TunHub Integration Guide

In order for Cloudaware CMDB collector to discover infrastructure running on the private network, customers must deploy a local proxy. Local collector proxy must have ingress access to the target endpoint and egress access to the Cloudaware TunHub's server.

Introduction

Proxy configuration can be deployed to any Breeze agent that meets requirements. Up to 2 Breeze agents (active and standby) can be designated to support single endpoint connection.

Customers are able to set up the TunHub integration using a self-service interface in Cloudaware Admin panel.

Breeze Setup

Select any existing or a new server that has access to the resources in your private network and may communicate to Cloudaware. Follow the steps below to install Breeze agent:

1. Log in to Cloudaware account → Admin → Breeze to download the Breeze agent.

2. Install Breeze on this server*.

Server requirements:

Linux only (Ubuntu 14 and newer, Centos/RedHat/Oracle Linux 6-9, Debian 9 and newer, Amazon Linux)

CPU: 1

Memory: 256 MB minimum

Storage: 200 MB

Ports:

outbound TCP 443 for Breeze agent (dest: breeze-server.cloudaware.com)

outbound TCP 443 for TunHub (dest: tunhub.cloudaware.com)

3. Once Breeze is installed, the server gets access to breeze-server.cloudaware.com and may act as TunHub proxy.

TunHub Setup

Create A Tunnel

Create a tunnel to grant Cloudaware access to your private network resources. A tunnel should contain one or more routes, which can be added on the next step.

1. Log in to Cloudaware account → Admin.

2. Find TunHub in the list of integrations. Click +Add.

3. Fill in the required information:

*Description - the integration name

**Primary Channel - Breeze Agent ID of Breeze agent installed on the host (pay attention to this field as it cannot be edited later!)

To locate Breeze Agent ID, use CMDB Navigator in your Cloudaware account. Locate the server using the specific list view or general Search. Check the field 'Breeze Agent'. The field values may be of the following formats:

AWS EC2 Instances - i-XXXXXXXXXXXXXXXXX (=Instance ID)
Azure Virtual Machines - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (=VM ID)
Azure VM Scale Set Instances - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (=VM ID)
vCenter Virtual Machines - vcenter_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX_vm-1111111 (=vCenter ID_Virtual Machine External ID)
Google GCE Instances - 1111111111111111111 (=Google ID)
Physical Servers - ipXX.XX.X.XX_macXXXXXXXXXX (=Name)

***Standby Channel (optional) - Breeze Agent ID of Breeze agent installed on the reserve host. If Primary Channel is unavailable for any reason, Standby Channel will be used for Cloudaware TunHub integration until Primary Channel connection is restored.

Primary and Standby Channels must have different public IP addresses.

****Dedicated Port - check this box if it is not possible to have unique public source IP addresses for all egress Tunhub connections in your organization. This will assign a dedicated port out of 30000-40000 range (ensure that your firewall allows egress for this range). Otherwise, Tunhub listens on port 443 and expects the connection to be established from a unique public IP address.

4. Click Save to test the connection.

5. Review the integration details. The yellow light in 'Primary Channel' means that TunHub is waiting for the local collector proxy (Breeze) to connect.

Configure Routes

Tunhub integration should have at least one route configured. A route is an entity that maps a private address in your network to the one which is reachable by Cloudaware. The route generates an alternate address which customers may use for adding integrations that require secure connection.

1. Click three dots → Edit Tunnel & Routes → +Add Route.

Each private network resource requires a unique designated route to be configured in Cloudaware TunHub.

2. Fill the form:

*Description - the route name (= the resource name, e.g. MyCompany JIRA)

**Remote Host - Domain Name or IP address of the resource in a private network

***Remote Port - the port of the resource in a private network for Cloudaware to access (commonly 443)

3. Click Save. Breeze agent runs every 15 minutes, so allow some time for a route to get the green status and then proceed.

4. Once the route is pre-configured and ready, get the generated Destination Host and Destination Port required for adding the integration in question.

Integration Name	Destination Host/Port To Be Used For Field(s)
JIRA	URL (e.g. https://tunhub.cloudaware.com:12345)
vCenter Management Server	URL (e.g. https://tunhub.cloudaware.com:12345)
SCCM	Host (e.g. tunhub.cloudaware.com) Port (e.g. 1245)

5. Go back to the integration details. The green light in 'Primary Channel' means that TunHub integration has been successfully added. If there is a red light, please contact support@cloudaware.com.

If the checkbox ‘Managed by Cloudaware' is checked, neither a managed tunnel nor its routes can be edited/deleted by a customer.

API Access

The Cloudaware TunHub integration enables a secure connection to private Kubernetes, VMware, SCCM, Snowflake, Rancher, Jira, and other environments. Customers can use the external Cloudaware API to programmatically request the list of TunHub gateways (tunnels) or routes, change settings for a specific gateway, and swap primary and secondary channels.

Configuration

1. Address this guide to generate API Key and Token.

2. Use external.tunhub.tunnels APIs to send requests.

Sample Requests

the initial request to get the list of TunHub gateways (tunnels)

GET https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER

CODE

where

TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

response example:

to get the list of routes of a specific TunHub gateway (tunnel) id

GET https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER/routes?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER

CODE

where

TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel id from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

response example:

to update name or description of a TunHub tunnel

PUT https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER

CODE

where

TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel id from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

response example:

to swap primary and standby channels of a TunHub tunnel

POST https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER/swap-channels?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER

CODE

where

TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel id from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

response example: