Management (in the EMC)
Gateways are managed through the Enclave management console (EMC). The EMC provides a web interface for creating, updating and deleting gateways, and for managing their associated gateway nodes and settings. Gateways are found in the EMC under Networking > Gateways.
Configuration
To add a gateway, you will need to know the following information:
- Hostname: The hostname of the gateway.
- Name: An optional human-readable name for the gateway.
- Static IP: Optional static IP address for the gateway. Required if the gateway is going to be used as an egress route. Note that support for egress routing is currently in a limited release phase.
- Enclave gateway subnet: A new virtual subnet that will be created for the gateway. It must be a unique subnet outside your Enclave network subnet, and it is used to route traffic to the gateway. For example, if your Enclave network subnet is 10.100.0.0/16, you could use 10.101.1.0/24 for the gateway subnet. Any gateway nodes created behind this gateway are assigned an IP address from this subnet.
- Labels: Optional labels to assign to the gateway.
The enclave gateway subnet
The Enclave gateway subnet is a virtual subnet created for the gateway and used to route traffic to it. Choose a unique subnet that does not overlap with your Enclave network subnet or with any other gateway subnet. Currently only one gateway subnet per gateway is supported, and it must be no larger than a /24. Gateway nodes created behind the gateway are assigned their IP addresses from this subnet. If you later change the gateway subnet, nodes already created behind the gateway keep their old Enclave IP addresses, which will very likely break network connectivity to them, so you will need to manually update the Enclave IP address of each of those nodes.
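The following is an added example (not part of the Enclave documentation or the EMC itself) that checks a proposed gateway subnet against the constraints stated above, hands out node addresses from it, and shows which route an agent would pick for a destination once the gateway subnet is installed as a separate route alongside the Enclave network route. The subnets, gateway names and node hostnames are constructed values; the checks are plain `ipaddress` logic, not an EMC API.

```python
import ipaddress
from typing import Iterable

# Constructed example: the Enclave network subnet from the text above.
ENCLAVE_NETWORK = ipaddress.ip_network("10.100.0.0/16")


def validate_gateway_subnet(candidate: str,
                            enclave_network: ipaddress.IPv4Network,
                            existing_gateway_subnets: Iterable[str] = ()) -> list[str]:
    """Return the problems with a proposed gateway subnet (an empty list means OK).

    Enforces the documented constraints: a proper CIDR network, no overlap with
    the Enclave network subnet or any other gateway subnet, and no larger than /24.
    """
    problems: list[str] = []
    try:
        # strict=True rejects host bits, e.g. 10.101.1.5/24, which is not a subnet.
        subnet = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid network in CIDR form: {exc}"]
    if subnet.version != enclave_network.version:
        return ["address family does not match the Enclave network"]
    if subnet.prefixlen < 24:
        problems.append(f"/{subnet.prefixlen} is larger than the /24 maximum")
    if subnet.overlaps(enclave_network):
        problems.append(f"overlaps the Enclave network subnet {enclave_network}")
    for other in existing_gateway_subnets:
        other_net = ipaddress.ip_network(other)
        if subnet.overlaps(other_net):
            problems.append(f"overlaps existing gateway subnet {other_net}")
    return problems


def allocate_node_ips(gateway_subnet: str, hostnames: list[str]) -> dict[str, str]:
    """Assign each gateway node a usable host address from the gateway subnet, in order.

    Raises if the subnet is too small, which is the practical cost of the /24 cap.
    """
    subnet = ipaddress.ip_network(gateway_subnet)
    hosts = list(subnet.hosts())
    if len(hostnames) > len(hosts):
        raise ValueError(f"{gateway_subnet} has only {len(hosts)} usable addresses "
                         f"for {len(hostnames)} nodes")
    return {name: str(addr) for name, addr in zip(hostnames, hosts)}


def route_for(dst: str, enclave_network: ipaddress.IPv4Network,
              gateway_subnets: dict[str, str]) -> str:
    """Longest-prefix match over the Enclave network route plus one route per
    gateway subnet. Returns 'enclave', 'gateway:<name>' or 'none'.

    With non-overlapping subnets the answer is unambiguous; if a gateway subnet
    were carved out of the Enclave network, the more specific gateway route would
    silently capture traffic meant for ordinary agents in that range.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    if addr in enclave_network:
        best = (enclave_network.prefixlen, "enclave")
    for name, cidr in gateway_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, f"gateway:{name}")
    return best[1] if best else "none"


if __name__ == "__main__":
    print(validate_gateway_subnet("10.101.1.0/24", ENCLAVE_NETWORK))       # []
    print(validate_gateway_subnet("10.100.5.0/24", ENCLAVE_NETWORK))       # overlap
    print(allocate_node_ips("10.101.1.0/24", ["printer", "plc", "nas"]))
    print(route_for("10.101.1.2", ENCLAVE_NETWORK, {"dc1": "10.101.1.0/24"}))
```

Run the validator before creating the gateway in the EMC, and re-run `allocate_node_ips` against the new subnet if you ever change it, since that is exactly the list of node addresses you will have to update by hand.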
Adding gateway nodes
Under Networking > Gateways in the EMC, select the gateway you want to add a node to, then select the Gateway Nodes tab at the top. From there, add a new gateway node by clicking the Add gateway node button. You will need to provide the following information:
- Hostname: The hostname of the gateway node.
- Name: An optional human-readable name for the gateway node.
- Remote address type: Whether the gateway node is reached by a static IP address or by a hostname. If hostname is selected, the agent resolves the hostname using the DNS configured on the device.
- Labels: Optional labels to assign to the gateway node.
Reassigning gateway nodes
If you need to assign a gateway node to a different gateway, select the node under Agents > Nodes in the EMC and use the Gateway dropdown to choose a different gateway. Routing for the node is updated automatically to use the new gateway, which is useful when you are moving gateways around in your network.
How routing works to gateway nodes (ingress routing)
If you have Enclave rules that allow traffic to a gateway node, the agent installs a separate route that sends traffic for the gateway subnet to the gateway. Traffic to the gateway node first flows into the gateway, which then applies DNAT (Destination Network Address Translation) to rewrite the destination to the gateway node's remote IP address or hostname. This lets you reach the gateway node over the Enclave network. All traffic is encrypted between the agent and the gateway, but the encryption terminates at the gateway so the packets can be handled by the remote device: the final hop from the gateway to the gateway node is ordinary network traffic, so if that segment needs protection, rely on the application protocol (for example TLS or SSH).
How routing works from gateway nodes (egress routing)
If you have a physical gateway, gateway nodes support egress routing into the overlay network, meaning that gateway nodes can reach resources in the Enclave network such as other gateway nodes or agents. Traffic from the gateway node is sent to the gateway's static IP address or hostname, and the gateway automatically routes it back into the Enclave network so that it arrives at the given Enclave IP. The device behind the gateway does not need any routing information about the Enclave network subnet (or other gateway subnets), since the translation is done by the gateway. This lets you deploy gateways without changing network topology or managing vendor-locked devices. Note that traffic is only encrypted once it leaves the gateway; the hop from the device to the gateway is not covered by Enclave's encryption.