Anapaya CONSOLE
This section is currently under development. More exciting content is coming soon - stay tuned!
The Anapaya CONSOLE is a centralized, cloud-hosted SaaS platform for managing, monitoring, and controlling Anapaya appliances. For product information and feature overview, see the product page.
How the CONSOLE interacts with appliances
The Anapaya CONSOLE continuously monitors appliances by connecting to their API endpoints. This interaction enables the CONSOLE to provide real-time visibility, configuration management, and operational control across your SCION network infrastructure.
Access model
The CONSOLE employs a poll-based model and fetches data from the appliances at regular intervals. The access the CONSOLE has to an appliance is configured on the appliance side using the management API configuration. The CONSOLE connects with the credentials of a user that needs to be registered on the appliance. For basic operation, the observer role is sufficient. If you want to trigger configuration changes or software updates from the CONSOLE directly, the CONSOLE user must have the writer role.
For basic operation, the following data is retrieved from the appliances:
- Telemetry Data: The CONSOLE scrapes the metrics required for the integrated alerting and for the performance graphs shown in the dashboard. This is a small subset of all the metrics that the appliance exposes.
- Health Data: The CONSOLE fetches health information to provide insight into the operational status of the appliances.
- Software Version: The CONSOLE retrieves the software version of each appliance to indicate whether updates are available.
- Configuration State: The CONSOLE checks the configuration state to verify that the appliances have the latest configuration applied.
- Path Statistics Data: The CONSOLE requests path statistics to visualize path performance in the dashboard.
For advanced operations, such as configuration changes or software updates, the CONSOLE requires write access to the appliance. The following operations can be performed by the CONSOLE when initiated by the user:
- Configuration Management: The CONSOLE can push configuration changes directly to the appliances, streamlining network management tasks.
- Software Updates: The CONSOLE can initiate software updates on the appliances, ensuring they are running the latest versions with minimal manual intervention.
Configuring access
The CONSOLE needs to be granted access to the appliances it manages. This is done by configuring a user on the appliance with the appropriate role (observer or writer) and providing the CONSOLE with the credentials of this user. Furthermore, the appliance needs to be reachable from the CONSOLE (see providing connectivity for more details on reachability).
For a detailed guide on how to onboard an appliance to the CONSOLE, including setting up a new user for the CONSOLE, see the onboard an appliance guide. When configuring the CONSOLE user on the appliance, it is important to select the appropriate role.
Use the observer role if you want to restrict the CONSOLE access such that it can only monitor and provide visibility into the appliance without making any changes. You can still use the Anapaya CONSOLE to generate desired configurations for the appliance, but you will need to apply them through an out-of-band method. The CONSOLE will not be able to push configurations or trigger software updates.
Use the writer role if you want to allow the CONSOLE to manage the appliance fully. Configuration changes and software updates can be triggered by the user through the CONSOLE directly.
For monitoring-only deployments, assign the observer role to the CONSOLE to minimize risks. This ensures that the CONSOLE cannot trigger any modifications to appliance configuration, even if the CONSOLE itself were compromised.
Providing connectivity
The CONSOLE needs to be able to reach the appliance management API to fetch live data and perform management operations. We recommend one of two ways to establish connectivity between the CONSOLE and your appliances.
- Expose API via shuttle: Configure your appliance to create a client-initiated tunnel via shuttle. The appliance connects to an Anapaya-hosted shuttle server and binds the management API to the address inside the shuttle tunnel. The CONSOLE can then reach the appliance API via the shuttle server. This approach is in-band and relies on SCION connectivity.
- Expose API via reverse proxy: Configure a reverse proxy that is reachable from the CONSOLE and forwards requests to the appliance through your internal management network. The connection between the CONSOLE and your reverse proxy is usually protected by a VPN (e.g., WireGuard) so as not to expose the reverse proxy directly to the public internet. This approach is out-of-band and relies on traditional IP connectivity.
Both approaches have their pros and cons. Below we highlight some of the considerations when choosing the right approach for your deployment.
Exposing API via shuttle
Pros
- Simplicity: The shuttle-based approach is easy to set up and requires minimal infrastructure on your side.
- Client-initiated connection: The appliance initiates the connection to the shuttle server. This means that the management API is not exposed outside of the tunnel, reducing the attack surface.
Cons
- SCION dependency: The shuttle-based approach relies on SCION connectivity. If your SCION network experiences an outage, the CONSOLE will not be able to reach the appliance. Be sure to have a secondary way to manage your appliances in case of connectivity issues.
Exposing API via reverse proxy
Pros
- Independence: With the reverse proxy approach, you are in control of which appliances are reachable from the CONSOLE. In the shuttle-based approach, adding a new appliance requires changes on the shuttle server side. In the reverse proxy approach, you can add new appliances unilaterally by configuring the reverse proxy accordingly.
- More granular access control: The reverse proxy approach allows for more granular access control. You can configure exactly which HTTP endpoints are accessible from the CONSOLE, and you can enforce your own access control policies at the reverse proxy level, without relying on the appliance RBAC model.
- No SCION dependency: The reverse proxy approach does not rely on SCION connectivity. As long as the reverse proxy is reachable from the CONSOLE, you can manage your appliances.
Cons
- Higher initial setup effort: Setting up a reverse proxy and VPN infrastructure requires more effort compared to the shuttle-based approach.
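As an added example (not Anapaya's own configuration), the following nginx server block shows how the reverse proxy can enforce the controls described above: it listens only on the WireGuard tunnel address, accepts only the CONSOLE peer, forwards only an explicit set of paths, and restricts a monitoring-only deployment to read-only HTTP methods. The interface address 10.200.0.1, the CONSOLE peer 10.200.0.2, the appliance management address 192.0.2.10, the certificate paths and the API path prefix are all assumed placeholders; substitute the appliance's real management API endpoints.

```nginx
# Added example, not Anapaya's configuration. All addresses, paths and
# certificate locations are placeholders for illustration.

server {
    # Bind only to the WireGuard tunnel address (wg0), never to a public interface.
    listen 10.200.0.1:443 ssl;
    server_name console-proxy.example.internal;

    ssl_certificate     /etc/nginx/tls/console-proxy.crt;
    ssl_certificate_key /etc/nginx/tls/console-proxy.key;

    # Even inside the tunnel, only the CONSOLE peer address may talk to the proxy.
    allow 10.200.0.2;
    deny  all;

    # Default deny: any path not listed explicitly below is not forwarded.
    location / {
        return 404;
    }

    # Allowlisted prefix for the endpoints the CONSOLE polls (metrics, health,
    # version, configuration state, path statistics). PLACEHOLDER: replace with the
    # appliance's actual management API paths.
    location /PLACEHOLDER_MANAGEMENT_API_PREFIX/ {
        # Monitoring-only deployment: permit read-only methods only, so that even a
        # writer credential cannot be used through this proxy to change anything.
        # Remove this block if the CONSOLE is meant to push configuration or updates.
        limit_except GET HEAD {
            deny all;
        }

        # Forward to the appliance over the internal management network and verify
        # its TLS certificate against a private CA (assumed to exist).
        proxy_pass https://192.0.2.10;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/appliance-ca.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                appliance.example.internal;

        # Pass the CONSOLE's credentials and host header through unchanged.
        proxy_set_header Host          $host;
        proxy_set_header Authorization $http_authorization;
    }
}
```

With this layout the appliance-side observer role and the proxy-side method restriction are two independent controls, so a compromised CONSOLE credential alone does not permit configuration changes.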
What to choose?
The choice between the two approaches depends on your specific requirements and constraints. Here are some example scenarios and the recommendation for each. If in doubt, we recommend starting with the shuttle-based approach for its simplicity. If you need help deciding, please reach out to Anapaya support.
Shuttle-based approach
- You are conducting a Proof-of-Concept (PoC) and want to get started quickly.
- You have a production deployment with a couple of appliances and want to minimize management overhead.
Reverse proxy approach
- You are very security-conscious and want full control over which appliances are reachable from the CONSOLE and want to lock down the accessible HTTP endpoints.
- You are a managed service provider and want to integrate the CONSOLE into your existing management network.