TunHub Integration
TunHub is a Cloudaware-managed proxy integration designed to ensure a secure connection between customer local network resources and Cloudaware CMDB. This guide explains how to set up TunHub in Cloudaware.
To see the TunHub integration in action, request a demo.
Introduction
To enable the Cloudaware CMDB collector to discover infrastructure running on a private network, a local proxy must be deployed. The local collector proxy requires ingress access to the target endpoint and egress access to the Cloudaware TunHub server.
The proxy configuration can be deployed to any Breeze agent that meets the requirements. Up to two Breeze agents — active and standby — can be designated to support a single endpoint connection.

Customers can set up the TunHub integration using a self-service interface in the Cloudaware Admin panel.
Breeze setup
Select an existing or new server that has access to the resources in your private network and can communicate with Cloudaware. Follow the steps below to install the Breeze agent:
Log in to the Cloudaware account → Admin.
Find Breeze in DevOps integrations → click 1 Configured. Select the desired version and download the agent.
Install Breeze on a server that meets the following requirements:
Operating System: Linux only
Ubuntu 14 and newer
CentOS/RedHat/Oracle Linux 6–9
Debian 9 and newer
Amazon Linux (note that Amazon Linux 2023 is currently not supported for TunHub)
CPU: 1 core
Memory: Minimum 256 MB
Storage: Minimum 200 MB
Ports:
Outbound TCP 443 to breeze-server.cloudaware.com (for the Breeze agent)
Outbound TCP 443 to tunhub.cloudaware.com (for TunHub)
Once Breeze is installed, the server gets access to breeze-server.cloudaware.com and can act as a TunHub proxy.
TunHub setup
Create a tunnel
Create a tunnel to grant Cloudaware access to private network resources. A tunnel must include at least one route. You can add more routes in the next step.
Log in to the Cloudaware account → Admin.
Find TunHub in DevOps integrations. Click +Add.
Fill out the form:
WHERE
Description - the integration name
Primary Channel - Breeze Agent ID* of Breeze agent installed on the host. Note: This field cannot be edited later, so verify its accuracy.
Standby Channel (optional) - Breeze Agent ID* of Breeze agent installed on the reserve host. If Primary Channel is unavailable for any reason, Standby Channel will be used for Cloudaware TunHub integration until Primary Channel connection is restored.
Dedicated Port - check this box if your organization cannot provide unique public source IP addresses for all egress TunHub connections. This assigns a dedicated port from the 30000-40000 range (ensure that your firewall allows egress for this range). If the box is unchecked, TunHub listens on port 443 and expects the connection to originate from a unique public IP address.
*To locate the Breeze Agent ID, use the CMDB Navigator in your Cloudaware account. Identify the server using either a specific list view or the general search function. Open the server record and check the field labeled 'Breeze Agent'. For Azure Virtual Machines, use the value from the 'VM ID' field instead.
Note that Breeze Agent ID values may follow the formats below, depending on the server type:
AWS EC2 Instance - i-XXXXXXXXXXXXXXXXX (=Instance ID)
Azure Virtual Machine - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (=VM ID)
Azure VM Scale Set Instance - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (=VM ID)
vCenter Virtual Machine - vcenter_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX_vm-1111111 (=vCenter ID_Virtual Machine External ID)
Google GCE Instance - 1111111111111111111 (=Google ID)
Physical Server - ipXX.XX.X.XX_macXXXXXXXXXX (=Name)
Primary and Standby Channels must have different public IP addresses.
Click Save to test the connection.
Review the integration status. The yellow light in 'Primary Channel' means that TunHub is waiting for the local collector proxy (Breeze) to connect.
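Because the Primary Channel field cannot be edited after saving, the Breeze Agent ID formats listed above can be checked before the form is submitted. The following is an added example, not Cloudaware code: the function names are hypothetical, the patterns assume that "X" stands for a hex digit (a decimal digit in the IP part) and "1" for a decimal digit, and the sample IDs are constructed.

```python
import re

_UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# Patterns derived from the placeholder formats in the guide (assumed reading:
# X = hex digit, 1 = decimal digit). Azure VM and VM Scale Set share one format.
AGENT_ID_FORMATS = [
    ("AWS EC2 Instance", re.compile(r"i-[0-9a-f]{17}")),
    ("Azure Virtual Machine or VM Scale Set Instance", re.compile(_UUID)),
    ("vCenter Virtual Machine", re.compile(rf"vcenter_{_UUID}_vm-\d+")),
    ("Google GCE Instance", re.compile(r"\d+")),
    ("Physical Server", re.compile(r"ip\d{1,3}(?:\.\d{1,3}){3}_mac[0-9A-Fa-f]+")),
]


def classify_agent_id(value):
    """Return the server type whose ID format the value matches, or None."""
    for server_type, pattern in AGENT_ID_FORMATS:
        if pattern.fullmatch(value):
            return server_type
    return None


def check_channels(primary, standby=None):
    """Return a list of problems found in the Primary/Standby Channel values."""
    problems = []
    for field, value in (("Primary Channel", primary), ("Standby Channel", standby)):
        if value is None:
            continue
        if value != value.strip():
            problems.append(f"{field}: leading or trailing whitespace")
        if classify_agent_id(value.strip()) is None:
            problems.append(f"{field}: not a known Breeze Agent ID format")
    # Channels need different public IPs, so the same agent cannot serve as both.
    if standby is not None and primary.strip() == standby.strip():
        problems.append("Standby Channel: same agent as Primary Channel")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real agent IDs.
    for sample in ("i-0123456789abcdef0", "ip10.20.3.40_mac0a1b2c3d4e", "i-0123"):
        print(sample, "->", classify_agent_id(sample))
    print(check_channels("i-0123456789abcdef0 ", "i-0123456789abcdef0"))
```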
Configure routes
The TunHub integration should have at least one configured route. A route maps a private address within your network to an address accessible by Cloudaware. It also generates an alternate address that can be used when adding integrations requiring a secure connection.
Click the three-dot menu → Edit Tunnel & Routes.
Click +Add Route.
Each private network resource requires a unique designated route to be configured in Cloudaware TunHub.
Fill out the form:
WHERE
Description - the route name (= the resource name, e.g. Jira)
Remote Host - Domain Name or IP address of the resource in a private network
Remote Port - the port of the resource in a private network for Cloudaware to access, commonly 443
Click Save. Allow some time for the route to get a green status, then proceed.
Once the route is pre-configured and ready, get the Destination Host and Destination Port generated for adding the integration in question.
Integration Name | Destination Host/Port to be used for field(s) |
---|---|
URL (e.g. | |
URL (e.g. | |
Host (e.g. | |
URL (e.g. Note that ports 17774 (or 17778 for older versions) should be used as remote ports in TunHub routes. |
Go back to the integration details. The green light in 'Primary Channel' means that TunHub integration has been successfully added. If there is a red light, please contact support@cloudaware.com.
If the checkbox 'Managed by Cloudaware' is checked, neither a managed tunnel nor its routes can be edited/deleted by a customer.
API access
The TunHub integration enables a secure connection to private Kubernetes, VMware, SCCM, Snowflake, Rancher, Jira, and other environments. Customers can use the external Cloudaware API to programmatically request a list of TunHub gateways (tunnels) or routes, change settings for a specific gateway, and swap primary and secondary channels.
Configuration
Refer to this guide to generate an API key and token.
Use external.tunhub.tunnels APIs to send requests.
Sample requests
the initial request to get the list of TunHub gateways (tunnels)
GET https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER
WHERE
TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

response example:

to get the list of routes of a specific TunHub gateway (tunnel) ID
GET https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER/routes?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER
WHERE
TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel ID from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

response example:

to update name or description of a TunHub tunnel
PUT https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER
WHERE
TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel ID from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

response example:

to swap primary and standby channels of a TunHub tunnel
POST https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels/TUNHUB_TUNNEL_ID_PLACEHOLDER/swap-channels?token=TOKEN_PLACEHOLDER&sandbox=false&key=KEY_PLACEHOLDER
WHERE
TUNHUB_TUNNEL_ID_PLACEHOLDER is a TunHub tunnel ID from the list of tunnels generated in the initial request (in the format: 1xxx1x11-1111-11xx-11x1-1111x11x11x1)
TOKEN_PLACEHOLDER in token is your token generated earlier
KEY_PLACEHOLDER in key is your API key generated earlier

response example:

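The sample requests above carry the token and API key in the query string, so any client that logs request URLs will also log the credentials. The following added example (not Cloudaware code) builds the list, routes and swap-channels requests without sending them, validates the tunnel ID before it enters the URL path, and masks the secrets for logging. The function names are hypothetical, the tunnel ID pattern assumes letters and digits in the 8-4-4-4-12 shape shown above, and the PUT request is left out because the page does not show its body.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

BASE = "https://external-dot-cloudaware-vm.appspot.com/_ah/api/external/v1/tunhub/tunnels"
# Assumption: tunnel IDs are letters and digits in the 8-4-4-4-12 shape from the guide.
TUNNEL_ID = re.compile(r"[0-9A-Za-z]{8}(?:-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12}")
SECRET_PARAMS = {"token", "key"}
ACTIONS = {
    "list_tunnels": ("GET", ""),
    "list_routes": ("GET", "/{id}/routes"),
    "swap_channels": ("POST", "/{id}/swap-channels"),
}


def build_request(action, token, key, tunnel_id=None, sandbox=False):
    """Build (but do not send) one of the sample requests from the guide."""
    method, suffix = ACTIONS[action]
    if "{id}" in suffix:
        # Reject anything that is not a tunnel ID before it reaches the URL path.
        if tunnel_id is None or not TUNNEL_ID.fullmatch(tunnel_id):
            raise ValueError("tunnel_id does not match the expected format")
        suffix = suffix.format(id=tunnel_id)
    query = urlencode({"token": token, "sandbox": str(sandbox).lower(), "key": key})
    return Request(f"{BASE}{suffix}?{query}", method=method)


def redact_url(url):
    """Return the URL with token and key values masked, suitable for logs."""
    parts = urlsplit(url)
    pairs = [(name, "REDACTED" if name in SECRET_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed tunnel ID and placeholder credentials; nothing is sent.
    req = build_request("list_routes", "TOKEN_PLACEHOLDER", "KEY_PLACEHOLDER",
                        tunnel_id="1abc1d11-1111-11ef-11a1-1111b11c11d1")
    print(req.get_method(), redact_url(req.full_url))
```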