ACLs and Tag Management

Easily manage network access with the new Netmaker ACLs

With the latest ACL feature in Netmaker, managing network access has never been easier. This powerful addition allows network administrators to control communication between devices by defining policies that restrict or allow access.

What is an ACL?

An Access Control List (ACL) is a set of rules that specify which users or devices are allowed or denied communication within a network. ACLs are used by network administrators to control traffic flow, ensuring that only authorized entities can access or interact with certain network resources, enhancing overall network security.

There are two main types of ACL policies: User Policies and Resource Policies.

User Policies

This type of policy controls which users can access or interact with specific network devices (e.g., servers, databases, gateways). It ensures that only authorized users have permission to access sensitive devices or services.

Example: Grant access to a DevOps team for database servers while restricting other teams' access to the same resources. This ensures only authorized users can access sensitive resources, improving network security.

Resource Policies

This policy controls which devices (like servers, web applications, databases, or gateways) can communicate with each other. It restricts or permits communication between devices based on the network's security needs.

Example: A web server might be allowed to communicate with a database server but blocked from connecting to other devices, such as file storage servers or printers. This limits unnecessary or unauthorized traffic between devices, enhancing network security and performance.

Default Policies

The Default Policies are automatically generated whenever a new network is created, enabling unrestricted two-way communication between users and resources, as well as between resources themselves. These policies ensure full connectivity during the initial setup.

  1. All Nodes: Enables all resources (e.g., servers, gateways) to communicate freely with one another in both directions.

  2. All Remote Access Gateways: Allows remote access gateways (remote-access-gws) to communicate with all resources and vice versa.

  3. All Users: Grants all users full access to all resources, ensuring open two-way communication.

  4. Network Admin: Grants users in the netmaker Admin Group and the All Networks Admin Group full two-way communication with the remote access gateways (remote-access-gws) and associated resources.

  5. Network User: Grants users in the netmaker User Group and the All Networks User Group unrestricted access to remote access gateways (remote-access-gws) and associated resources in both directions.

How to Add ACLs in Netmaker

Once you're in the ACL tab, you'll see a list of all the ACLs for the entire network. From here, you can enable or disable any ACL. And if you want to add a new policy, just click on Add Policy.

Here, you can define a custom rule by specifying:

  • Policy For: Choose whether the policy applies to resources (controlling device access) or users (managing user permissions).

  • Rule Name: Give the rule a clear name, like "api-gateway-access" or "devops-team".

  • Source and Destination: Select the source and destination entities to control which nodes can communicate. Tags are available to help group nodes and apply rules more efficiently.

  • Enable Policy: Toggle this switch to activate or deactivate the policy.

Once configured, click Save Policy to apply the policy.

To enable communication between peers in the same group, add the group to both the Source and Destination fields.

How to Update ACLs in Netmaker

Identify the ACL policy you want to update, click on the three dots, and choose the "Edit" option.

After selecting "Edit," make the necessary adjustments to the ACL policy settings based on your requirements.

How to Remove ACLs in Netmaker

Identify the ACL policy you want to remove, hover over the three dots, and select the "Remove" option.

Tag Management (Pro)

Tag your devices for easy management within the network.

Tag Management in Netmaker enables administrators to organize and manage devices within a network by applying tags. Tags simplify the process of grouping, categorizing, and managing nodes, making network management more efficient and scalable.

What is Tag Management?

Tags are labels that can be assigned to devices in a network. Instead of managing nodes individually, you can group them by assigning tags that reflect their roles, environments, or other relevant attributes. This categorization helps streamline administrative tasks, such as access control, resource allocation, and policy enforcement.

With Netmaker's Tag Management, administrators gain the ability to easily group and manage devices, improving both security and operational efficiency.

Key Features of Tag Management

  • Tagging devices: Administrators can assign tags to devices either manually or automatically.

  • Peer Auto-grouping: Devices can be automatically grouped based on the enrollment key used when they join the network.

  • Efficient Management: Grouping devices by tags makes it much easier to apply policies, manage resources, or enforce network segmentation based on categories.

PRO Feature: Tag management is available as part of the Netmaker PRO offering, enabling advanced network management capabilities.

How to Use Tag Management

Administrators can tag devices either during or after their enrollment into the network.

Tagging Devices from the Node Interface

  • Since v0.90.0, administrators can now tag devices directly from the node interface. Simply navigate to the node interface, select the device you wish to tag, and click Update tags.

  • Assign the appropriate tag from the available options.

Manually Grouping Devices

  1. Open Tag Manager: Go to the Tag Manager interface to add one or more tags.

  2. Select Devices: Select the device(s) you want to assign to a specific tag or group. Since version 0.90.0, admins also have the option to select a color for the tag, providing a visual distinction for easier organization.

  3. Create Tag: Click on "Create Tag" to generate the tag.

Automatically Grouping Devices via Enrollment Keys

  1. Create or Edit Enrollment Key: Create an Enrollment Key or edit an existing one in the Enrollment Keys screen.

  2. Associate Tag: Associate the enrollment key with a specific tag.

  3. Modify if Needed: You can also modify an existing Enrollment Key.

  4. Automatic Grouping on Join: Any new device joining the network with this key will automatically be grouped with the defined tags or groups.

Use Cases for Tag Management

  • Network Segmentation: Tagging can be used to logically segment devices based on their role, location, or environment. For example:

    • tags: “prod”, “dev”, “staging”

    • tags: “internal”, “external”, “frontend”, “backend”, “web-servers”, “file-servers”

  • Access Control: Tags simplify the process of applying Access Control Lists (ACLs) to groups of devices. For instance, all devices tagged as "external" can be denied access to certain internal services, while "internal" devices are granted full access.

  • Node Identification: Tags make it easier to identify devices with specific characteristics, such as location, purpose, or criticality (e.g., “critical”, “backup”).
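The following added example (not Netmaker code; it is a simplified model written for this page) shows how the Source/Destination policies from "How to Add ACLs" combine with tags to produce the "external denied, internal granted" segmentation in the Access Control use case above. It assumes allow-list semantics: traffic passes only when some enabled policy selects the sender as a source and the receiver as a destination, and a policy covers one direction, which is why a group must appear in both fields for peers to talk. The node names, tags and policies are constructed sample data; `*` is a wildcard standing in for the "All Nodes" default policy.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard selector, stands in for the "All Nodes" default policy

@dataclass(frozen=True)
class Node:
    name: str
    tags: frozenset

@dataclass
class Policy:
    name: str
    source: frozenset       # tags the traffic may originate from
    destination: frozenset  # tags the traffic may reach
    enabled: bool = True    # the Enable Policy toggle in the ACL tab

def _selects(selector, node):
    """A selector matches a node if it is the wildcard or shares a tag with it."""
    return ANY in selector or bool(selector & node.tags)

def allowed(src, dst, policies):
    """Allow-list model: src may send to dst only if some enabled policy
    selects src as a source and dst as a destination."""
    return any(p.enabled and _selects(p.source, src) and _selects(p.destination, dst)
               for p in policies)

def two_way(a, b, policies):
    """Peers can talk only if each direction is covered (hence the advice to
    put a group in both Source and Destination)."""
    return allowed(a, b, policies) and allowed(b, a, policies)

# Constructed sample network: tags drive the rules, not individual nodes.
WEB = Node("web", frozenset({"internal", "web-servers"}))
DB = Node("db", frozenset({"internal", "backend"}))
STORAGE = Node("storage", frozenset({"internal", "file-servers"}))
KIOSK = Node("kiosk", frozenset({"external"}))

POLICIES = [
    Policy("All Nodes", frozenset({ANY}), frozenset({ANY}), enabled=False),  # default, switched off
    Policy("internal-full", frozenset({"internal"}), frozenset({"internal"})),
    Policy("external-web-only", frozenset({"external"}), frozenset({"web-servers"})),
]

def segmentation_report(policies=POLICIES):
    """Map every ordered node pair to allow/deny, to review a change before saving it."""
    nodes = [WEB, DB, STORAGE, KIOSK]
    return {(a.name, b.name): allowed(a, b, policies)
            for a in nodes for b in nodes if a is not b}

if __name__ == "__main__":
    for pair, ok in sorted(segmentation_report().items()):
        print(f"{pair[0]:>8} -> {pair[1]:<8} {'allow' if ok else 'deny'}")
```

Re-enabling the disabled "All Nodes" policy reopens every pair, which is the quickest way to confirm that the default policy, not a custom rule, is what grants blanket access.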

Best Practices for Tag Management

  • Use Descriptive Tag Names: Ensure that tag names are clear and descriptive, such as “dev”, “prod”, “external”, or “critical”.

  • Consistent Tagging: Establish consistent naming conventions to avoid confusion. For example, use lowercase letters and hyphens or underscores to separate words (e.g., “ext-client” vs. “extClient”).

  • Document Tag Purposes: Keep a record of what each tag is used for, so other administrators or team members can quickly understand its purpose.
