How Anapaya GATE works

The Anapaya GATE service is made up of several components, from connecting your service to the SCION Internet to exposing it to users connected to an Anapaya GATE provider. The following sections describe how these components work together to protect your service and provide reliable access for your users.

Connecting your service to the SCION Internet

The process begins with the service that needs protection. This service is typically hosted in a corporate data center or a public cloud environment. To connect to the SCION Internet, the organization deploys an Anapaya EDGE appliance, often in a redundant configuration for high availability. This connection is facilitated by a SCION-enabled Internet Service Provider (ISP) that provides the necessary SCION access.

Establishing secure tunnels to GATEs

Once connected to the SCION network, the organization's Anapaya EDGE establishes secure IP-in-SCION tunneling sessions to a selection of Anapaya GATE providers. These GATEs are run by trusted ISPs. The organization chooses which GATEs to connect to, thereby defining the exclusive "front doors" through which their service will be accessible.

IP prefix advertisement and controlled reachability

The core of the access control mechanism is how the service's IP address prefix is handled.

  • The Anapaya EDGE advertises the IP prefix of the protected service only to the selected Anapaya GATEs running in the selected GATE providers' infrastructure.
  • These GATEs then redistribute this prefix exclusively within their own networks and certain downstream networks.
  • The result is that the service becomes accessible only to users within the networks of the chosen GATE providers. For the rest of the public internet, the service is invisible and unreachable.

Organizations have flexibility in how they source the IP prefix for their protected service:

  • Bring Your Own Prefix (BYOP): The organization can use its own existing IP prefixes (a /24 or larger for IPv4, a /48 or larger for IPv6).
  • Anapaya Provided Prefix: Alternatively, Anapaya can provide the necessary IP prefix for the service.

User access through GATEs

Users who need to access the protected service must do so through one of the selected Anapaya GATEs. Note that no change is required on the user side; they simply access the service as they would any other service, but their traffic to the service is routed through the GATE.

  • Inbound Traffic: A user within a chosen GATE provider's network starts a connection to the service. The traffic enters the GATE, is transported across the secure SCION network to the organization's Anapaya EDGE, and is then forwarded to the protected service.
  • Outbound Traffic: Return traffic from the service to the user follows the inverse route, ensuring a symmetric and secure communication path.

Extending reachability with GlobalConnect

For organizations that require broader reachability, Anapaya GATE can be extended through GlobalConnect.