Managing Zones
An overview about how Zones work in the Byos SL Overlay
Overview
The Byos Secure Lobby Overlay is an overlay network within the Byos platform. It enables Secure Edges to have secure communications between themselves and the Internet using Layer 2 Tunnels.
What is a Zone?
A Zone is a region within the Secure Lobby Overlay, that is used to segment and control traffic between Edges. The Default Zone within the Byos Overlay is set at 192.168.61.0/24
How does a Zone relate to a Policy Group?
Policy Groups are assigned to Zones, and thus a Policy Group’s Edges will will be governed by the Zone’s networking settings in the Byos Secure Lobby Overlay.
How do Zones and Edges Relate?
An Edge will be enrolled into a Policy Group, and the Zone will thus be inherited from the Group.
What is the Hierarchy of the Byos Network?
This is the hierarchy of sections within the Byos Solution:
- Zones - Network zones within the Byos Secure Lobby Overlay. Communication between Zones can be established or restricted.
- Policy Group - A collection of Edges, with an assigned set of policies, configured in the Management Console
- Edge - A Byos Secure Edge device
- Microsegment - The internal network created by the Byos Edge, isolated from the outer WAN side of the Edge.
- Asset - Any Device connected to the Byos Edge, inside the microsegment
Here is a brief graphic representation of how Zones, Policy Groups, Edges, and Assets Works together:
- Zone 1
- Only allowed to access Zone 2 outbound
- Zone 2
- allows inbound Access From Zone 1 & Zone 3
- Is allowed to access Zone 3 outbound
- Zone 3
- Bidirectional (inbound and outbound) traffic to and from Zone 2
Viewing the Zones In your Byos Secure Lobby Overlay
Zone Details
- Name
- Network ID & CIDR
- Zone Network Info
Connections
- Inbound connections into the Zone
- Outbound Connections from the Zone
- SL Guest Connections into the Zone
Members
- Policy Groups
- Edges
Creating a Zone
- Names the Zone.
- Select the Network ID and CIDR for the Zone.
- Select which Policy Group associated with the Zone.
- Select other Zone or Zones that will have inbound access to this newly created Zone.
- Select the other Zone or Zones this newly created Zone will have outbound access to.
- Select the User accounts that will have access to this newly created Zone.
Updating a Zone
When clicking on a Zone, the side bar will display the pertinent information for that Zone. All Zone settings can be modified:
- Zone Name
- Zone Network ID & CIDR
- Inbound, Outbound, and User Connections between Zones
- Which Policy Groups are assigned to the Zone, and thus which Edges in the Zone
Deleting a Zone
When a Zone is deleted, all Policy Groups in that Zone will be moved back to the Default Policy Group. They can be re-assigned once the Zone is deleted.
Zone Conflicts
When creating Zones, it is necessary for each zone to have a unique Network ID to avoid routing conflicts within the Overlay.
Internal Microsegment Network IDs set at the Policy Group level also need to be unique so that there are not conflicts between Microsegments and Zones.
Full Zones
If a Zone is full, it means it has been fully allocated with Edges within it. For example, the Default Zone has a CIDR of /29 meaning it can have 3 Hosts (ie. Edges) within it. However, if more Edges are added into the Zone, they will be rejected. Most of these changes will be rejected; a few examples include:
- Moving an Edge into a Policy Group, that has a Full Zone
- Moving a Policy Group (with Edges) into a full Zone
_-_Reject.gif?table=block&id=e6ab4e84-bedd-469d-a254-0a59b53a6a85&cache=v2)
- Reducing the Size of a Zone to have less available hosts than Edges already in the Zone
- Deleting a Zone, meaning the Policy Groups (thus Edges) revert to the Default Zone, but the Default Zone is Full
- Deleting a Policy Group and the Edges being moved into the Default Policy Group, but the Default Policy group is a part of a Zone that is full
Last updated on October 11, 2023