Define Policy¶
Now we'll create a Policy to enable connectivity between your tagged systems. Policies determine which systems can connect to each other, and which can't. There are two types of Policy:
- Direct Access Policies, which enable direct, peer-to-peer connectivity between two devices running Enclave.
- Gateway Access Policies, which route traffic to peers via an Enclave Gateway. These can be useful when you can't install Enclave on a device (e.g. a printer), or want to route traffic through Enclave to existing or public networks.
In this article, we'll exclusively discuss Direct Access Policies. You can find more information about Gateway Access Policies here.
Each Direct Access Policy is composed of at least two Tags, one assigned to the Sender
side of the Policy, and the other the Receiver
side of the Policy.
Any systems which are members of Tags added to the Sender
side of Policy may originate traffic to any systems which are members of Tags added to the Receiver
side of the same Policy.
Depending on how you arrange the Tags in your Policy, you can create either a partially connected or a fully connected mesh.
Production use
This guide suggests creating some example Policies. You can (and should) create Policies which reflect the structure of your organisation for use in production. Visit the Policy section to learn more about creating, naming and managing Policies.
In a partially connected mesh, only specific systems connect to one another.
Here we'll define a Policy that directly connects systems tagged with org.workstations to systems tagged with org.servers. Connectivity is established between the left and right sides of the Policy (Sender
to Receiver
) but not between systems on the same side.
-
In the Portal, navigate to the
Policies
page. -
Select the
Create New Policy
button and describe the new Policy asServer Access
. Make sure you leaveDirect Access Policy (default)
selected. -
Add the org.workstations Tag to the Sender side of the Policy.
-
Add the org.servers Tag to the Receiver side of the Policy.
-
Save the Policy.
Congratulations! Your new Policy will take effect immediately and Enclave will quickly build direct connectivity between your enrolled systems. You've successfully built your first Enclave connection.
In a fully connected mesh, all systems in the Policy are connected to one another
Here we'll define a Policy that directly connects any systems tagged with org.any to any other systems tagged with org.any to explicitly create a fully connected mesh.
Production use
Fully connected mesh networks may create large numbers of connections between participating systems. A fully connected mesh of 16 systems will create 120 connections, but a mesh with 32 participants will create 496 connections. You should consider the capabilities of your underlying network infrastructure when deploying a fully connected mesh. Learn more.
-
In the Portal, navigate to the
Policies
page. -
Select the
Create New Policy
button and describe the new Policy asFull Mesh
. Make sure you leaveDirect Access Policy (default)
selected. -
Add the org.any Tag to the Sender side of the Policy.
-
Add the org.any Tag to the Receiver side of the Policy.
-
Save the Policy.
Congratulations! Your new Policy will take effect immediately and Enclave will quickly build direct connectivity between your enrolled systems. You've successfully built your first Enclave connection.
Any future systems you enrol and attach these Tags to will automatically inherit the connectivity defined in this Policy, helpful in auto-scaling scenarios to minimise the management overhead of connecting additional systems.
Now that you've got your first connection, see next steps to learn more about what you can do with Enclave.