This article explains how to use the Service Listener feature to provide access to edge services through a node’s (previously iNode's) WAN interface. Service listeners are created at the node level for existing or future services.
Prerequisites
Before you configure a service listener, verify the following conditions are met:
- Organization Policy: Your organization must have the service listener policy enabled. To activate this feature, contact Neeve Support at [email protected].
- User Permissions: Service listeners can be created by users with SERVICE-ADMIN, NODE-ADMIN, SUPPORT, SUPERADMIN, and ADMIN roles.
- Node Version: The Service Listener feature is supported on node version 2641.0.3 and later. Ensure your node is upgraded to this version to use this feature.
- Network Configuration: On the node details page, ensure that in Add Network settings, the Default Destination field is set to WAN.
- Firewall Configuration: Ensure the network where the node is deployed has the necessary firewall rules to permit access to the node’s WAN interface.
- Virtual Edge Node Firewall Policy Configuration: Ensure that the firewall policy for Virtual Edge Nodes (formerly Virtual Edge iNode) is configured correctly. Use network tags in the edge instance network to allow access.
Refer to the example use case at the end of this article.
Create a service listener
To create a service listener:
- In the Secure Edge Portal, select Nodes > All Nodes, and then select the Virtual Edge Node to open its details page.
- Select the Service Listeners tab, and then select the plus icon (+).
- On the Add Listener page, select the service and enter a name for this listener. Ensure the Service Selector field matches the exact name of the service you are deploying the listener for. The service name is case-sensitive.
  - If the service already exists, access is granted immediately.
  - If you still need to create the service with the configured name (label), you can create the service listener in advance. Access will be granted once the service is created.
- Specify the single or multiple port configuration:
  - Node Port: a Node Port value can be used only once across all services on a node. Valid port range: 1024-32767.
  - Port: the port the edge service listens on.
- Select the Protocol for WAN access: TCP or UDP
- In the Allow Access From field, specify up to five IP addresses in CIDR notation that are allowed access to the service. If left blank, access is allowed to all IP addresses. We recommend configuring this to restrict access.
- Select Save to create the service listener.
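The portal enforces the constraints above when you save. As an added pre-flight check (not part of the product or this article), the following script validates a listener definition against the rules stated here: exact, case-sensitive service selector, a Node Port that is unique per node and within 1024-32767, TCP or UDP, and at most five CIDRs in Allow Access From, warning when the field is blank. The dict keys, the `EXAMPLE` values and the `known_services` argument are assumptions for illustration.

```python
import ipaddress

NODE_PORT_MIN, NODE_PORT_MAX = 1024, 32767   # allowed Node Port range from the article
MAX_ALLOWED_CIDRS = 5                        # Allow Access From holds at most five CIDRs
PROTOCOLS = {"TCP", "UDP"}

def validate_listener(listener, existing_node_ports, known_services=None):
    """Check one listener definition; returns (errors, warnings).
    listener: dict with service_selector, node_port, protocol, allow_access_from.
    existing_node_ports: node ports already used by other listeners on this node.
    known_services: optional set of service names that already exist (assumed input).
    """
    errors, warnings = [], []
    selector = listener.get("service_selector") or ""
    if not selector:
        errors.append("service selector is required")
    elif known_services is not None and selector not in known_services:
        # the selector is case-sensitive: 'edgeservice' never matches 'Edgeservice'
        near = [s for s in known_services if s.lower() == selector.lower()]
        if near:
            errors.append(f"selector {selector!r} differs only in case from {near[0]!r}")
        else:
            warnings.append(f"service {selector!r} does not exist yet; access starts once it is created")
    node_port = listener.get("node_port")
    if not isinstance(node_port, int) or not NODE_PORT_MIN <= node_port <= NODE_PORT_MAX:
        errors.append(f"node port must be an integer in {NODE_PORT_MIN}-{NODE_PORT_MAX}")
    elif node_port in existing_node_ports:
        errors.append(f"node port {node_port} is already used by another listener on this node")
    if listener.get("protocol") not in PROTOCOLS:
        errors.append("protocol must be TCP or UDP")
    cidrs = listener.get("allow_access_from") or []
    if len(cidrs) > MAX_ALLOWED_CIDRS:
        errors.append(f"at most {MAX_ALLOWED_CIDRS} CIDRs are allowed in Allow Access From")
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 203.0.113.5/24
        except ValueError:
            errors.append(f"invalid CIDR: {cidr!r}")
            continue
        if net.prefixlen == 0:
            warnings.append(f"{cidr} admits every source address")
    if not cidrs:
        warnings.append("Allow Access From is blank: any WAN source may reach the service")
    return errors, warnings

# Constructed input matching the article's GCP scenario: service Edgeservice on port 8080.
EXAMPLE = {"service_selector": "Edgeservice", "node_port": 8080, "protocol": "TCP",
           "allow_access_from": ["203.0.113.0/24"]}
```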
Update a service listener
You can edit an existing service listener to change its listener ports and allowed access; access is updated according to the new configuration.
- From the Service Listeners tab, click the three-dot menu on the listener entry, and select Edit.
- On the Edit Listener page, modify the listener name, ports, and allowed access, as needed.
- Select Update to save your changes.
View service listener status
- On the Service Listeners tab, expand the listener entry to display the port configuration state.
- Click the three-dot menu and select View Status to display the status page. Org Admin users do not have access to the View Listener Status page.
- To view the hit counter values, enable the Security Policy Hit Counter toggle in Network > Security options. You must enable this toggle for both TAN and WAN networks to get the correct hit counter values.
Delete a service listener
To delete a service listener, go to the Service Listeners tab and select Delete Listeners. Once the listener is deleted, external access to the service is revoked.
Service listener configuration example
This example shows how to configure a service listener on a Virtual Edge Node in Google Cloud Platform (GCP).
Scenario: An edge service named Edgeservice is running on port 8080. The goal is to access this service from the internet through the node WAN interface on port 8080, which has a globally exposed IP address.
Add network tags
Add the necessary network tags during instance creation or edit.
- Follow the instructions in Provision and launch Virtual Edge Nodes with GCP to bring up the Virtual Edge Node. The example figure shows a node named demo-gcpnode.
- In the Networking > Network tags field, add the network tag (e.g., serviceaccess). Note that HTTP/HTTPS traffic is enabled in the firewall configuration.
- Once the node is created, the configuration details show the network tags attached to the instance. The example below shows the tags http-server and https-server along with the user-defined tag serviceaccess.
Associate the firewall policy with the node using network tags
- From the GCP menu, select VPC Network > Firewall.
- Complete the following fields:
  - Provide a name and description for the firewall rule.
  - Set the desired priority and action (allow/deny) options.
  - In the Target tag field, enter the network tag associated with the instance; in our example, serviceaccess.
  - In the Source IPv4 ranges field, add the list of IP addresses that are allowed to access the service. (Depending on the previous configuration, you can also provide a deny list. Refer to the GCP documentation for guidance.)
  - Configure the appropriate ports for access.
- On the Network interface details page, confirm the new firewall rule is listed with the default rules that GCP created.
Configuration in Secure Edge Portal
The example figure shows the new service listener EdgeService in the Secure Edge Portal. EdgeService will be accessible from the IP addresses specified in the Allow Access From field, using the public IP of the GCP instance on port 8080.