TunHub Integration
TunHub is a Cloudaware-managed proxy integration designed to ensure a secure connection between customer local network resources and Cloudaware CMDB. This guide explains how to set up TunHub in Cloudaware.
To see the TunHub integration in action, request a demo.
Introduction
In order for Cloudaware CMDB collector to discover infrastructure running on the private network, customers must deploy a local proxy. Local collector proxy must have ingress access to the target endpoint and egress access to the Cloudaware TunHub's server.
Proxy configuration can be deployed to any Breeze agent that meets requirements. Up to two Breeze agents (active and standby) can be designated to support single endpoint connection.
Customers are able to set up the TunHub integration using a self-service interface in Cloudaware Admin panel.
Breeze Setup
Select any existing or a new server that has access to the resources in your private network and may communicate to Cloudaware. Follow the steps below to install Breeze agent:
1. Log in to Cloudaware account → Admin → Breeze to download the Breeze agent.
2. Install Breeze on this server*.
Server requirements:
Linux only (Ubuntu 14 and newer, Centos/RedHat/Oracle Linux 6-9, Debian 9 and newer, Amazon Linux*) CPU: 1 Memory: 256 MB minimum Storage: 200 MB *Amazon Linux 2023 is currently not supported for TunHub | Ports: outbound TCP 443 for Breeze agent (dest: breeze-server.cloudaware.com) outbound TCP 443 for TunHub (dest: tunhub.cloudaware.com) |
3. Once Breeze is installed, the server gets access to breeze-server.cloudaware.com and may act as TunHub proxy.
TunHub Setup
Create A Tunnel
Create a tunnel to grant Cloudaware access to your private network resources. A tunnel should contain one or more routes, which can be added on the next step.
1. Log in to Cloudaware account → Admin.
2. Find TunHub in the list of integrations. Click +Add.
3. Fill in the required information:
*Description - the integration name
**Primary Channel - Breeze Agent ID of Breeze agent installed on the host (pay attention to this field as it cannot be edited later!)
To locate Breeze Agent ID, use CMDB Navigator in your Cloudaware account. Locate the server using the specific list view or general Search. Check the field 'Breeze Agent'. The field values may be of the following formats:
AWS EC2 Instances - i-XXXXXXXXXXXXXXXXX (=Instance ID)
Azure Virtual Machines - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (=VM ID)
Azure VM Scale Set Instances - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (=VM ID)
vCenter Virtual Machines - vcenter_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX_vm-1111111 (=vCenter ID_Virtual Machine External ID)
Google GCE Instances - 1111111111111111111 (=Google ID)
Physical Servers - ipXX.XX.X.XX_macXXXXXXXXXX (=Name)
***Standby Channel (optional) - Breeze Agent ID of Breeze agent installed on the reserve host. If Primary Channel is unavailable for any reason, Standby Channel will be used for Cloudaware TunHub integration until Primary Channel connection is restored.
Primary and Standby Channels must have different public IP addresses.
****Dedicated Port - check this box if it is not possible to have unique public source IP addresses for all egress TunHub connections in your organization. This will assign a dedicated port out of 30000-40000 range (ensure that your firewall allows egress for this range). Otherwise, TunHub listens on port 443 and expects the connection to be established from a unique public IP address.
4. Click Save to test the connection.
5. Review the integration details. The yellow light in 'Primary Channel' means that TunHub is waiting for the local collector proxy (Breeze) to connect.
Configure Routes
TunHub integration should have at least one route configured. A route is an entity that maps a private address in your network to the one which is reachable by Cloudaware. The route generates an alternate address which customers may use for adding integrations that require secure connection.
1. Click three dots → Edit Tunnel & Routes → +Add Route.
Each private network resource requires a unique designated route to be configured in Cloudaware TunHub.
2. Fill the form:
*Description - the route name (= the resource name, e.g. MyCompany JIRA)
**Remote Host - Domain Name or IP address of the resource in a private network
***Remote Port - the port of the resource in a private network for Cloudaware to access (commonly 443)
3. Click Save. Breeze agent runs every 15 minutes, so allow some time for a route to get the green status and then proceed.
4. Once the route is pre-configured and ready, get the generated Destination Host and Destination Port required for adding the integration in question.
Integration Name | Destination Host/Port To Be Used For Field(s) |
---|---|
URL (e.g. https://tunhub.cloudaware.com:12345) | |
URL (e.g. https://tunhub.cloudaware.com:12345) | |
Host (e.g. https://tunhub.cloudaware.com) | |
URL (e.g. https://tunhub.cloudaware.com/12345) Note that ports 17774 (or 17778 for older versions) should be used as remote ports in TunHub routes. |
5. Go back to the integration details. The green light in 'Primary Channel' means that TunHub integration has been successfully added. If there is a red light, please contact support@cloudaware.com.
If the checkbox ‘Managed by Cloudaware' is checked, neither a managed tunnel nor its routes can be edited/deleted by a customer.
API Access
The Cloudaware TunHub integration enables a secure connection to private Kubernetes, VMware, SCCM, Snowflake, Rancher, Jira, and other environments. Customers can use the external Cloudaware API to programmatically request the list of TunHub gateways (tunnels) or routes, change settings for a specific gateway, and swap primary and secondary channels.
Configuration
1. Address this guide to generate API Key and Token.
2. Use external.tunhub.tunnels APIs to send requests.
Sample Requests
the initial request to get the list of TunHub gateways (tunnels)
GET https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER
where
TOKEN_PLACEHOLDER in token
is your token generated earlier
KEY_PLACEHOLDER in key
is your API key generated earlier
response example:
to get the list of routes of a specific TunHub gateway (tunnel) id
GET https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER/routes?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER
where
TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel id from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token
is your token generated earlier
KEY_PLACEHOLDER in key
is your API key generated earlier
response example:
to update name or description of a TunHub tunnel
PUT https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER
where
TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel id from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token
is your token generated earlier
KEY_PLACEHOLDER in key
is your API key generated earlier
response example:
to swap primary and standby channels of a TunHub tunnel
POST https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER/swap-channels?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER
where
TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel id from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token
is your token generated earlier
KEY_PLACEHOLDER in key
is your API key generated earlier
response example: