Router policies
A router policy governs the relationship between identities and routers. It answers the question: Which routers is this identity allowed to connect to and use?
This policy authorizes specific identities to connect to and use specific routers. While there's no single typical use, a common pattern is providing access to a set of publicly accessible routers (e.g., using an #all or #public attribute) to allow any identity to initially access the network. These policies can also be used for:
- Restricting access: Limit specific identity groups to a dedicated subset of routers.
- Performance tiers: Provide dedicated bandwidth or specific network performance characteristics to certain identities (though this is managed by the underlying network infrastructure).
Requirements for connection
Router policies are mandatory, but a policy alone isn't sufficient to establish a connection:
- You must have at least one router policy defined, and the identity must meet the specific criteria (attributes) defined within that policy, for the identity to be able to connect to the NetFoundry network.
- The router specified in the authorized policy must meet two key operational conditions at the time the identity attempts to connect:
  - The router must be network-addressable and reachable by the client.
  - The router must be successfully connected to the NetFoundry mesh overlay.
If an identity is authorized to use multiple routers, the NetFoundry smart routing logic chooses the best path based on internal performance metrics (such as cost and precedence).
Console reference
Router policies table
The Router Policies tab (often labeled Edge Router Policies) lists the rules that authorize specific identities to connect to specific Edge Routers to enter the network fabric.
| Column | Description |
|---|---|
| Name | The unique, user-defined name for the policy. |
| Router Attributes | The set of router attributes included in this policy. Defines which routers accept connections from the listed identities. |
| Identity Attributes | The set of identity attributes included in this policy. Defines which identities are authorized to connect to the matched routers. |
| Semantic | The logic used to match attributes (AnyOf or AllOf). Determines if an entity needs one or all listed attributes to match the policy. |
| Created At | The date and time the policy was created. |
| ID | The unique ID (UUID) assigned to the policy by the controller. |
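
The attribute matching (AnyOf or AllOf) and the connection requirements described above can be modeled together to audit which routers an identity can actually use. This is an added example, not NetFoundry code: the class names, function names, and sample routers and policies are constructed, and it assumes `#all` matches every entity and that a policy's semantic applies to both of its attribute lists.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    router_attrs: frozenset
    identity_attrs: frozenset
    semantic: str            # "AnyOf" or "AllOf"

@dataclass(frozen=True)
class Router:
    name: str
    attrs: frozenset
    reachable: bool          # network-addressable and reachable by the client
    mesh_connected: bool     # connected to the mesh overlay

def matches(listed, entity_attrs, semantic):
    """True if an entity's attributes satisfy a policy's attribute list."""
    if "#all" in listed:     # assumption: #all matches every entity
        return True
    if semantic == "AllOf":
        return bool(listed) and listed <= entity_attrs
    if semantic == "AnyOf":
        return bool(listed & entity_attrs)
    raise ValueError(f"unknown semantic: {semantic}")

def usable_routers(identity_attrs, routers, policies):
    """Map each router the identity can use right now to the policies granting it."""
    grants = {}
    for r in routers:
        if not (r.reachable and r.mesh_connected):
            continue         # authorized on paper, but fails the operational conditions
        names = [p.name for p in policies
                 if matches(p.identity_attrs, identity_attrs, p.semantic)
                 and matches(p.router_attrs, r.attrs, p.semantic)]
        if names:
            grants[r.name] = names
    return grants

# Constructed sample data (hypothetical names and attributes)
ROUTERS = [
    Router("public-1", frozenset({"#public"}), True, True),
    Router("public-2", frozenset({"#public"}), True, False),   # not on the mesh
    Router("finance-1", frozenset({"#finance", "#eu"}), True, True),
]
FIN = frozenset({"#finance", "#eu"})
POLICIES = [
    Policy("default-access", frozenset({"#public"}), frozenset({"#all"}), "AnyOf"),
    Policy("finance-eu", FIN, FIN, "AllOf"),
]
```

With this data, an identity holding only `#finance` gets just `public-1`: the AllOf policy needs both attributes, and `public-2` is filtered out because it is not connected to the mesh. Switching `finance-eu` to AnyOf would grant that same identity `finance-1`, which is why the Semantic column is worth checking when reviewing policies for least privilege.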