767.
- Port on which the Edge service is actually listening within the iNode.
- Protocol defines which protocol is allowed for WAN access. Allowed values are TCP, UDP.
- In the Allow Access From field, specify the list of IP addresses in CIDR notation (maximum of 5) that are allowed access to the Edge service. If not specified, the default is to allow access to all. Configure this field to restrict access from the external world.
- When done, click Save.
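The port and Allow Access From rules above can be checked before a set of listeners is saved. The following Python check is an added example, not code from the Secure Edge portal or its API; the dictionary field names (name, ports, inode_port, service_port, protocol, allow_from) and the sample listeners are hypothetical and constructed for illustration.

```python
import ipaddress

PORT_MIN, PORT_MAX = 1024, 32767   # valid iNode port range stated above
PROTOCOLS = {"TCP", "UDP"}         # protocols allowed for WAN access
MAX_CIDRS = 5                      # Allow Access From accepts at most 5 entries

def audit_listeners(listeners):
    """Return (listener, severity, message) findings for one iNode's listeners."""
    findings, seen = [], {}        # seen: iNode port -> listener that claimed it
    for lst in listeners:
        name = lst["name"]
        for p in lst["ports"]:
            port = p["inode_port"]
            if not PORT_MIN <= port <= PORT_MAX:
                findings.append((name, "error", f"iNode port {port} outside {PORT_MIN}-{PORT_MAX}"))
            if port in seen:       # an iNode port may be used only once per iNode
                findings.append((name, "error", f"iNode port {port} already used by {seen[port]}"))
            seen.setdefault(port, name)
            if p["protocol"] not in PROTOCOLS:
                findings.append((name, "error", f"protocol {p['protocol']} not allowed"))
        cidrs = lst.get("allow_from", [])
        if not cidrs:              # empty list falls back to the allow-all default
            findings.append((name, "warning", "Allow Access From empty: open to all sources"))
        if len(cidrs) > MAX_CIDRS:
            findings.append((name, "error", f"{len(cidrs)} CIDRs given, maximum is {MAX_CIDRS}"))
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append((name, "error", f"invalid CIDR {cidr!r}"))
                continue
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 is the same as allow-all
                findings.append((name, "warning", f"{cidr} allows every source address"))
    return findings

# Constructed sample: hypothetical field names, documentation-range addresses.
SAMPLE = [
    {"name": "Edgeservice", "allow_from": ["203.0.113.0/24"],
     "ports": [{"inode_port": 8080, "service_port": 8080, "protocol": "TCP"}]},
    {"name": "metrics", "allow_from": [],
     "ports": [{"inode_port": 8080, "service_port": 9100, "protocol": "TCP"},
               {"inode_port": 443, "service_port": 8443, "protocol": "ICMP"}]},
]

if __name__ == "__main__":
    for name, severity, message in audit_listeners(SAMPLE):
        print(f"{severity.upper():7} {name}: {message}")
```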
Update Service Listener
You can edit and update an existing Service Listener configuration for the listener ports and allow access based on the updates.
To update a service listener configuration, do the following steps:
- From the Service Listeners tab, select the Edit icon (three-vertical-dot > pencil icon) for the listener configuration to update.
- On the Edit Listener page, edit and update the listener name, ports, and allowed access, as needed.
- When done, click Update.
View Service Listener Status
To view service listener status, do the following steps:
- In the Service Listeners tab, expand the name of your listener to display the listener Port configuration state.
- Select the View Status icon (three-vertical-dot > pencil icon) to display the Status page. The View Listener Status is not available for ORG ADMIN.
- To get the hit counter values, enable the Security Policy Hit Counter toggle in Network > Security options. You need to enable the toggle for both TAN and WAN networks to get the correct hit counter values.
Delete Service Listener
You can delete a service listener by selecting Delete Listeners in the Service Listeners tab. Once the listener is deleted, external access to the service is revoked.
Service Listener Configuration Use Case Example
This section describes an example use case for creating and configuring a service listener on an iNode in the Google Cloud Platform (GCP).
In this example, an edge service application named Edgeservice is running in a network and is exposed at port 8080 for connections. The goal is to access this service from the internet through the iNode WAN interface at node port 8080. The WAN interface has the globally exposed IP address.
Service Listener Configuration in Google Cloud Platform
Adding network tags during create / edit instance
- Follow the steps described in Launching Virtual Edge iNodes (GCP) to bring up the iNode. The example figure shows an iNode named demo-gcpnode.
- Add the desired network tag in the Networking section → Network tags text box. In the example figure, note the added tag serviceaccess and that HTTP/HTTPS traffic is enabled in the Firewall option.
- Once the iNode is created, the configuration details show the network tags attached to the iNode instance. The example figure shows the following network tags → http-server, https-server and user-defined network tag → serviceaccess.
Associating Firewall policy to the GCP iNode instance using network tags
- Choose the VPC Network option from the Navigation menu and select the Firewall option.
- Complete the following fields:
- Provide a name and description for the firewall rule.
- Set the desired priority and action (allow/deny) options.
- In the Target box provide the network tag associated with the GCP instance; in our example, serviceaccess.
- In the Source IPv4 ranges, specify the list of IP addresses that are allowed to access the Edge service. Depending on the previous configuration, a deny list can also be provided. For more information, refer to the GCP Help documentation.
- Configure the ports to be opened for access.
In the network details section of the iNode instance, the newly configured firewall rule must also be listed along with the default rules that GCP creates for an instance.
Configuration in Secure Edge Portal
The example figure shows the new service listener Edgeservice.
After the listener is configured, Edgeservice can be accessed from the IP addresses listed in the Allow Access From field, using the public IP address of the GCP instance at node port 8080.