Configure ZTNA for hosted resources with Azure container instances

In this topic, you will learn how to configure Portnox™ Zero Trust Network Access to allow your users to access your private console resources hosted in Microsoft Azure and accessible within an Azure private network, by using a Docker container in an Azure container instance.

In this scenario:

  • You want your on-premises and remote users to be able to access private console resources that are hosted in Azure.

  • You need to host a Portnox Docker container in Azure, for example, in Azure container instances, and in the same Azure virtual network as the hosted console resources.

We assume that you have already configured Azure, a virtual network in Azure, and that you already run a hosted console resource, accessible via a dedicated port within your Azure local network. We also assume that you already distributed certificates to your client devices.

Set up the ZTNA gateway in Portnox Cloud

In this section, you will set up a ZTNA gateway in Portnox Cloud, create a container instance in Azure, and run the Portnox ZTNA Docker container.

  1. In the top menu of Portnox Cloud, select the Zero Trust Resources > Gateways option. Then, on the Gateways screen, click on the + Create gateway button.

  2. On the Create gateway screen, enter a name for this gateway in the Gateway friendly name field, and in the Region field, select either US Node or EU Node. Then, click on the Create gateway and generate Docker commands button.

  3. In the Provision container step, click on the Copy command link under the displayed Docker command to copy the command to the clipboard.

    Then, save this command in a notepad. You will need it later.

  4. Create an Azure container instance:
    1. In the Azure portal, in the top-bar search field, type: container instances and then click on the Container instances entry below.

    2. On the Container instances pane, click on the Create button to create a new container instance.

    3. On the Create container instance pane, select and enter your details as required, and in the Image source field, select the Other registry option.

    4. In the Image type field, select the Private option, in the Image field, type portnox/ztna-gateway:latest, in the Image registry login server, type index.docker.io, and in the Image registry user name and Image registry password fields, type your credentials for a free Docker Hub account.
      Note:
      You can also select a Public registry, but Docker Hub has introduced a pull rate limit on Docker images, which may impact the creation of your container instance if not using a Docker Hub account.

    5. In the Networking tab, select the existing virtual network, and in the Ports section, delete the default port, enter port 41641, and select protocol UDP.

      Important:
      Make sure to select the same virtual network that you use to host your web application. This is necessary so that the Docker image and the web application can communicate within the local network.
    6. In the Advanced tab, in the Environment variables section, add the following environment variables:
      APIUSER The value in the Docker command after the APIUSER= string (see previous step)
      APIKEY The value copied from the API token section in Portnox Cloud by clicking the  ⧉  icon.
      GWID The value in the Docker command after the GWID= string
      USERSPACE_NETWORKING 1

      For example:

      Docker command:

      Environment variables:

    7. In the Review + create tab, click on the Create button to create the container instance.

Set up the ZTNA resource in Portnox Cloud

In this section, you will set up a ZTNA resource in Portnox Cloud and configure it to access your private console resource hosted in the same virtual network as the Docker container.

  1. In the top menu of Portnox Cloud, select the Zero Trust Resources > Resources option. Then, on the Resources screen, click on the + Create resource button.

  2. In the Resource type step, select the Console resource option, the relevant Protocol, and then the Choose an existing gateway option. In the Gateway field, select the gateway that you have just created.
    Note:
    Currently, Portnox Cloud supports the following protocols for console resources: Remote Desktop Protocol (RDP), Secure Shell (SSH), Virtual Network Computing (VNC), and Telnet.

  3. In the Details step, in the Resource Name field, enter the name for this resource and optionally the Resource Description.
    Note:
    The Resource Name must be a valid subdomain name, because the URL will be constructed using this name. You should only use lowercase letters, digits, and hyphens.

    Result: If you want to use the Portnox URL, you can copy the URL for your resource by clicking on the  ⧉  icon.

    Note:
    Make sure to check if your web resource will accept connections when accessed using this URL. If your web security solution has an anti-CSRF feature, you will need to configure it to allow this URL.
  4. Optional: If you want to use a URL in your own domain for the resource:
    1. Activate the Use a custom URL linked to an SSL certificate checkbox.

    2. In the Upload SSL certificate section, click on the Select file button, and upload the certificate and private key for the custom URL (in the PKCS #12 format). Then, enter the password for the private key in the Certificate password field, and click on the Apply certificate button.

      Note:
      You must acquire the specific subdomain certificate from the relevant certificate authority, or you can use a wildcard certificate for all your subdomains.
    3. Verify the details displayed for the certificate.

    4. If you are using a certificate with multiple domains/subdomains or a wildcard certificate, in the Domain field, select the relevant domain for your resource’s URL, and in the Suffix field (if active – only for wildcard certificates), enter the subdomain.

      In this example, your resource URL will be: privateapp.vorlon.com.

    1. In your DNS server, add a canonical name record for your resource’s URL.

      For example, in the BIND server, enter the following record:

      privateapp.vorlon.com. IN CNAME privateapp.us.portnox.com.
  5. In the Network details section, enter the details of the hosted resource in the Hostname or IP Address and Port fields.
    Note:
    By default, the Port field is pre-filled with the port number that is typical for the selected protocol. For example, port 22 for SSH. Unless your server is running on a non-standard port, keep the default port number.
    Note:
    Use the IP address and port configured in your Azure instance that hosts your resource. Ensure that the Docker container and the web application instance use the same Azure virtual network.

  6. Depending on the Protocol that you selected earlier, configure additional options available for that protocol.

    For comprehensive information about options available for different protocols, see the following topic: ZTNA console application configuration options.

  7. Click on the Next button.
  8. Optional: In the Enforcement step, change the setting to Override with custom policy and then select a risk assessment policy if you want to control access to this resource using a custom risk assessment policy.
  9. Click on the Add resource button to save your configuration.

Result: Your users can now access your private console resource by typing the URL in the browser.

Note:
When accessing a ZTNA console resource, you must first open it in the browser. The browser displays a login page where you enter your credentials. After logging in, access works as follows:
  • For most protocols, the session runs directly in the browser. Third-party clients are not supported – you cannot use, for example, PuTTY for SSH or Telnet, or TightVNC for VNC.
  • For RDP, the browser login page also shows a Download RDP file button, which lets you connect using your RDP client of choice instead of the browser.

Configure the hosted application access control policy

In this section, you will configure the access control policy for groups that you want to have access to this hosted application.

  1. In the Cloud portal top menu, click on the Groups option.

  2. Select a group that you want to configure, click on the  ⋮  icon at the end of the row that represents the group, and then select the Group policies option.

    Note:
    Repeat this step and the next steps for any other groups that you want to be able to access hosted applications.
  3. Scroll down to the ZTNA Resources section.
  4. Optional: If needed, change the System Default Policy in the Hosted resources drop-down menu to another access control policy. Then, click on the Save button on the bottom of the page to save your changes.
  5. Optional: To configure the selected access control policy, follow the steps in this topic: Create or edit an access control policy