Create a simple service
This guide walks you through the creation of a simple service, which is the easiest way to define an application resource and automatically generate the necessary policies (dial and bind) and configurations (intercept and host) needed for secure connectivity.
Prerequisites
Before creating a simple service, ensure you have these resources available to authorize and carry your traffic:
- Identities or attributes: Existing identities (e.g., @bob-1) or group attributes (e.g., #tech-doc) to assign as the dialing and hosting endpoints of the service.
- Routers: At least one router available to facilitate the connection between your endpoints.
Steps
1. From the console, select your network from the dropdown in the left-hand menu.
2. Click Services in the same menu, then the plus icon (+) to create a new service.
3. Click Create simple service.
4. Fill in the Service Details:
   - Service Name: Enter a unique, user-friendly name for the service (e.g., hr-database or jira-server).
   - Select or create service attributes: Assign an attribute to the service (e.g., #finance-apps). This attribute is used later in service policies and service router policies to authorize access.
5. Configure the Accessing Configuration (the dial policy and the intercept):
   - What identities can access this service?: Enter the identity references or identity attributes of the clients (users/devices) that are allowed to connect to this service (e.g., #employees).
   - How will the service be accessed? (SDK Only):
     - Set to Yes: The service can only be accessed by applications that embed the NetFoundry SDK directly in their code. This allows for fine-grained application security, but it bypasses the local client intercept, so the service is dialed by name from the SDK and is not reachable through a tunneler.
     - Set to No: The service is accessed through a local tunneler that intercepts traffic on the client's operating system. This is the common choice for traditional applications (like RDP, SSH, or web browsers) that don't embed the SDK.
   - Enter the Hostname/IP and Port that clients will use to connect to the service (e.g., hr-database.ziti, port 1433). This is the address the tunneler intercepts on the client; it does not have to match the real address of the resource, which is entered in the hosting configuration below.
6. Configure the Hosting Configuration (the bind policy and the host):
   - What identities can host this service?: Enter the identity references or identity attributes of the host machines or routers that will provide the egress point for this service (e.g., #db-servers).
   - Where should traffic be sent? (SDK Only):
     - Set to Yes: The application embeds the NetFoundry SDK and binds (hosts) the service itself. This is the common choice for zero trust application embedding.
     - Set to No: The service is hosted by a local tunneler or a standalone SDK application running near the resource, which forwards traffic to it. This is the common choice for hosting traditional applications.
   - Select the Protocol (e.g., TCP).
   - Enter the Hostname/IP and Port of the actual application resource that the hosting router will connect to (e.g., 10.0.0.5, port 1433).

   Note: Client attributes (users/devices) should be the identity references (@) or identity attributes (#) that are authorized to dial the service. For more info, see Policies overview.
7. Click Save.
After clicking Save, the system automatically generates all the required underlying configuration objects: the dial and bind service policies, and the intercept and host configuration objects. Your service is now ready to be accessed by authorized identities.
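To make the generated objects concrete, the following added example (not NetFoundry's or OpenZiti's own code) expands the form fields from the steps above into the underlying OpenZiti objects: an intercept.v1 config, a host.v1 config, the service with its role attribute, and the Dial and Bind service policies. Setting either SDK Only option to Yes suppresses the corresponding config, and identity roles are checked for the @/# prefix the note above requires. The JSON shapes follow the OpenZiti intercept.v1 and host.v1 config schemas; the rendered `ziti edge create` commands are included for review only and are not executed. The function and field names are the example's own, and the form values are the guide's sample values.

```python
"""Added example: expand a "simple service" form into OpenZiti objects.
Not NetFoundry/OpenZiti code; object shapes follow intercept.v1 / host.v1."""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class SimpleServiceForm:
    """The console form fields, named as in the guide (example's own names)."""
    name: str                                  # Service Name
    attribute: str                             # service attribute, e.g. "#finance-apps"
    dial_roles: list                           # who may access: "@bob-1" or "#employees"
    bind_roles: list                           # who may host: "#db-servers"
    protocol: str = "tcp"
    intercept_address: Optional[str] = None    # what clients connect to
    intercept_port: Optional[int] = None
    host_address: Optional[str] = None         # the real application resource
    host_port: Optional[int] = None
    access_sdk_only: bool = False              # "How will the service be accessed?" SDK Only
    host_sdk_only: bool = False                # "Where should traffic be sent?" SDK Only


def _role(ref: str) -> str:
    """A role must be an identity reference (@name) or an attribute (#attr)."""
    if not ref or ref[0] not in "@#":
        raise ValueError(f"role {ref!r} must start with '@' or '#'")
    return ref


def build_simple_service(f: SimpleServiceForm) -> dict:
    """Return the generated configs, service and policies as plain dicts.
    SDK-only choices suppress the intercept/host config, as the form describes."""
    configs = {}
    if not f.access_sdk_only:
        if f.intercept_address is None or f.intercept_port is None:
            raise ValueError("intercept address and port are required unless SDK only")
        configs[f"{f.name}-intercept"] = {
            "type": "intercept.v1",
            "data": {
                "protocols": [f.protocol],
                "addresses": [f.intercept_address],
                "portRanges": [{"low": f.intercept_port, "high": f.intercept_port}],
            },
        }
    if not f.host_sdk_only:
        if f.host_address is None or f.host_port is None:
            raise ValueError("host address and port are required unless SDK only")
        configs[f"{f.name}-host"] = {
            "type": "host.v1",
            "data": {"protocol": f.protocol, "address": f.host_address, "port": f.host_port},
        }
    service = {
        "name": f.name,
        "roleAttributes": [f.attribute.lstrip("#")],   # stored without the '#'
        "configs": sorted(configs),
    }
    policies = {}
    for kind, roles in (("Dial", f.dial_roles), ("Bind", f.bind_roles)):
        policies[f"{f.name}-{kind.lower()}"] = {
            "type": kind,
            "semantic": "AnyOf",
            "serviceRoles": [f"@{f.name}"],            # this service only
            "identityRoles": [_role(r) for r in roles],
        }
    return {"configs": configs, "service": service, "servicePolicies": policies}


def ziti_cli_commands(objs: dict) -> list:
    """Render the equivalent `ziti edge create ...` commands for review (not run)."""
    cmds = []
    for name, c in objs["configs"].items():
        cmds.append(f"ziti edge create config {name} {c['type']} '{json.dumps(c['data'])}'")
    s = objs["service"]
    cmd = f"ziti edge create service {s['name']}"
    if s["configs"]:
        cmd += f" -c {','.join(s['configs'])}"
    cmd += f" -a {','.join(s['roleAttributes'])}"
    cmds.append(cmd)
    for name, p in objs["servicePolicies"].items():
        cmds.append(f"ziti edge create service-policy {name} {p['type']} "
                    f"--service-roles '{','.join(p['serviceRoles'])}' "
                    f"--identity-roles '{','.join(p['identityRoles'])}' "
                    f"--semantic {p['semantic']}")
    return cmds


if __name__ == "__main__":
    form = SimpleServiceForm(name="hr-database", attribute="#finance-apps",
                             dial_roles=["#employees"], bind_roles=["#db-servers"],
                             intercept_address="hr-database.ziti", intercept_port=1433,
                             host_address="10.0.0.5", host_port=1433)
    for line in ziti_cli_commands(build_simple_service(form)):
        print(line)
```

Note that the dial policy's service roles reference the service by name (@hr-database) while the identity side uses the attribute you entered, so adding an identity to #employees later grants access without touching the service; the service attribute (#finance-apps) is what you would use instead if you wanted one policy to cover a whole group of services.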