Secure Tunnel
A Secure Tunnel provides endpoint-to-endpoint connections across a hybrid network without opening firewall rules in an enterprise network. It allows access between different networks through TCP over HTTPS technology.
It can be applied in many use scenarios, such as MCMP, RBA, Infrastructure automation, Slack Connection for AIOps, Instana, and Turbonomic.
The traffic through these connections is encrypted with HTTPS. A Secure Tunnel can control access to resources between different networks with more granular control, and it collects all operations and traffic logs in audit records.
If you use a Secure Tunnel, it is not necessary to modify any access rules or firewall configuration of the existing infrastructure. Like a traditional VPN, it bridges two networks: the one where the Secure Tunnel server runs and the one where the Secure Tunnel Connector runs.
To learn more about Secure Tunnel, see the following sections:
Terminology
To manage a connection, you need to understand the following concepts:
- Secure Tunnel: a group of microservices that includes the following services:
  - UI Server: provides the static resources of the Secure Tunnel console and handles some of the UI logic.
  - API Server: verifies and processes the user's operation requests that come from the Secure Tunnel console, then operates the Secure Tunnel Custom Resources (CRs) according to the request.
  - Controller: monitors updates to the Secure Tunnel Custom Resources (CRs) and takes actions according to the CR updates.
- Tunnel Connection: the configuration data for bridging two networks.
- Application mapping: the configuration data used to control:
  - which applications on the network of the Secure Tunnel side can be accessed by the Secure Tunnel Connector side.
  - which applications on the network of the Secure Tunnel Connector side can be accessed by the Secure Tunnel side.
  The Tunnel Connection worker and the Secure Tunnel Connector use this data to control access to applications.
- Tunnel Connection worker: the instance of a Tunnel Connection. One Tunnel Connection is created on one or more Tunnel Connection worker pods. It is also the server side of a TCP-over-HTTPS tunnel. Based on the OSS project.
- Secure Tunnel Connector: the other side of the TCP-over-HTTPS tunnel. It is installed on the peer network to bridge that network with the network where the Secure Tunnel is installed. It is based on the OSS project.
Architecture
Features
- Like a traditional VPN, Secure Tunnel can bridge two or more networks. Unlike VPN, it provides more fine-grained resource control.
- Lightweight, easy to install and use, and can be used anywhere.
- Authentication and authorization with the Platform UI core or OCP OAuth and RBAC system.
- Provides two user interfaces:
  - Secure Tunnel console: a customer can configure a Secure Tunnel Connection and control which applications can be accessed by the peer network from the console UI.
  - Command line: an automation script can configure a Secure Tunnel Connection and control which applications can be accessed by the peer network by using the kubectl or oc command line tools to operate the CRs of the Secure Tunnel.
- The connection is encrypted with mTLS.
- Based on the OSS project.
High-Level Design
- Secure Tunnel can be installed to an OCP (Red Hat OpenShift Container Platform) cluster from the Operator Hub of the Red Hat OpenShift console.
- Secure Tunnel Connector can be installed to an OCP cluster, a Kubernetes cluster (such as IBM Kubernetes Service), or a host machine (VM or physical machine).
- It can bridge the network on the Secure Tunnel side and the network on the Secure Tunnel Connector side through a WebSocket connection between the Secure Tunnel and the Secure Tunnel Connector, authenticated with mTLS. Then, you can use the Secure Tunnel console or the command line tools to control:
  - which applications on the network of the Secure Tunnel side can be accessed by the Secure Tunnel Connector side.
  - which applications on the network of the Secure Tunnel Connector side can be accessed by the Secure Tunnel side.
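The application-mapping model described in the Terminology section and in the two bullets above amounts to a per-direction allow-list that a tunnel endpoint consults before forwarding a connection, with every attempt written to the audit log. The following is an added illustration of that decision logic, not the product's own code; the class names, direction labels, and sample hosts are assumptions made for the example.

```python
# Added example (not from the Secure Tunnel product): a minimal model of the
# application-mapping allow-list consulted before a TCP connection is forwarded.
# All names, direction labels and sample hosts below are constructed for illustration.
from dataclasses import dataclass, field

# Hypothetical labels for the two directions the page describes.
TO_CONNECTOR_SIDE = "secure-tunnel-side-app-accessed-by-connector-side"
TO_TUNNEL_SIDE = "connector-side-app-accessed-by-secure-tunnel-side"


@dataclass(frozen=True)
class ApplicationMapping:
    """One mapping entry: which application (host:port) is reachable, and from which side."""
    direction: str
    host: str
    port: int


@dataclass
class MappingPolicy:
    mappings: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # stands in for the audit log system

    def add(self, mapping: ApplicationMapping) -> None:
        """Configuration change: record the new mapping and audit it."""
        normalized = ApplicationMapping(mapping.direction, mapping.host.lower(), mapping.port)
        self.mappings.add(normalized)
        self.audit.append(("config", "add-mapping", normalized.direction,
                           f"{normalized.host}:{normalized.port}"))

    def decide(self, direction: str, host: str, port: int) -> bool:
        """Default-deny: only an explicitly mapped application, in the mapped direction, is reachable."""
        allowed = ApplicationMapping(direction, host.lower(), port) in self.mappings
        # Every connection attempt, allowed or denied, produces an audit record.
        self.audit.append(("connection", "allow" if allowed else "deny", direction, f"{host}:{port}"))
        return allowed


def build_sample_policy() -> MappingPolicy:
    """Constructed sample: expose exactly one application in each direction."""
    policy = MappingPolicy()
    policy.add(ApplicationMapping(TO_CONNECTOR_SIDE, "aiops-api.svc", 443))
    policy.add(ApplicationMapping(TO_TUNNEL_SIDE, "on-prem-db.example.internal", 5432))
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.decide(TO_TUNNEL_SIDE, "on-prem-db.example.internal", 5432))  # True: mapped
    print(p.decide(TO_TUNNEL_SIDE, "on-prem-db.example.internal", 22))    # False: port not mapped
    for record in p.audit:
        print(record)
```

The point to carry over to a real deployment is the default-deny behaviour: an unmapped port or a mapping in the wrong direction is refused, and the refusal itself is auditable.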
Security
The following security measures make Secure Tunnel a safe tool to use.
- Authentication
  - The IBM Cloud Pak for Watson AIOps console accesses the Tunnel Connection worker with a JWT authentication token.
  - The Connector is authenticated with Mutual Transport Layer Security (mTLS).
- Access control
  - Only IBM Cloud Pak for Watson AIOps console users with the Automation Administrator or Administrator role can use Secure Tunnel. For more information about users and roles, see Managing user access control.
- Data encryption in communication
  - All traffic from outside the cluster (Connector or console) is transported over HTTPS.
  - All application mapping traffic is encrypted by TCP over HTTPS.
- Auditing
  - All configuration changes (tunnel connection or application mapping) are stored in the log system for auditing. For more information, see Configuring tunnel audit logs.
  - All connections are stored in the log system for usage metrics and auditing.
How to use Secure Tunnel
- To create a Secure Tunnel for an integration, see Creating Secure Tunnel Connections.
- To copy the application mapping URL that can be accessed by an integration, or to view the configuration details and status of all tunnel connections and application mappings, see Viewing Secure Tunnel.
- To modify configurations for a Secure Tunnel, see Modifying Secure Tunnel.
- To audit Secure Tunnel operations and connections, see Auditing Secure Tunnel.