
TunHub is a Cloudaware-managed proxy integration designed to ensure a secure connection between customer local network resources and Cloudaware CMDB. This guide explains how to set up TunHub in Cloudaware.

To see the TunHub integration in action, request a demo.


Introduction

For the Cloudaware CMDB collector to discover infrastructure running on a private network, customers must deploy a local proxy. The local collector proxy must have ingress access to the target endpoint and egress access to the Cloudaware TunHub server.

The proxy configuration can be deployed to any Breeze agent that meets the requirements. Up to 2 Breeze agents (active and standby) can be designated to support a single endpoint connection.

...

Customers can set up the TunHub integration using a self-service interface in the Cloudaware Admin panel.

Breeze Setup

Select an existing or new server that has access to the resources in your private network and can communicate with Cloudaware. Follow the steps below to install the Breeze agent:

...

1. Log in to Cloudaware account → Admin Breeze to download the Breeze agent.

2. Install Breeze on this server*.

Server requirements:

Linux only (Ubuntu 14 and newer, CentOS/RedHat/Oracle Linux 6-9, Debian 9 and newer, Amazon Linux*)

CPU: 1

Memory: 256 MB minimum

Storage: 200 MB


*Amazon Linux 2023 is currently not supported for TunHub

Ports:

outbound TCP 443 for Breeze agent (dest: breeze-server.cloudaware.com)

outbound TCP 443 for TunHub (dest: tunhub.cloudaware.com)

...

3. Once Breeze is installed, the server gets access to breeze-server.cloudaware.com and can act as a TunHub proxy.

TunHub Setup

Create A Tunnel

Create a tunnel to grant Cloudaware access to your private network resources. A tunnel should contain one or more routes, which can be added in the next step.

1. Log in to Cloudaware account → Admin.

...

**Primary Channel - Breeze Agent ID of Breeze agent installed on the host (pay attention to this field as it cannot be edited later!)

To locate the Breeze Agent ID, use CMDB Navigator in your Cloudaware account. Locate the server using the specific list view or general Search. Check the field 'Breeze Agent'. The field values may have the following formats:

AWS EC2 Instances - i-XXXXXXXXXXXXXXXXX (=Instance ID)
Azure Virtual Machines - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (=VM ID)
Azure VM Scale Set Instances - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (=VM ID)
vCenter Virtual Machines - vcenter_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX_vm-1111111 (=vCenter ID_Virtual Machine External ID)
Google GCE Instances - 1111111111111111111 (=Google ID)
Physical Servers - ipXX.XX.X.XX_macXXXXXXXXXX (=Name)

***Standby Channel (optional) - Breeze Agent ID of Breeze agent installed on the reserve host. If Primary Channel is unavailable for any reason, Standby Channel will be used for Cloudaware TunHub integration until Primary Channel connection is restored.
 Click .

Note

Primary and Standby Channels must have different public IP addresses.

****Dedicated Port - check this box if it is not possible to have unique public source IP addresses for all egress TunHub connections in your organization. This will assign a dedicated port from the 30000-40000 range (ensure that your firewall allows egress for this range). Otherwise, TunHub listens on port 443 and expects the connection to be established from a unique public IP address.

4. Click Save to test the connection.

5. Review the integration details. The yellow light in 'Primary Channel' means that TunHub is waiting for the local collector proxy (Breeze) to connect.

Then set up routes for your TunHub integration.

Configure Routes

A TunHub integration should have at least one route configured. A route is an entity that maps a private address in your network to one that is reachable by Cloudaware. The route generates an alternate address which customers may use for adding integrations that require a secure connection.


1. Click three dots → Edit Tunnel & Routes +Add Route.

...

...

Note

Each private network resource requires a unique designated route to be configured in Cloudaware TunHub.

2. Fill the form:

...

*Description - the route name (= the resource name, e.g. MyCompany JIRA)

**Remote Host - Domain Name or IP address of the resource in a private network

***Remote Port - the port of the resource in a private network for Cloudaware to access (commonly 443)


3. Click Save. Breeze agent runs every 15 minutes, so allow some time for a route to get the green status and then proceed. 


4. Once the route is pre-configured and ready, get the generated Destination Host and Destination Port to add your integration. For example, for JIRA running on a private network, the Destination Host and Destination Port are used for the URL field required when adding that integration.

Integration Name - Destination Host/Port To Be Used For Field(s)
JIRA - URL (e.g. https://tunhub.cloudaware.com:12345)
vCenter Management Server - URL (e.g. https://tunhub.cloudaware.com:12345)
SCCM - Host (e.g. tunhub.cloudaware.com), Port (e.g. 1245)

5. Go back to reviewing the integration details. The green light in 'Primary Channel' means that TunHub integration has been successfully added. If there is a red light, please contact support@cloudaware.com.

...

If the checkbox 'Managed by Cloudaware' is checked, neither a managed tunnel nor its routes can be edited or deleted by a customer.

API Access

The Cloudaware TunHub integration enables a secure connection to private Kubernetes, VMware, SCCM, Snowflake, Rancher, Jira, and other environments. Customers can use the external Cloudaware API to programmatically request the list of TunHub gateways (tunnels) or routes, change settings for a specific gateway, and swap primary and secondary channels.

Configuration

1. Refer to this guide to generate an API Key and Token.

2. Use external.tunhub.tunnels APIs to send requests.

Sample Requests

  • the initial request to get the list of TunHub gateways (tunnels)

GET https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER

where

TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

...

response example:

...

  • to get the list of routes of a specific TunHub gateway (tunnel) id

GET https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER/routes?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER

where

TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel id from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

...

response example:

...

  • to update name or description of a TunHub tunnel

PUT https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER

where

TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel id from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

...

response example:

...

  • to swap primary and standby channels of a TunHub tunnel

POST https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER/swap-channels?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER

where

TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel id from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

...

response example:

...
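
The four sample requests above carry the token and API key in the URL query string, so any script that logs or prints the URL exposes both. The following is an added example, not Cloudaware's own code: it builds the documented request URLs, validates the tunnel id shape before it reaches the path, and redacts the credentials for logging. The function names are hypothetical, the id pattern is an assumption based on the format shown on this page, and the request body for the update call is not shown on this page, so the caller supplies it.

```python
import re
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Base URL and path suffixes are copied from the sample requests on this page.
BASE = "https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels"
# Assumption: tunnel ids follow the 8-4-4-4-12 shape shown on this page.
TUNNEL_ID = re.compile(r"^[0-9a-zA-Z]{8}(-[0-9a-zA-Z]{4}){3}-[0-9a-zA-Z]{12}$")
SECRET_PARAMS = {"token", "key"}
ROUTES = {
    "list_tunnels": ("GET", ""),
    "list_routes": ("GET", "/{id}/routes"),
    "update_tunnel": ("PUT", "/{id}"),
    "swap_channels": ("POST", "/{id}/swap-channels"),
}

def build_request(action, token, key, tunnel_id=None, sandbox=False):
    """Return (method, url) for one of the four documented TunHub calls."""
    method, suffix = ROUTES[action]
    if "{id}" in suffix:
        # Reject anything that is not id-shaped so it cannot alter the path.
        if not tunnel_id or not TUNNEL_ID.match(tunnel_id):
            raise ValueError("tunnel_id is missing or not in the expected format")
        suffix = suffix.format(id=tunnel_id)
    query = urlencode({"token": token, "sandbox": str(sandbox).lower(), "key": key})
    return method, f"{BASE}{suffix}?{query}"

def redact(url):
    """Mask token and key so the URL is safe to write to logs."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def call(action, token, key, tunnel_id=None, body=None):
    """Send the request; failures are reported with the redacted URL only."""
    method, url = build_request(action, token, key, tunnel_id)
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except Exception as exc:
        # 'from None' drops the chained exception so no raw URL is attached.
        raise RuntimeError(f"{method} {redact(url)} failed: {type(exc).__name__}") from None

if __name__ == "__main__":
    # Constructed placeholder credentials and tunnel id; nothing is sent.
    m, u = build_request("list_routes", "tok-123", "key-456",
                         "1abc1d11-1111-11ef-11a1-1111b11c11d1")
    print(m, redact(u))
```
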