Steps to "Reload" "routedBypassRulesFile.json" file:
- Create an AWS bucket and place on it the "privateAccessPeersConfig.json" file. See Example below.
- Download the file to the CSC: run Command "AWS-RunShellScript" on the CSC with the following command:
wget <Your bucket file URL> -O /usr/local/etc/mhb-csc/privateAccessPeersConfig.json
- Run Document "MHB-CSC-Reload-Private-Access-JSON-file" to apply the changes.
Two examples are given below:
Example 1: All traffic any to any location.
The fields in bold are not configurable; please do not modify them.
{
  "peers": [
    {
      "nodeName": "ns-cgc00001",
      "description": "Node on VMware Server 1",
      "location": "HQ",
      "publicKey": "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=",
      "publicIpAndUdpPort": "200.1.1.1:51821",
      "privateCirdIp": "192.168.7.1/24",
      "persistentKeepAlive": "no",
      "networks": [ "10.1.1.0/24", "10.1.2.0/24" ],
      "privateApps": [
        {
          "description": "Allow all traffic to this site",
          "ipProtocol": "all",
          "sourceCirdIp": [ "0.0.0.0/0" ],
          "destinationCirdIp": [ "10.1.1.0/24", "10.1.2.0/24" ],
          "destinationSinglePorts": [ "" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        }
      ]
    },
    {
      "nodeName": "ns-cgc00002",
      "description": "Node on VMware Server 2",
      "location": "Datacentre 2",
      "publicKey": "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=",
      "publicIpAndUdpPort": "200.1.1.2:51821",
      "privateCirdIp": "192.168.7.2/24",
      "persistentKeepAlive": "no",
      "networks": [ "10.2.1.0/24", "10.2.2.0/24" ],
      "privateApps": [
        {
          "description": "Allow all traffic to this site",
          "ipProtocol": "all",
          "sourceCirdIp": [ "0.0.0.0/0" ],
          "destinationCirdIp": [ "10.2.1.0/24", "10.2.2.0/24" ],
          "destinationSinglePorts": [ "" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        }
      ]
    },
    {
      "nodeName": "ns-cgc00003",
      "description": "Node on VMware Server 3",
      "location": "Branch",
      "publicKey": "TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=",
      "publicIpAndUdpPort": "200.1.1.3:51821",
      "privateCirdIp": "192.168.7.3/24",
      "persistentKeepAlive": "no",
      "networks": [ "10.3.1.0/24", "10.3.2.0/24" ],
      "privateApps": [
        {
          "description": "Allow all traffic to this site",
          "ipProtocol": "all",
          "sourceCirdIp": [ "0.0.0.0/0" ],
          "destinationCirdIp": [ "10.3.1.0/24", "10.3.2.0/24" ],
          "destinationSinglePorts": [ "" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        }
      ]
    }
  ]
}
Example 2: Multiple Rules.
ns-cgc00001: HQ
PrivateApps:
- Intranet Server (TCP 80, 443) from any site.
- Windows Domain Controllers (specific TCP & UDP ports and Ping) from any site.
- Syslog server (TCP 514) from any site.
- Internal GW (PING) from any site.
ns-cgc00002: Datacentre 2
PrivateApps:
- SSH & RDP to 10.2.1.4-6 from HQ MGMT network (10.1.1.100/32).
- PING to "networks" (10.2.1.0/24 & 10.2.2.0/24) from HQ MGMT network (10.1.1.100/32).
ns-cgc00003: Datacentre 3
PrivateApps:
- PING to "networks" (10.3.1.0/24 & 10.3.2.0/24) from HQ MGMT network (10.1.1.100/32).
The fields in bold are not configurable; please do not modify them.
{
  "peers": [
    {
      "nodeName": "ns-cgc00001",
      "description": "Node on VMware Server 1",
      "location": "HQ",
      "publicKey": "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=",
      "publicIpAndUdpPort": "200.1.1.1:51821",
      "privateCirdIp": "192.168.7.1/24",
      "persistentKeepAlive": "no",
      "networks": [ "10.1.1.0/24", "10.1.2.0/24" ],
      "privateApps": [
        {
          "description": "Intranet Server",
          "ipProtocol": "tcp",
          "sourceCirdIp": [ "0.0.0.0/0" ],
          "destinationCirdIp": [ "10.1.1.199/32" ],
          "destinationSinglePorts": [ "80", "443" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        },
        {
          "description": "Domain Controllers TCP",
          "ipProtocol": "tcp",
          "sourceCirdIp": [ "0.0.0.0/0" ],
          "destinationCirdIp": [ "10.1.1.100/32", "10.1.2.100/32" ],
          "destinationSinglePorts": [ "135", "464", "389", "636", "3268", "3269", "53", "88", "445" ],
          "destinationPortRange": { "fromPort": "49152", "toPort": "65535" }
        },
        {
          "description": "Domain Controllers UDP",
          "ipProtocol": "udp",
          "sourceCirdIp": [ "0.0.0.0/0" ],
          "destinationCirdIp": [ "10.1.1.100/32", "10.1.2.100/32" ],
          "destinationSinglePorts": [ "123", "464", "389", "53", "88" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        },
        {
          "description": "Domain Controllers PING",
          "ipProtocol": "icmp",
          "sourceCirdIp": [ "0.0.0.0/0" ],
          "destinationCirdIp": [ "10.1.1.100/32", "10.1.2.100/32" ],
          "destinationSinglePorts": [],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        },
        {
          "description": "Syslog server",
          "ipProtocol": "tcp",
          "sourceCirdIp": [ "0.0.0.0/0" ],
          "destinationCirdIp": [ "10.1.1.199/32" ],
          "destinationSinglePorts": [ "514" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        },
        {
          "description": "Syslog Ping",
          "ipProtocol": "icmp",
          "sourceCirdIp": [ "0.0.0.0/0" ],
          "destinationCirdIp": [ "10.1.1.199/32" ],
          "destinationSinglePorts": [ "" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        },
        {
          "description": "ICMP to Internal GW",
          "ipProtocol": "icmp",
          "sourceCirdIp": [ "0.0.0.0/0" ],
          "destinationCirdIp": [ "10.1.1.133/32" ],
          "destinationSinglePorts": [ "" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        }
      ]
    },
    {
      "nodeName": "ns-cgc00002",
      "description": "Node on VMware Server 2",
      "location": "Datacentre 2",
      "publicKey": "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=",
      "publicIpAndUdpPort": "200.1.1.2:51821",
      "privateCirdIp": "192.168.7.2/24",
      "persistentKeepAlive": "no",
      "networks": [ "10.2.1.0/24", "10.2.2.0/24" ],
      "privateApps": [
        {
          "description": "Allow SSH and RDP from MGMT HQ to Servers",
          "ipProtocol": "tcp",
          "sourceCirdIp": [ "10.1.1.100/32" ],
          "destinationCirdIp": [ "10.2.1.4/32", "10.2.1.5/32", "10.2.1.6/32" ],
          "destinationSinglePorts": [ "22", "3389" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        },
        {
          "description": "Allow PING from MGMT HQ to all",
          "ipProtocol": "icmp",
          "sourceCirdIp": [ "10.1.1.100/32" ],
          "destinationCirdIp": [ "10.2.1.0/24", "10.2.2.0/24" ],
          "destinationSinglePorts": [ "" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        }
      ]
    },
    {
      "nodeName": "ns-cgc00003",
      "description": "Node on VMware Server 3",
      "location": "Branch",
      "publicKey": "TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=",
      "publicIpAndUdpPort": "200.1.1.3:51821",
      "privateCirdIp": "192.168.7.3/24",
      "persistentKeepAlive": "no",
      "networks": [ "10.3.1.0/24", "10.3.2.0/24" ],
      "privateApps": [
        {
          "description": "Allow PING from MGMT HQ to all",
          "ipProtocol": "icmp",
          "sourceCirdIp": [ "10.1.1.100/32" ],
          "destinationCirdIp": [ "10.3.1.0/24", "10.3.2.0/24" ],
          "destinationSinglePorts": [ "" ],
          "destinationPortRange": { "fromPort": "", "toPort": "" }
        }
      ]
    }
  ]
}
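As an added pre-upload check that is not part of the original procedure (my code, not the vendor's), the following Python validator parses a privateAccessPeersConfig.json document in the format of the two examples above and reports missing peer keys, malformed CIDRs, unknown protocols, out-of-range ports and inverted port ranges, then separately lists any-source/all-protocol rules so they can be reviewed before the reload document is run. The accepted protocol set and the required key names are assumed from the examples, and the embedded sample is constructed.

```python
import ipaddress
import json
# Protocol values seen in the page's examples; assumed here to be the accepted set.
PROTOCOLS = {"all", "tcp", "udp", "icmp"}
PEER_KEYS = {"nodeName", "publicKey", "publicIpAndUdpPort", "privateCirdIp", "networks", "privateApps"}
# Constructed sample in the page's format (not one of its examples): a port-restricted rule beside an any-source/all-protocol rule.
SAMPLE = json.dumps({"peers": [{
    "nodeName": "ns-cgc00001", "publicKey": "<constructed-key>", "publicIpAndUdpPort": "200.1.1.1:51821",
    "privateCirdIp": "192.168.7.1/24", "persistentKeepAlive": "no", "networks": ["10.1.1.0/24"],
    "privateApps": [
        {"description": "Intranet", "ipProtocol": "tcp", "sourceCirdIp": ["0.0.0.0/0"],
         "destinationCirdIp": ["10.1.1.199/32"], "destinationSinglePorts": ["80", "443"],
         "destinationPortRange": {"fromPort": "", "toPort": ""}},
        {"description": "Everything", "ipProtocol": "all", "sourceCirdIp": ["0.0.0.0/0"],
         "destinationCirdIp": ["10.1.1.0/24"], "destinationSinglePorts": [""],
         "destinationPortRange": {"fromPort": "", "toPort": ""}}]}]})

def _is_cidr(v):
    try:
        ipaddress.ip_network(v, strict=False)  # the file uses CIDR strings throughout
        return True
    except ValueError:
        return False

def _port_ok(p):
    return isinstance(p, str) and p.isdigit() and 1 <= int(p) <= 65535

def validate_peers_config(text):
    """Return the problems found in a privateAccessPeersConfig.json document (empty list = well-formed)."""
    problems = []
    for peer in json.loads(text).get("peers", []):
        name = peer.get("nodeName", "<unnamed>")
        problems += [f"{name}: missing key {k}" for k in sorted(PEER_KEYS - set(peer))]
        problems += [f"{name}: invalid CIDR {c!r}" for c in peer.get("networks", []) if not _is_cidr(c)]
        for app in peer.get("privateApps", []):
            tag = f"{name}/{app.get('description', '?')}"
            if app.get("ipProtocol") not in PROTOCOLS:
                problems.append(f"{tag}: unknown ipProtocol {app.get('ipProtocol')!r}")
            problems += [f"{tag}: invalid CIDR {c!r}" for c in app.get("sourceCirdIp", []) + app.get("destinationCirdIp", []) if not _is_cidr(c)]
            # An empty string means "no port" in this format; anything else must be a real port number.
            problems += [f"{tag}: bad port {p!r}" for p in app.get("destinationSinglePorts", []) if p and not _port_ok(p)]
            lo, hi = (app.get("destinationPortRange", {}).get(k, "") for k in ("fromPort", "toPort"))
            if (lo or hi) and not (_port_ok(lo) and _port_ok(hi) and int(lo) <= int(hi)):
                problems.append(f"{tag}: bad destinationPortRange {lo!r}-{hi!r}")
    return problems

def any_source_all_protocol_rules(text):
    """Rules that admit every source to every protocol: worth a second look before reloading the CSC."""
    return [f"{p['nodeName']}/{a['description']}" for p in json.loads(text)["peers"]
            for a in p["privateApps"] if a["ipProtocol"] == "all" and "0.0.0.0/0" in a["sourceCirdIp"]]
```

Run validate_peers_config on the downloaded file before invoking the reload document; a non-empty result means the CSC would be handed a rule set that differs from what was intended.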