How to Manage Access Controls - ACLs
Purpose
How to Configure Access Controls and Zero Trust Policies in Netmaker.
Introduction to Netmaker Access Controls
Netmaker Access Controls provide a robust mechanism for managing communication across your virtual network. This feature allows administrators to define granular rules governing how devices, users, and network routes interact with one another.

Navigating the Access Control Pane
To begin managing your network permissions, navigate to the Access Control section in the Netmaker dashboard. This pane displays the current list of policies and general network communication settings.
Default Connectivity Settings
In a fresh installation, Netmaker typically includes default controls that permit broad access, effectively allowing any device to communicate with any other resource. These default settings ensure that the network is functional immediately upon deployment. However, to achieve a secure, Zero Trust environment, these broad rules are intended to be replaced with specific, least-privileged access policies that you define based on your security requirements.

Creating Custom User Policies
Netmaker allows for the creation of specific user-based policies to control how different user groups interact with network resources. This granular control is essential for moving away from broad default permissions toward a Zero Trust security architecture.
Initiating a New Policy
To begin creating a rule, navigate to the Access Control pane and click the + Add Policy button located in the top-right corner of the interface.

In the New policy modal, locate the Policy for section and select the Users button. This designates that the access rule will apply to specific user identities or groups rather than device tags.

Configuring Service and Identity
Provide a clear, descriptive Policy name, such as ssh-site-1-access, to identify the rule's purpose. For the Service, select SSH from the dropdown menu; notice that the Port field automatically updates to the standard port 22.

Defining Source and Destination
To complete the policy, you must define the flow of traffic:
Source: Click the Source dropdown and select the relevant group, such as the cloud-overlay User Group.
Destination: Click the Destination dropdown, switch to the Egress Routes tab, and select the target network (e.g., Remote Site Network 192.168.57.0/24).

After clicking Save, the new policy will be listed in the dashboard. To fully secure the network, identify broad default rules—such as those granting "All Users" access to "All Resources"—and click the trash can icon to delete them. This ensures that only the specific permissions you have defined are active.
Grouping Devices with Tag Manager
Netmaker's Tag Manager allows you to create custom labels for groups of devices, significantly simplifying the management of access control policies. By grouping resources under a single tag, you can apply security rules to multiple nodes simultaneously instead of configuring each one individually.
Creating a Custom Device Tag
To begin organizing your infrastructure, navigate to the Tag Manager section in the left-hand sidebar of the Netmaker dashboard.

Inside the Tag Manager, click the + Add Tag button located in the top-right corner to open the creation modal. Follow these steps to define your new device group:
Visual Identification: Select a color tile (e.g., red) to help visually distinguish this group in the dashboard.
Naming: Type a descriptive name into the Name field, such as site-devices.

Next, use the Grouped Devices dropdown menu to select the specific nodes you want to include in this group. For example, you might select site-linux-1 and site-linux-2 to group devices located at a specific physical site.

Once your devices are selected, click the Create Tag button to finalize the group. You can now return to the Access Control pane to use this tag as a destination or source in your network policies, enabling streamlined management of communication rules across your entire deployment.
Advanced Policy Features and Zero Trust
Netmaker provides advanced policy controls that allow for granular device-to-device communication, moving beyond simple user-to-resource rules. By leveraging these features, administrators can implement a Zero Trust architecture where only the minimum required permissions are granted.
Applying Policies to Tagged Resources
Instead of creating individual rules for every machine, you can apply policies to entire groups of devices using the Tag Manager. When creating a new policy, navigate to the Destination selection and select the Tags tab.

By selecting a tag, such as # site-devices, the policy automatically applies to all nodes currently assigned to that tag. You can then define the origin by selecting a specific node from the Devices tab under the Source menu.
Configuring Traffic Directionality
A key feature for device-level policies is the ability to define the flow of traffic. Within the policy configuration window, you can toggle the directionality icons located between the source and destination selections.

Bi-directional: Allows traffic to flow freely between both the source and destination.
One-way: Restricts communication so that only the source can initiate connections to the destination, which is ideal for isolating sensitive infrastructure.
Granular Service and Port Control
To further harden the network, policies should be restricted to specific services. Netmaker offers a pre-defined list of common protocols such as SSH, HTTP, and HTTPS. Selecting one automatically populates the standard port associated with that service.

If a service is not listed, select the Custom option. This allows you to manually define a specific port number, ensuring that only the intended application traffic is permitted through the overlay network.
Transitioning to a Zero Trust Model
By default, Netmaker may allow broad access to facilitate initial setup. To achieve a Zero Trust state, it is recommended to define specific policies for every required communication path and then remove default wide-access rules. You can manage these rules directly from the Access Control dashboard using the toggle switches in the Active column.
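The user-policy steps (source group, egress-route destination, service port), the tag grouping, and the device-level directionality and Active toggle described above, as one added example that is not Netmaker's own code or API: a small Python model of those concepts that checks which flows a policy set permits and flags the any-to-any default rule that a Zero Trust setup deletes. The names cloud-overlay, site-devices, site-linux-1, site-linux-2, ssh-site-1-access and 192.168.57.0/24 come from the page; the users alice and bob, the node ops-box, the selector syntax ("group:", "tag:", "device:", "egress:") and first-match evaluation order are constructed assumptions for the illustration.

```python
"""Added example: a toy model of Netmaker-style ACL policies, not Netmaker code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Standard ports the dashboard fills in when a pre-defined service is selected.
SERVICE_PORTS = {"SSH": 22, "HTTP": 80, "HTTPS": 443}


@dataclass(frozen=True)
class Policy:
    name: str
    source: str           # "*", "group:<user group>", "tag:<device tag>" or "device:<node>"
    destination: str      # "*", "tag:<device tag>", "device:<node>" or "egress:<CIDR>"
    port: Optional[int]   # None means any port (no service restriction)
    bidirectional: bool = False   # False = one-way: only the source may initiate
    active: bool = True           # the Active column toggle in the dashboard


@dataclass
class Network:
    user_groups: Dict[str, Set[str]]   # user group name -> user names
    tags: Dict[str, Set[str]]          # device tag name -> node names (Tag Manager)

    def member_of(self, selector: str, principal: str) -> bool:
        """Does a user name, node name or destination IP fall under a selector?"""
        if selector == "*":
            return True
        kind, _, value = selector.partition(":")
        if kind == "group":
            return principal in self.user_groups.get(value, set())
        if kind == "tag":
            return principal in self.tags.get(value, set())
        if kind == "device":
            return principal == value
        if kind == "egress":
            try:
                return ip_address(principal) in ip_network(value)
            except ValueError:        # principal is a name, not an address
                return False
        return False


def allowed_by(net: Network, policies: List[Policy],
               initiator: str, target: str, port: int) -> Optional[str]:
    """Name of the first active policy permitting initiator -> target:port, else None."""
    for p in policies:
        if not p.active or (p.port is not None and p.port != port):
            continue
        forward = net.member_of(p.source, initiator) and net.member_of(p.destination, target)
        # A bi-directional policy also lets the destination side initiate connections.
        reverse = (p.bidirectional
                   and net.member_of(p.destination, initiator)
                   and net.member_of(p.source, target))
        if forward or reverse:
            return p.name
    return None


def broad_rules(policies: List[Policy]) -> List[str]:
    """Flag active any-to-any, any-port rules: the defaults to delete for Zero Trust."""
    return [p.name for p in policies
            if p.active and p.source == "*" and p.destination == "*" and p.port is None]


# Constructed sample data (assumption): one user group, one device tag, three policies.
NET = Network(
    user_groups={"cloud-overlay": {"alice"}},
    tags={"site-devices": {"site-linux-1", "site-linux-2"}},
)
POLICIES = [
    Policy("all-users-all-resources", "*", "*", None, bidirectional=True),   # broad default
    Policy("ssh-site-1-access", "group:cloud-overlay", "egress:192.168.57.0/24",
           SERVICE_PORTS["SSH"]),
    Policy("ops-to-site-devices", "device:ops-box", "tag:site-devices",
           SERVICE_PORTS["SSH"]),                                           # one-way
]
# The same set after deleting the broad default, as the page recommends.
LEAST_PRIVILEGE = [p for p in POLICIES if p.name not in broad_rules(POLICIES)]


if __name__ == "__main__":
    print("broad rules to remove:", broad_rules(POLICIES))
    for label, rules in (("with default", POLICIES), ("least privilege", LEAST_PRIVILEGE)):
        print(label, "bob -> 192.168.57.10:3389 :", allowed_by(NET, rules, "bob", "192.168.57.10", 3389))
        print(label, "alice -> 192.168.57.10:22  :", allowed_by(NET, rules, "alice", "192.168.57.10", 22))
        print(label, "site-linux-2 -> ops-box:22 :", allowed_by(NET, rules, "site-linux-2", "ops-box", 22))
```

Running the block shows the contrast the page describes: while the any-to-any default is active, every flow matches it, so the narrower policies never decide anything; once it is removed, only SSH from a cloud-overlay user into 192.168.57.0/24 and one-way SSH from ops-box to the tagged site devices remain, and the reverse direction from a site device is denied unless the policy is made bi-directional.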
