Socket Auto-creation Rules
The Auto-Creation of Sockets feature is designed to streamline and automate the process of socket creation based on predefined rules. This feature enhances the efficiency of the Border0 system, reducing the need for manual intervention when creating new sockets.
With this feature, you can establish rules that dictate when and how new sockets are created. For example, you can set a rule to create a new socket whenever a certain condition is met. At present, we support EC2, ECS, and RDS rules. These rules can be set up to attach a policy to the created sockets automatically. You also have the option to configure a tag or label to match. For instance, this allows you to auto-create sockets for EC2 instances with a tag labeled border0: true.
The Auto-Creation of Sockets feature leverages the service discovery capabilities of connector plugins. When a plugin discovers a new potential service, it will evaluate the configured auto-creation rules. If the conditions of a rule are met, a new Socket is automatically created and exposed as a new Border0 Socket.
Beyond the automatic creation of sockets, Border0 also offers automatic Socket deletion. Specifically, if a plugin is disabled, the associated Sockets are deleted automatically, and if a label no longer matches the rule, the previously created Socket is deleted automatically. Auto-creation rule evaluation, and thus creation and deletion, happens on each refresh interval of the plugin.
Remember, the power of Auto-Creation of Sockets lies in the rules you create. So, it's important to carefully define your rules to align with your infrastructure needs.
At a high level, the following is what is needed and how the auto-creation process works.
- Auto-creation rules: this is where you define what kind of targets will be evaluated for automatic Socket creation, optionally with label filters and the Policy that will be applied to the auto-created Socket.
- A connector
- Discovery plugin: for each connector, you can enable one or more discovery plugins. These plugins scan for and discover, for example, EC2 instances. Each plugin can be configured with filters and a scan interval.
- Attach auto-creation rule(s) to a connector: now that we have provisioned auto-creation rules (step 1) and have discovered resources (step 3), we can attach the auto-creation rules to the connector. This means that on every discovery scan interval, the Border0 system evaluates the auto-creation rules and creates or deletes Sockets based on the rule set and the discovered resources.
1 - Create your auto creation rule
First, navigate to the connectors page. Click on the "Socket Autocreation Rules", followed by the "New Autocreation Rule" button. You'll be directed to a page where you can select the type of predefined rule for your socket. These rules can later be used for any connector in your organization.
After creating the rules, you can now attach them to your connector. Remember, you can attach as many rules as needed.
Notice that per rule, you can configure which Policies will be applied to the auto-created Sockets. Also note that you can match by tag (key/value); this lets you control which resources are considered for socket auto-creation. The auto-creation rule applies only if the tags match the rule, or when the rule configures no tags (meaning any tag).
Predefined auto-creation Rules
Currently, the auto-creation rule feature in our system supports a variety of services including EC2, ECS, EKS, and RDS. This means you can establish rules that will automatically create new sockets when certain conditions related to these services are met.
EC2
- Private Network Reachability: Create sockets for EC2 instances that can be reached over a private IP or private DNS name. The connector will use 'EC2 Instance Connect' to connect to the upstream EC2 instance.
- Public Network Reachability: Create sockets for EC2 instances that can be reached over a public IP or public DNS name. The connector will use 'EC2 Instance Connect' to connect to the upstream EC2 instance.
- SSM Online: Create sockets for EC2 instances that have registered with AWS Session Manager. The connector will use 'SSM' to connect to the upstream EC2 instance.
ECS
Create sockets for ECS services. The connector will use 'SSM' to connect to the ECS service.
EKS
Establish sockets for EKS clusters that have reachable Kubernetes endpoints.
RDS: MySQL
Create sockets for MySQL RDS instances.
RDS: Postgres
Create Sockets for PostgreSQL RDS instances.
2 - Attach rules to the connector
Go back to the connectors page and select your connector. Remember, auto-creation only works when discovery plugins are enabled, so make sure you enable at least one Discovery plugin.
Next, let's validate that resources are being discovered by clicking on the "Discovery" tab.
From the "Autocreation Rules" tab, click on the "Attach" button. Here, you can select as many rules as you want and set their priority. The priority is in ascending order, meaning '1' has higher priority than '2'. In other words, rule '1' will be evaluated first, and only if this rule doesn't result in a match, will the next rule be evaluated.
After setting the priority, make sure to save your changes. Once saved, the rules will be applied to your connectors accordingly. The system will automatically create sockets based on these rules and the service discovery capabilities of your connector plugins. Remember, it may take a bit before sockets are created, as the evaluation of rules and the auto-creation logic runs after every 'scan interval'. The scan interval can be configured in the settings of each discovery plugin.
When a plugin discovers a new potential service, it triggers the auto-creation rules. If the conditions of a rule are met, a new Socket is automatically created and exposed as a new Border0 Socket.
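The evaluation described above (rules tried in ascending priority with the first match winning, a rule with no tags matching any resource, and Sockets deleted on the next scan interval when the plugin is disabled or the label no longer matches) is modelled here as an added example. This is not Border0's own code; the rule names, resource ids, tags and policy names are constructed for illustration.

```python
# Added example (not Border0 code): a small model of how prioritized
# auto-creation rules with tag filters are evaluated on each scan interval.
# All rule names, resource ids, tags and policy names below are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    priority: int                  # 1 is evaluated before 2
    kind: str                      # predefined rule type, e.g. "ec2-private"
    policies: list[str]            # policies attached to auto-created sockets
    match_tags: dict[str, str] = field(default_factory=dict)  # empty = any tags

    def matches(self, res: "Resource") -> bool:
        if res.kind != self.kind:
            return False
        # every configured key/value pair must be present on the resource
        return all(res.tags.get(k) == v for k, v in self.match_tags.items())


@dataclass
class Resource:
    id: str
    kind: str
    tags: dict[str, str]


def pick_rule(res: Resource, rules: list[Rule]) -> Optional[Rule]:
    """First match in ascending priority order wins; later rules are skipped."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(res):
            return rule
    return None


def reconcile(discovered, rules, existing, plugin_enabled=True):
    """One scan-interval pass.

    existing: {resource_id: socket_name} for sockets created by earlier passes.
    Returns (to_create, to_delete):
      to_create: {resource_id: (socket_name, policies)}
      to_delete: sorted resource ids whose socket should be removed.
    """
    if not plugin_enabled:
        # plugin disabled -> every socket it created is removed
        return {}, sorted(existing)
    to_create, keep = {}, set()
    for res in discovered:
        rule = pick_rule(res, rules)
        if rule is None:
            continue
        keep.add(res.id)
        if res.id not in existing:
            to_create[res.id] = (f"{rule.name}-{res.id}", list(rule.policies))
    # sockets whose resource no longer matches any rule (e.g. tag changed)
    to_delete = sorted(rid for rid in existing if rid not in keep)
    return to_create, to_delete


RULES = [
    Rule("ec2-tagged", 1, "ec2-private", ["ssh-admins"], {"border0": "true"}),
    Rule("ec2-any", 2, "ec2-private", ["ssh-readonly"]),
    Rule("rds-mysql", 3, "rds-mysql", ["db-users"]),
    Rule("ec2-public-tagged", 4, "ec2-public", ["ssh-admins"], {"border0": "true"}),
]

# constructed discovery result for one scan interval
DISCOVERED = [
    Resource("i-0aaa", "ec2-private", {"border0": "true"}),   # matches rule 1 and 2; 1 wins
    Resource("i-0bbb", "ec2-private", {"border0": "false"}),  # only rule 2 (any tags)
    Resource("i-0ccc", "ec2-private", {"border0": "true"}),   # already has a socket
    Resource("db-0ddd", "rds-mysql", {}),
    Resource("i-0fff", "ec2-public", {"border0": "false"}),   # tag changed; no longer matches
    Resource("svc-0eee", "ecs", {"border0": "true"}),         # no ECS rule attached
]

# sockets created by an earlier pass (constructed)
EXISTING = {"i-0ccc": "ec2-tagged-i-0ccc", "i-0fff": "ec2-public-tagged-i-0fff"}


if __name__ == "__main__":
    create, delete = reconcile(DISCOVERED, RULES, EXISTING)
    print("create:", create)
    print("delete:", delete)
```

Running the block creates sockets for i-0aaa (with the stricter rule 1 policy), i-0bbb (rule 2, read-only policy) and db-0ddd, leaves i-0ccc alone, and deletes the socket for i-0fff whose tag no longer matches; passing plugin_enabled=False deletes every existing socket instead.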
That's it!
Congrats! Your services are now auto-discovered, and with the Auto Creation feature, new Sockets will automatically be created based on your pre-configured rules. Magic! ✨