connectivity-suite:architecture [2020/03/18 09:18]
juraschek ↷ Page moved from cs:architecture to connectivity-suite:architecture
====== Introduction ======
The Connectivity Suite is a lean remote management system for building a private network infrastructure and maintaining NetModule devices. It provides three key capabilities:

  * Build complete network infrastructures remotely by automatically setting up an encrypted VPN infrastructure for secure communication
  * Monitor networks and devices in real time
  * Manage networks and devices centrally through scheduled OTA updates and configurations

The Connectivity Suite has a scalable architecture and can be installed in the cloud or on-premises, depending on customer needs. The system runs as microservices in Docker containers on Linux.

{{ :cs:software_architecture_basic2.png? }}

  * User interface: Web interface accessible via HTTPS (SSL + OpenID).
  * Middleware: Establishes the communication between the User Interface and the microservices in the Core, giving a scalable, robust and distributed system. The Middleware runs in a separate container.
  * Core: Several microservices (Keycloak, Inventory, Configuration, Deployment, Health, Identity Server) run in the Core and serve REST API requests.

The solution can be used in standalone mode through the interactive user interface provided by NetModule, or integrated into customer applications through the REST API.
- 
===== Services =====
The Connectivity Suite runs several standalone services (microservices) in the Core, serving REST API requests. Each service handles its own configuration and persistence and runs as an individual Docker container. The services use Kafka or the PostgreSQL database for persistence. The following services are provided:

**Inventory**\\
The Inventory microservice provides endpoints to manage devices. It stores the static configuration (type, manufacturer, model, serial number, etc.) of a device and also keeps track of the currently valid IP addresses through which each device can be reached.

**Configuration**\\
The Configuration microservice provides endpoints to manage the available software as well as the runtime configuration of devices registered in the system. Firmware images can be uploaded to or referenced in this service. The runtime configuration of devices is also managed by the Connectivity Suite, which allows setting the runtime properties (IP address, networks, …) and uploading a device-specific configuration. Those properties are merged with the uploaded configuration file when a complete deployable firmware or configuration is retrieved.
Configurations cannot be deleted, only replaced by a sequentially numbered, updated configuration. Thus, a complete history of all previous device configurations remains available.

**Deployment**\\
The Deployment microservice provides endpoints to manage the deployment of software and configuration to devices. Deploying a configuration or software to a device has to be scheduled with a job. A job has a schedule (when, and for up to how long, to execute) and a list of deployables that should be deployed to devices. Once a job schedule is activated, the microservice makes sure it is executed according to the instructions. The state of the job can also be queried through the service.

**Health**\\
The Health microservice provides health data from devices to monitor the connectivity status and the uptime of each device and network.

===== Provisioning =====
Provisioning is the process of connecting a device to the Connectivity Suite for the first time. Provisioning is required because a device is initially not able to connect to the Connectivity Suite. When a device connects to the Connectivity Suite for the first time, it connects directly to the Provisioning server, which is located in the Provisioning network. Once a device is in the Provisioning network it can be assigned to any Tenant via the Connectivity Suite, and it can reconnect automatically to the Connectivity Suite after a disconnection.

During provisioning the device receives the network address of the Connectivity Suite installation, the VPN configuration and key material. The configuration of the device is updated accordingly so that it connects automatically to the Provisioning server of the Connectivity Suite.
- 
===== Tenant =====
A Tenant is a group of devices. From the user perspective, a Tenant can be used to separate devices by country, region, business unit or any other criterion. Administration rights can be assigned for each Tenant separately to restrict user access per Tenant. Devices that belong to one Tenant cannot communicate with devices connected to another Tenant.

Devices within a Tenant can communicate with each other, whereas devices cannot communicate across Tenants. A Tenant represents a network of devices.
- 
===== 1:1 NAT =====
1:1 NAT (Network Address Translation) is a mode of NAT that maps each internal address to exactly one external address. 1:1 NAT is used on every Tenant; it can also be enabled on a device if required. 1:1 NAT on Tenants allows using the same address space for multiple Tenant subnets. 1:1 NAT on a Device behaves likewise, making it possible to reach its End Devices via the Connectivity Suite VPN network.
- 
===== System architecture =====

==== Home network ====
The Home network is a VPN subnet consisting of all Tenants. It is used to address all devices (and possible end devices) which are assigned to Tenants. Its size can be roughly estimated as: maximum number of devices x average number of end devices behind a single device.

{{ :cs:Home2.png? }}
- 
==== Provisioning network ====
A Provisioning network is a VPN subnet consisting of devices newly detected by the Connectivity Suite but not yet assigned to a Tenant. Only the Platform Administrator has access to this subnet and can move Devices to a Tenant. A Connectivity Suite instance has exactly one Provisioning network.

{{ :cs:provisioning5.png? }}

==== Tenant network ====
A Tenant network is a VPN subnet consisting of devices (routers) and generic devices (network devices which are not routers, e.g. servers). Tenants can be used to group Devices and to separate them from one another. A Tenant network is hosted by virtual VPN servers. The certificates used for establishing VPN connections are created automatically.

{{ :cs:Tenants5.png? }}
- 

==== Example ====

The following figure shows the main components that constitute the Connectivity Suite and its associated networks. The Connectivity Suite can connect networks which use identical IP addresses within their subnets; this is enabled by 1:1 NAT.

{{ :cs:system_architecture2.png?nolink|}}
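As an added example (not NetModule's or the Connectivity Suite's code), the following sizes the Home network with the rule of thumb given above and then gives two Tenants that both use the same inside subnet distinct 1:1 NAT blocks inside the Home network; the 10.0.0.0 base and the 192.168.1.0/24 Tenant subnets are constructed values.

```python
# Added example, not Connectivity Suite code: size the Home network with the
# page's rule of thumb, then give Tenants with identical inside subnets
# distinct 1:1 NAT blocks in it. All addresses below are constructed.
import math
from ipaddress import IPv4Address, IPv4Network


def home_network(max_devices, avg_end_devices, base="10.0.0.0"):
    """Rule of thumb: max devices x average end devices per device."""
    needed = max_devices * avg_end_devices + 2   # plus network and broadcast
    return IPv4Network(f"{base}/{32 - math.ceil(math.log2(needed))}")


class OneToOneNat:
    """1:1 NAT: each inside address maps to exactly one outside address,
    keeping the host offset, so the mapping is reversible without state."""

    def __init__(self, inside, outside):
        if inside.prefixlen != outside.prefixlen:
            raise ValueError("1:1 NAT needs equally sized inside/outside blocks")
        self.inside, self.outside = inside, outside

    def _shift(self, addr, src, dst):
        addr = IPv4Address(addr)
        if addr not in src:
            raise ValueError(f"{addr} is not in {src}")
        return IPv4Address(int(dst.network_address) + int(addr) - int(src.network_address))

    def to_outside(self, addr):
        return self._shift(addr, self.inside, self.outside)

    def to_inside(self, addr):
        return self._shift(addr, self.outside, self.inside)


def allocate_tenant_nats(home, tenants):
    """Carve one outside block per Tenant out of the Home network.
    tenants: {name: inside subnet}; the inside subnets may overlap each other."""
    tenants = {name: IPv4Network(net) for name, net in tenants.items()}
    cursor, nats = int(home.network_address), {}
    # Largest blocks first keeps every block aligned to its own size.
    for name, inside in sorted(tenants.items(), key=lambda kv: kv[1].num_addresses, reverse=True):
        outside = IPv4Network((cursor, inside.prefixlen))
        if not outside.subnet_of(home):
            raise ValueError(f"Home network {home} is too small for Tenant {name}")
        nats[name] = OneToOneNat(inside, outside)
        cursor += inside.num_addresses
    return nats
```

Calling `allocate_tenant_nats(home_network(1000, 60), {"tenant-a": "192.168.1.0/24", "tenant-b": "192.168.1.0/24"})` yields the outside blocks 10.0.0.0/24 and 10.0.1.0/24, so the address 192.168.1.10 in each Tenant is reachable from the Home network as 10.0.0.10 and 10.0.1.10 respectively.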