Publish a Generic TCP Infrastructure Service to Users

This article shows you how to create an Infrastructure service that gives users access to an internal database located in your private network, so a user can connect conveniently yet securely using their favorite DB management tool.

This guide uses an Amazon RDS database as the example. However, you can publish any networked service that listens on a single fixed TCP port as a Banyan Infrastructure service.

Scenario

For this quick start guide, we have an internal database that needs to be published to end users. As depicted in the diagram below, this guide uses an Amazon RDS database reachable on a host named mydb with IP address 10.10.12.12, with the DB process listening on port 3306.

We assume your end users have been added to your Banyan directory, and that they have the latest Banyan Desktop or Mobile App installed on the devices from which they will access the database.

Setup

The setup for this quick start guide depends on your deployment model.

With an Access Tier:

  1. A Banyan Access Tier is installed in the same network segment as the database server to be published using Banyan. This guide uses an Access Tier named product-team.

  2. A wildcard DNS record points to the Access Tier, so that the Access Tier can serve multiple services. This guide assumes the DNS record *.corp.example.com maps to the product-team Access Tier.

  3. The database that needs to be published is running on a host named mydb with IP address 10.10.12.12, with the DB process listening on port 3306.

  4. The database credentials for the users who need access to mydb have been provisioned and supplied to the users.

With a Connector:

  1. A Banyan Connector is installed in the same network segment as the database server to be published using Banyan. This guide uses a Connector named datacenter1.

  2. A wildcard DNS record is set up as a Banyan Registered Domain. This guide assumes the DNS record *.corp.example.com has been added as a Registered Domain in your Command Center.

  3. The database that needs to be published is running on a host named mydb with IP address 10.10.12.12, with the DB process listening on port 3306.

  4. The database credentials for the users who need access to mydb have been provisioned and supplied to the users.

Steps

We will now enable secure access to the database in three steps.

Step 1. Create a Policy for Infrastructure Access

1.1 Log in to the Banyan Command Center and navigate to Secure Access > Policies > Create New Policy.

1.2 Create a new Policy using the template TCP Policy.

1.3 Enter a Policy Name (such as, quickstart-user-infra) and a Description.

1.4 Configure the Policy Attributes:

  • Only allow access from the following role: ANY (or a role according to your organization’s requirements)
  • Only allow users and devices with the following Trust Levels: No Trust Level - ignore TrustScore (or a Trust Level according to your organization’s security requirements)

Step 2. Register the Database as an Infrastructure Service

2.1 Navigate to Manage Services > Infrastructure Services and then click + Register Service.

2.2 Select the template Other TCP Service.

2.3 Enter the Service Name (such as, aws-rds) and set the service attributes based on your deployment model:

  • With an Access Tier: select the product-team Access Tier

  • With a Connector: select the datacenter1 Connector

  • In either model, enter the Service Domain Name for this service, mydb.corp.example.com, and leave the port as 8443; the Banyan App will connect to this domain to set up an mTLS tunnel so users can access the service

2.4 Specify how backend connectivity should be set up:

  • Set the incoming connections to be proxied to be Fixed Backend Domain

  • Enter the Backend Domain Name and Port. In this guide, we use mydb and port 3306; you may use the backend IP address instead of the backend domain here.

  • Configure the Service Connection Settings:
    • Leave the Assigned Listen Port blank to use a random port
    • Allow end users the ability to override these settings in the Banyan Desktop App

2.5 Attach the policy created in Step 1, and then set the enforcement mode to Enforcing.

2.6 Click Register Service.

Step 3. As an End User, launch the Banyan Desktop App and access the Database

3.1 Launch the Banyan Desktop App, locate the published database service (for example, aws-rds) in the list of TCP Services, and then click Connect.

3.2 Click into the service details and take note of the (localhost:port) provided in the Banyan Desktop App (for example, 127.0.0.1:XXXXX).

3.3 Launch your preferred database management tool (such as MySQL Workbench, pgAdmin, phpMyAdmin, Microsoft SQL Server Management Studio, etc.), create a new server connection using the localhost:port noted in the previous step, and enter your database credentials when prompted.

Behind the scenes, Banyan evaluates your device posture, enforces your security policies, and grants access accordingly.
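Before typing database credentials into a client, it is worth confirming that the localhost:port shown by the Desktop App really terminates at the database you expect. The following Python script is an added example for this guide, not Banyan's own code. It assumes a MySQL-compatible backend (Amazon RDS for MySQL on port 3306, as in this guide) and the 127.0.0.1:XXXXX endpoint format shown in the Desktop App. It connects to the local endpoint, reads the MySQL initial handshake, and reports the server version, the authentication plugin, and whether the server advertises TLS (the CLIENT_SSL capability). That last flag matters: the mTLS tunnel in this guide protects the hop from the device to the Access Tier or Connector, while the proxied connection to port 3306 on mydb is ordinary TCP as far as the database is concerned, so whether that hop is encrypted depends on the database's own TLS configuration, and a client that sees CLIENT_SSL can request it.

```python
"""Sanity-check the localhost:port handed out by the Banyan Desktop App before
pointing a database client at it.

Added example for this guide, not Banyan's code. Assumes a MySQL-compatible
backend (Amazon RDS for MySQL on 3306) and a "127.0.0.1:XXXXX" endpoint.
"""
import socket
import struct

CLIENT_SSL = 0x0800           # server accepts a TLS upgrade on this connection
CLIENT_PLUGIN_AUTH = 0x80000  # handshake carries an auth plugin name


def parse_endpoint(text):
    """Turn '127.0.0.1:54321' into ('127.0.0.1', 54321).

    Refuses non-loopback hosts: the tunnel endpoint lives on the user's own
    machine, so anything else means the wrong address was copied.
    """
    host, _, port = text.strip().rpartition(":")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("bad port in endpoint %r" % text)
    if host not in ("127.0.0.1", "localhost", "::1"):
        raise ValueError("tunnel endpoint should be loopback, got %r" % host)
    return host, int(port)


def parse_mysql_handshake(packet):
    """Parse the protocol-v10 initial handshake a MySQL server sends on connect."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    length = int.from_bytes(packet[:3], "little")    # 3-byte LE length, 1-byte seq id
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if payload[0] == 0xFF:                            # ERR packet instead of a greeting
        code = struct.unpack_from("<H", payload, 1)[0]
        raise ValueError("server error %d: %s" % (code, payload[3:].decode("utf-8", "replace")))
    if payload[0] != 10:
        raise ValueError("unsupported protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)
    server_version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    connection_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                                  # connection id, auth-data part 1, filler
    cap_low, _charset, _status, cap_high = struct.unpack_from("<HBHH", payload, pos)
    pos += 7
    caps = cap_low | (cap_high << 16)
    auth_len = payload[pos]
    pos += 1 + 10                                     # auth-data length, 10 reserved bytes
    pos += max(13, auth_len - 8)                      # auth-data part 2
    plugin = ""
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii", "replace")
    return {
        "server_version": server_version,
        "connection_id": connection_id,
        "capabilities": caps,
        "tls_offered": bool(caps & CLIENT_SSL),
        "auth_plugin": plugin,
    }


def build_handshake(server_version="8.0.32", caps=0x88800, plugin="caching_sha2_password"):
    """Build a v10 handshake packet. Constructed sample data for offline use;
    a real server sends a random 20-byte nonce, not this fixed one."""
    nonce = b"abcdefghijklmnopqrst"
    payload = bytes([10]) + server_version.encode() + b"\x00"
    payload += struct.pack("<I", 42)                  # connection id
    payload += nonce[:8] + b"\x00"                    # auth-data part 1, filler
    payload += struct.pack("<HBHH", caps & 0xFFFF, 0x21, 0x0002, caps >> 16)
    payload += bytes([len(nonce) + 1]) + b"\x00" * 10  # auth-data length, reserved
    payload += nonce[8:] + b"\x00"                    # auth-data part 2 (13 bytes)
    payload += plugin.encode() + b"\x00"
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before a MySQL greeting arrived")
        buf += chunk
    return buf


def check_tunnel(endpoint, timeout=3.0):
    """Connect to the Desktop App's local endpoint and parse the server greeting.
    No credentials are sent; the connection is closed after the first packet."""
    host, port = parse_endpoint(endpoint)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        header = _recv_exact(sock, 4)
        payload = _recv_exact(sock, int.from_bytes(header[:3], "little"))
    return parse_mysql_handshake(header + payload)


if __name__ == "__main__":
    import sys
    print(check_tunnel(sys.argv[1]))   # e.g. python check_tunnel.py 127.0.0.1:54321
```

Run it with the endpoint from step 3.2, for example `python check_tunnel.py 127.0.0.1:54321`. If the greeting is an ERR packet rather than a handshake (for instance, the database rejecting the Access Tier's source address), the script reports the server's error code instead of a version string, which tells you the tunnel is up but the backend connectivity in step 2.4 needs attention. The build_handshake helper only constructs sample packets so the parser can be exercised without a live database.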

Success!

And, that’s it! You have created a Zero Trust policy for a remote database and accessed it conveniently using your preferred database management tool.



Last modified: Oct 07, 2021