diff --git a/content/en/docs/control-center/entitlements/approval-requests.md b/content/en/docs/control-center/entitlements/approval-requests.md index 9f7baed02b5..fa668f387b8 100644 --- a/content/en/docs/control-center/entitlements/approval-requests.md +++ b/content/en/docs/control-center/entitlements/approval-requests.md 
@@ -13,30 +13,48 @@ This feature is in Public Beta. For more information, see [Release Status](/rele ## Introduction -The **Approval Requests** page allows you to manage all approval requests created for your company. +The **Approval Requests** page allows you to manage all approval requests created for your company. +It is made up of the **Active Requests** and **Resolved Requests** tabs. -## Request Details +## Active Requests -These are the details shown for each request: +This tab displays all requests that have not yet been acted upon, with the following details for each request: -* **Submitted On** – The date when the request was submitted. -* **App Name** – The name of the app for which the request is submitted. -* **Environment** – The app environment for which the request is submitted. -* **Request Type** – The type of request being submitted. - The only available option is **Plan Upgrade**. -* **Production** – This column displays a green checkmark if the environment for which the request is submitted is production. -* **Current Plan** – The plan that the environment is currently on. -* **Requested Plan** – The plan that the environment should be moved to. -* **Status** – The current status of the request, which can be one of the following: +* **Request ID** – The unique identification code of the request. +* **Request Type** – The type of request being submitted, which can be one of the following: + + * **Plan Upgrade** + * **Private Connectivity** + +* **Requester** – The name of the person who made the request. +* **Requested Date** – The date when the request was submitted. +* **Actions** – Allows you to **Reject** or **Approve** the request. + Click the **Details** button next to the request to access further details, such as the request description, and the environment for which the request was made. + +You can filter requests by status and type. 
+ +## Resolved Requests + +This tab displays all requests that have been acted upon, with the following details for each request: + +* **Request ID** – The unique identification code of the request. +* **Request Type** – The type of request being submitted, which can be one of the following: + + * **Plan Upgrade** + * **Private Connectivity** + +* **Requester** – The name of the person who made the request. +* **Requested Date** – The date when the request was submitted. +* **Status** – The status of the request, which can be one of the following: - * **Pending Approval** * **Approved** * **Canceled** * **Rejected** * **Expired** -* **Action** – Click the **Details** button next to the request to access further details, such as the cost of the plan change and the reason for the request. -You can filter requests by status and type. +* **Reviewer** – The name of the person who reviewed and approved, canceled, or rejected the request. +* **Resolved Date** – The date when the request was acted upon, and its status was changed. +* **Action** – Click the **Details** button next to the request to access further details, such as the request description, and the environment for which the request was made. ## Approving a Request diff --git a/content/en/docs/control-center/security/private-connectivity/_index.md b/content/en/docs/control-center/security/private-connectivity/_index.md new file mode 100644 index 00000000000..82ca0f1d69c --- /dev/null +++ b/content/en/docs/control-center/security/private-connectivity/_index.md 
@@ -0,0 +1,84 @@ +--- +title: "Private Connectivity" +linktitle: "Private Connectivity" +url: /control-center/private-connectivity/ +description: "Describes the Private Connectivity section in the Mendix Control Center." +weight: 30 +--- + +## Introduction + +The **Private Connectivity** page allows you to view and manage your company's Private Connectivity assets: networks, agents, resources, and connections. + +## Use Cases + +Many apps running on Mendix Cloud have integrations with external resources, such as databases, services, and other applications. Some of these resources are public, accessible via the public internet. Others are running on your internal networks, either on-premises or on cloud infrastructure, as PaaS/SaaS. You can connect to these resources over the public internet as well, [securing](/developerportal/deploy/securing-outgoing-connections-from-your-application/) them with HTTPS, a reverse proxy, and client certificates. This scenario requires you to expose your internal resource to the public internet. However, due to security, compliance, or legacy reasons, not everyone wants to or is able to do this. + +Mendix Cloud Private Connectivity helps you securely and privately connect your Mendix apps to your internal resources. This means that the connection will not go over the public internet, but through a private tunnel between your Mendix apps and your own infrastructure. This can be an on-premises data center or a cloud infrastructure, such as AWS, Azure or GCP. You can also connect multiple networks running on different infrastructures. + +Mendix Cloud Private Connectivity only supports outgoing connections, meaning connections that are initiated from your Mendix apps towards resources on your own infrastructure. You will not be able to connect to your Mendix Cloud apps from an external client over the private tunnel. 
+ +Private Connectivity allows you to securely and privately perform actions such as the following, without exposing internal resources to the public internet: + +* Retrieving data from a Microsoft SQL database on Azure into your Mendix app +* Connecting to a Kafka broker running on your own AWS account +* Connect to an SAP system running on your on-premises data center + +## Tailscale {#private-connectivity-tailscale} + +Mendix partners with [Tailscale](https://tailscale.com) to offer Private Connectivity. Tailscale is a recognized leader in secure networking, providing a secure, private mesh network solution built on the high-performance and modern cryptography of the WireGuard® protocol. Mendix generates all the assets required to create a private connection on the Tailscale platform. Neither Tailscale nor Mendix can access the data that is sent over the Tailscale network. All traffic is [encrypted](https://tailscale.com/kb/1504/encryption) end-to-end, with separate keys and public key infrastructure for each network. + +## Architecture {#private-connectivity-architecture} + +The following sections provide an overview of the components which make up the Private Connectivity architecture. + +### Networks + +Mendix has an enterprise account with Tailscale. Within the Mendix-owned Tailscale account, Mendix creates a dedicated network for you. You can have multiple networks if you want to, for example, isolate production traffic from non-production traffic. + +### Agents + +Next, you need to install agents on your own infrastructure. These agents are connectivity tools that initiate an outgoing connection to the network Mendix created for you. + +Agents require authentication keys that are managed on the Mendix platform, and can only connect to the network to which their authentication key is linked. +Agents can be installed directly on the network which hosts the resources to which you want to connect. 
Alternatively, they can be installed on a separate network from where they have access to the resources. + +An agent can connect to only one network, but you can install multiple agents that connect to the same network. For example, you can install an agent in your on-premises data center and another agent in your AWS account, so that your Mendix apps can connect to resources on both infrastructures. + +### Resources + +Once agents are installed, you need to use them to expose resources. These resources are subnets of a network. They are available through the agent, and not through the public internet. + +Resources exposed via agents must always be enabled on the Mendix platform before they can be connected to from your Mendix apps. This gives you full control over what resources are accessible. + +### Connections + +Once resources are exposed and enabled, you can add connections. Connections link a specific app environment to a specific resource. + +Connections must be requested. Only if they are approved can a Mendix app connect to the resource on the other side of the connection. This four-eye principle allows for governance over your connections, giving you full control over what app environment can access what resource. Approved connections can be disabled at any time, retracting access from the app environment to the resource. + +You can add multiple connections for each app environment, giving them access to resources on your on on-premises data center, as well as to resources on your AWS account. + +Mendix installs a Tailscale agent in the app container of each app environment with one or more approved connections. As the Tailscale agent is running inside the app container, only that specific app can access your network and approved connections. + +## Frequently Asked Questions {#private-connectivity-faq} + +### Does Mendix or Tailscale have access to my data? + +No. 
All data going over the Tailscale network is [encrypted](https://tailscale.com/kb/1504/encryption) end-to-end, with separate keys and public key infrastructure for each network. Neither Tailscale nor Mendix can access the data that is sent over the Tailscale network. + +### Is Tailscale SOC2-compliant? + +Yes, Tailscale has completed an [SOC 2 Type II certification](https://tailscale.com/security). + +### Do I need to sign up for my own Tailscale account? + +No, you do not need to sign up for a Tailscale account yourself. All assets required for Mendix Cloud Private Connectivity are created within the Mendix Tailscale account. This is similar how we create all resources required to run your apps on Mendix Cloud in the Mendix AWS account. + +### Can I connect my existing Tailscale networks? + +At this time, it is not possible to connect to an existing Tailnet if you are an existing Tailscale customer. + +## Resources + +For information on how to configure and use Mendix Private Connectivity, refer to [Configuring and Using Private Connectivity](/control-center/configure-private-connectivity/). \ No newline at end of file diff --git a/content/en/docs/control-center/security/private-connectivity/configure-private-connectivity.md b/content/en/docs/control-center/security/private-connectivity/configure-private-connectivity.md new file mode 100644 index 00000000000..a477125967b --- /dev/null +++ b/content/en/docs/control-center/security/private-connectivity/configure-private-connectivity.md 
@@ -0,0 +1,458 @@ +--- +title: "Configuring and Using Private Connectivity" +linktitle: "Configuring and Using Private Connectivity" +url: /control-center/configure-private-connectivity/ +description: "Describes the configuration steps of Private Connectivity in the Mendix Control Center." +weight: 1 +--- +## Introduction + +To connect from a Mendix app to a resource on your internal network, you need to follow these steps: + +1. Add a network. This is done on the Mendix platform. +2. Add an agent. This is done on the Mendix platform. +3. Install an agent. This is done on your internal infrastructure. +4. Run the agent. This is done on your internal infrastructure. +5. Expose resources. This is done on the Mendix platform. +6. Enable resources. This is done on the Mendix platform. +7. Request a connection. This is done on the Mendix platform. +8. Approve the connection. This is done on the Mendix platform. +9. Configure DNS (optional). This is done on the Mendix platform. + +The following sections provide details on each of the steps. + +## Networks {#private-connectivity-networks} + +Mendix Private Connectivity networks are the bridge between Mendix Cloud and your own infrastructure. You need at least one network to be able to connect from a Mendix app to your own infrastructure. You can, however, create multiple networks, for example, to isolate your production traffic from non-production traffic. + +On the **Networks** tab of the **Private Connectivity** page, you can see all the networks associated to your company. The page shows the following information for each network: + +* **Network** – The name of the network. +* **External Agents** – The number of agents that are installed on your internal infrastructure, and that are connected to the network. +* **Environments** – The number of app environments on Mendix Cloud that have at least one connection using the network. 
+* **Actions** – A list of actions that you can take on the network: + + * **Details** + * **Add DNS** + * **Add Agent** + * **Edit** + * **Delete** + +### Adding a Network {#private-connectivity-networks-add} + +To add a new network for your company, follow these steps: + +1. On the **Private Connectivity** page, click one of these buttons, depending on your scenario: + + * If you do not yet have any networks, click **Create a Network** to launch the network wizard. + * If you already have a network, click **Add Network** on the **Networks** tab. + +2. Read through the **Instructions** tab of the wizard, which contains a short summary of the steps required to connect from a Mendix app to a resource on your network, then click **Next**. +3. On the **Create Network** tab, provide a descriptive and recognizable name for your new network, then click **Create**. +4. On the **Add Agent** tab, provide a descriptive and recognizable name for the new agent, then click **Add**. + Refer to [Adding an Agent](#private-connectivity-agents-add) for details. + +Your network and agent are now added. You can continue with [installing the agent](#private-connectivity-agents-install) on your infrastructure and [configuring the DNS](#private-connectivity-networks-dns) for your network. + +### Viewing and Editing Networks {#private-connectivity-networks-details} + +To view and edit an existing network, follow these steps: + +1. On the **Networks** tab, find the network for which you want to view details, or that you want to edit. +2. Click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}). +3. Select **Details**. The details of that network are displayed: + + * **Network** – The name you gave to the network. This field is editable. + * **Network ID** – The internal ID of your network. You can copy this, for example, if you want to provide it in a support ticket for any issues with the network. 
+ * **External Agents** – A list of all external agents that run on your own internal infrastructure, and that have access to the network. + This field also displays the status of each agent. + * **DNS Details** – A list of domains for which you have [configured DNS](#private-connectivity-networks-dns). + * **Environment Details** – A list of app environments that are using the network to connect to a resource, as well as the environment's status. + * **Show Logs** – This allows you to see [the flow logs](https://tailscale.com/kb/1219/network-flow-logs) for your network. They can help you troubleshoot issues with connectivity on your network. + +4. Click **Save** to save any changes you have made. + +### Configuring DNS for your Network {#private-connectivity-networks-dns} + +If your Mendix app connects to external resources, you probably want to do this using host names. DNS (Domain Name System) servers, also known as nameservers, translate a host name, like `www.mendix.com` to an IP address, like `192.168.1.1`. If the DNS record with that translation is on a public nameserver, Mendix apps can access those by default with no issues. However, if you want to connect to a private host name, like `mydatabase.myinternalnetwork.net`, where the DNS record for this host name is stored on a private nameserver, your Mendix app will not be able to resolve the host name to an IP address, thus making the host inaccessible for the Mendix application. + +With Mendix Cloud Private Connectivity, you can configure your network to use restricted nameservers for specific domains. Using a restricted nameserver is also known as split DNS. If you configure an internal nameserver for a domain, for example `myinternalnetwork.net`, any DNS request for host names within that domain, for example `mydatabase.myinternalnetwork.net`, will be forwarded to the configured nameserver. There, the host name will be resolved to an IP address. 
This will allow you to use internal host names to connect to resources on your internal infrastructure, without having to add the DNS records for those internal resources on a public DNS server. + +To configure split DNS for a new domain on your network, follow these steps: + +1. Click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}) for a network, then select **Add DNS**. +2. In the **Edit DNS** dialog box, click **Add New Domain**. +3. Provide the following information: + + * **Domain** – Provide the domain for which the nameservers should be used, such as `myinternalnetwork.net`. + * **Nameservers** – Provide the IP address of the nameserver to use to resolve DNS queries for the provided domain. You can add multiple nameserver IP addresses for high availability. + +4. Click **Save** to save changes. + +To remove split DNS for a domain on your network, follow these steps: + +1. Click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}) for a network, then select **Add DNS**. +2. In the **Edit DNS** dialog box, find the domain for which you want to remove the DNS, then click **Delete Domain**. +3. Confirm that you want to delete the domain. + +To add a nameserver for a domain that you have already added to your network, follow these steps: + +1. Click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}) for a network, then select **Add DNS**. +2. In the **Edit DNS** dialog box, find the domain you want to add a nameserver for, then click **Add New Nameserver**. +3. Provide the following information: + + * **Nameservers** – Provide the IP address of the nameserver to use to resolve DNS queries for the provided domain. You can add multiple nameserver IP addresses for high availability. + +4. Click **Save** to save changes. + +To remove a nameserver for a domain that you have already added to your network, follow these steps: + +1. 
Click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}) for a network, then select **Edit DNS**. +2. In the **Edit DNS** dialog box, find the domain that you want to delete a nameserver for. +3. Click **Delete Nameserver** for the nameserver you want to delete. +4. Confirm that you want to delete the nameserver. + +### Deleting Networks {#private-connectivity-networks-delete} + +To delete a network, follow these steps: + +1. On the **Networks** tab, find the network that you want to delete. +2. Click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}), then select **Delete**. +3. Confirm that you want to delete the network. + +When you delete a network, the following actions also occur: + +* All agents connected to that network are deleted. +* The agents' authentication keys are revoked. +* All resources exposed through the agents and all connections to those resources are removed. +* Approved connections are broken immediately. + +{{% alert color="warning" %}} +When you delete a network, agents that are connected to your infrastructure are not uninstalled. +Refer to the instructions for [uninstalling an agent](#private-connectivity-agents-uninstall). +{{% /alert %}} + +## Agents {#private-connectivity-agents} + +To connect your infrastructure to your Mendix Private Connectivity networks, you need agents. +At least one agent is necessary to be able to connect from a Mendix app to your infrastructure, but you can connect multiple agents to each network. + +On the **Agents** tab of the **Private Connectivity** page, you can see all the agents associated to your company. The page displays the following information for each agent: + +* **Agent** – The name of the agent. +* **Network** – The network to which the agent is connected. +* **Resources** – The number of resources exposed through the agent. 
+* **Status (Last seen)** – The status of the agent, or the last time it was connected to the network: + + * **Connected** – The agent is currently connected to the network. + * Date and time – The last time the agent was connected to the network. The agent is not connected at this time. + +### Adding an Agent {#private-connectivity-agents-add} + +You can only add agents if you have at least one network. Refer to [Adding a Network](#private-connectivity-networks-add) to create a network if you have not done so already. + +To add a new agent to a network, follow these steps: + +1. Launch the agent wizard by choosing one of the following options: + + * On the **Networks** tab, select a network to which you want to add an agent, then click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}), and select **Add Agent**. + * On the **Agents** tab, click **Add Agent**. +2. On the **Add Agent** tab, select the network to which you want to add the agent. +3. Provide a descriptive and recognizable name for the agent. +4. Select the infrastructure type for your agent. +5. Click **Create**. + +Your agent is now added. You can continue with [installing the agent](#private-connectivity-agents-install) in your own infrastructure. + +### Viewing and Editing Agents {#private-connectivity-agents-details} + +To view and edit an existing agent, follow these steps: + +1. On the **Agents** tab, find the agent for which you want to view details, or that you want to edit. +2. Click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}), then select **Details**. The details of that agent are displayed: + + * **Agent Name** – The name you gave to the agent. This field is editable. + * **Agent ID** – The internal ID of your agent. You can copy this, for example, if you want to provide it in a support ticket for any issues with the agent. + * **Agent Key** – The authentication key of your agent. 
You can copy this authentication key for use when [starting an agent](#private-connectivity-agents-run). + This key should be treated as confidential. + * **Network** – The network to which the agent is connected. + * **Status (Last seen)** – The status of the agent, or the last time it was connected to the network: + + * **Connected** – The agent is currently connected to the network. + * Date and time – The last time the agent was connected to the network. The agent is not connected at this time. + + * **Resource Details** – A list of the resources exposed via the agent. + * **DERP Details** – Information on the preferred Tailscale [Designated Encrypted Relay for Packets (DERP) server](https://tailscale.com/kb/1232/derp-servers). + +3. Click **Save** to save any changes you have made. + +### Deleting an Agent {#private-connectivity-agents-delete} + +To delete an existing agent, follow these steps: + +1. On the **Agents** tab, find the agent that you want to delete. +2. Click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}), then select **Delete**. +3. Confirm that you want to delete the agent. + +When you delete an agent, the following actions occur automatically: + +* The agent's authentication key is revoked. +* All resources exposed through the agent and all connections to those resources are removed. +* Approved connections are broken immediately. + +{{% alert color="warning" %}} +Deleting an agent does not uninstall the agent from your own infrastructure. +Refer to the instructions for [uninstalling an agent](#private-connectivity-agents-uninstall). +{{% /alert %}} + +### Installing an Agent on your Infrastructure {#private-connectivity-agents-install} + +To establish a connection between your network and your infrastructure, you must install an agent on this infrastructure. Installing an agent is typically done by your internal IT department, Infra department, or Network team. 
+ +#### Installing an Agent on a Windows Server {#private-connectivity-agents-install-windows} + +To install an agent on a Windows server, follow these steps: + +1. Access the [Tailscale Download page](https://tailscale.com/download/windows). +2. Select **Windows**, then click **Download Tailscale for Windows**. +3. Once the Tailscale installer for Windows is downloaded, run the installer to install the agent. + +Continue with [starting the agent](#private-connectivity-agents-run). + +#### Installing an Agent on a Linux Server {#private-connectivity-agents-install-linux} + +To install an agent on a Linux server, run the following script on the server where you want to install the agent: + +```bash Linux +curl -fsSL https://tailscale.com/install.sh | sh +``` + +Alternatively, open the [Tailscale Download page for Linux](https://tailscale.com/download/linux) for instructions on manually installing the Tailscale agent on your specific Linux distribution. + +Continue with [starting the agent](#private-connectivity-agents-run). + +### Starting an Agent on your Infrastructure {#private-connectivity-agents-run} + +Once you have installed your agent, you can start the agent and connect to your network. To do this, you need an authentication key, which was created when you [added the agent](#private-connectivity-agents-add). You can find and copy the authentication key for your agent on [the agent details page](#private-connectivity-agents-details). + +To start an agent and to connect it to your network, run the following script on the machine where the agent is installed. +You need to replace `AUTH_KEY` with the authentication key of your agent. + +``` +tailscale up --auth-key= +``` + +### Uninstalling an Agent on your Infrastructure {#private-connectivity-agents-uninstall} + +After [deleting an agent](#private-connectivity-agents-delete), you can uninstall it from your infrastructure. 
Uninstalling an agent is typically done by your internal IT department, Infra department, or Network team. + +#### Uninstalling an Agent on a Windows server {#private-connectivity-agents-uninstall-windows} + +Tailscale for Windows can be uninstalled like any Windows app, by using the Windows Control Panel: + +1. Go to **Settings**, then to **Apps**. +2. Find **Tailscale**, then press the **Uninstall** button. + +If you want to completely delete Tailscale, destroying any state or local information, you can also remove the files at the following paths: + +* `C:\ProgramData\Tailscale` +* `C:\Users\%USERNAME%\AppData\Local\Tailscale` +* `C:\Windows\System32\config\systemprofile\AppData\Local\Tailscale` + +The path under `System32` was only used in older versions of the Tailscale client, and may not be present on your system. + +#### Uninstalling an Agent on a Linux server {#private-connectivity-agents-uninstall-linux} + +You can uninstall Tailscale by using the uninstall command of the package manager you used to install the binary in the first place. + +* For all Ubuntu and Debian versions, uninstall using `apt-get`: + + ```bash Linux + sudo apt-get remove tailscale + ``` + +* For CentOS 7 and Amazon Linux 2, uninstall using `yum`: + + ```bash Linux + sudo yum remove tailscale + ``` + +* For openSUSE Leap 15.1, 15.2, and openSUSE Tumbleweed, uninstall using `zypper`: + + ```bash Linux + sudo zypper rm tailscale + ``` + +* For CentOS 8, CentOS Stream 9, RHEL 8, and Fedora, uninstall using `dnf`: + + ```bash Linux + sudo dnf remove tailscale + ``` + +If you want to completely delete Tailscale, destroying any state or local information, you can also remove the file at the following path: `/var/lib/tailscale/tailscaled.state`. + +## Resources {#private-connectivity-resources} + +Resources are services, such as databases or applications, on your infrastructure that are exposed via your agents and that are accessible via your networks. 
Mendix apps can be connected to these resources. + +On the **Resources** tab of the **Private Connectivity** page, you can see all the exposed resources of your company. +The page displays the following information for each resource: + +* **Resource** – The name of the resource. +* **Agent** – The name of the agent that exposes the resource. +* **Network** – The name of the network to which the agent exposing the resource is connected. +* **Status** – The status of the resource. This can be one of the following: + + * Enabled – Technical Contacts can request connections to the resource. + * Disabled – Technical Contacts cannot request connections to the resource. + +* **Environments** – The number of app environments on Mendix Cloud that have an approved connection to the resource. + +### Viewing and Editing Resources {#private-connectivity-resources-details} + +To view and edit a resource, follow these steps: + +1. On the **Resources** tab, find the resource for which you want to view details, or that you want to edit. +2. Click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}), then select **Details**. + The details of that resource are displayed: + + * **Resource Name** – The name you gave to the resource. This field is editable. + * **Resource ID** – The internal ID of your resource. You can copy this, for example, if you want to provide it in a support ticket for any issues with the agent. + * **Resource Type** – The type of resource, which can be: + + * **Route** – The resource is an exposed subnet route. + + * **Route** – The exposed IP range. This is only displayed if the resource type is **Route**. + * **Agent** – The name of the agent that exposes the resource. + * **Network** – The name of the network to which the agent exposing the resource is connected. + * **Status** – The status of the resource. This can be one of the following: + + * **Enabled** – Users can request connections to the resource. 
+ * **Disabled** – Users cannot request connections to the resource. + + * **Environment Details** – A list of app environments that have an approved connection to the resource. + +3. Click **Save** to save any changes you have made. + +### Exposing Resources {#private-connectivity-resources-expose} + +Before you can connect to resources running on your own infrastructure, you have to expose these resources through an agent. This requires you to install an agent on the machine running the resource, or on a machine that has access to the resource. + +Mendix Cloud Private Connectivity currently supports exposing physical [subnet routes](https://tailscale.com/kb/1019/subnets) to your network via an agent. You can expose a single IP range, such as `192.0.2.0/24`, or multiple IP ranges separated by a semicolon, such as `192.0.2.0/24,198.51.100.0/24`. + +#### Exposing Subnet Routes on a Windows server {#private-connectivity-resources-expose-routes-windows} + +To expose subnet routes for an agent that is already running, run the following script on the machine where the agent is installed. +Replace `IP_RANGE` with the IP ranges you want to expose: + +```shell Windows +tailscale set --advertise-routes= +``` + +You can also configure the exposed subnet routes when starting the agent. +In that case, use the following script, replacing `AUTH_KEY` with the authentication key of your agent, and `IP_RANGE` with the IP ranges you want to expose: + +```shell Windows +tailscale up --auth-key= --advertise-routes= +``` + +#### Exposing Subnet Routes on a Linux server {#private-connectivity-resources-expose-routes-linux} + +To expose subnet routes for an agent on a Linux server, follow these steps: + +1. [Enable IP forwarding](https://tailscale.com/kb/1019/subnets?tab=linux#enable-ip-forwarding) +2. 
Run the following script on the machine where the agent is installed, and replace `IP_RANGE` with the IP ranges you want to expose: + + ```shell Linux + sudo tailscale set --advertise-routes= + ``` + +You can also configure the exposed subnet routes when starting the agent. In that case, use the following script, replacing `AUTH_KEY` with the authentication key of your agent, and `IP_RANGE` with the IP ranges you want to expose: + +```shell Linux +sudo tailscale up --auth-key= --advertise-routes= +``` + +### Enabling and disabling Resources {#private-connectivity-resources-enable-disable} + +Once resources are [exposed](#private-connectivity-resources-expose), they must be enabled by a Mendix Admin. Users can only request connections to resources once they have been enabled. + +To enable a resource, follow these steps: + +1. On the **Resources** tab, find the resource you want to enable. +2. Click **Enable**. + +To disable a resource, follow these steps: + +1. On the **Resources** tab, find the resource you want to disable. +2. Click **Disable**. + +## Connections {#private-connectivity-connections} + +Mendix Private Connectivity connections allow applications on Mendix Cloud to connect to Mendix Private Connectivity resources over Mendix Private Connectivity networks. +A connection has to be requested and approved before an application on Mendix Cloud can connect to the resource. +An application on Mendix Cloud can have multiple connections to multiple resources. + +On the **Connections** tab of the **Private Connectivity** page, you can see all the connections associated to your company. The page displays the following information for each connection: + +* **App** – The name of the app for the connection. +* **Environment** – The name of the environment for the connection. +* **Network** – The network for the connection. +* **Resource** – The name of the resource for the connection. +* **Status** – The status of the connection. 
This can be one of the following: + + * **Pending** – The connection was requested, but not yet approved. The app environment cannot connect to the resource using this connection. + * **Approved** – The connection is approved. The app environment can connect to the resource using this connection. + * **Rejected** – The connection is rejected. The app environment cannot connect to the resource using this connection. + + For details on how Technical Contacts request connections for a specific environment, refer to [Connecting to External Resources](/developerportal/deploy/connecting-to-external-resource/). + +### Viewing Connection Details {#private-connectivity-connections-details} + +To view an existing connection, follow these steps: + +1. On the **Connections** tab, find the connection for which you want to view details. +2. Click **More Options** ({{< icon name="three-dots-menu-horizontal" >}}), then select **Details**. The details of that connection are displayed: + + * **Request Details** – The details of the connections request: + + * **Name** – The name of the user that requested this connection. + * **Status** – The status of the connection request. This can be one of the following: + + * **Pending** – The connection was requested, but not yet approved. The app environment cannot connect to the resource using this connection. + * **Approved** – The connection is approved. The app environment can connect to the resource using this connection. + * **Rejected** – The connection is rejected. The app environment cannot connect to the resource using this connection. + + * **Date** – The date and time when the connection was requested. + + * **App** – The name of the app for the connection. + * **Environment** – The name of the environment for the connection. + * **Network** – The network for the connection. + * **Resource** – The name of the resource for the connection. + * **Resource ID** – The internal ID of your resource. 
You can copy this, for example, if you want to provide it in a support ticket. + * **Agent** – The name of the agent for the connection. + * **Agent ID** – The internal ID of the agent. You can copy this, for example, if you want to provide it in a support ticket. + * **Network** – The name of the network for the connection. + * **Network ID** – The internal ID of the network. You can copy this, for example, if you want to provide it in a support ticket. + +## Approving and Rejecting Connections {#private-connectivity-connections} + +Once a connection is requested, it must be approved before the app environment can connect to the resource. + +To approve a connection, follow these steps: + +1. On the **Connections** tab, find the connection you want to enable. +2. Click **Approve**. + +{{% alert color="warning" %}} +If this is the first connection that is approved for an app environment, the Technical Contact must [redeploy](/developerportal/deploy/mendix-cloud-deploy/deploying-an-app/) the environment to be able to use the connection. +{{% /alert %}} + +To disable a connection, follow these steps: + +1. On the **Connections** tab, find the connection you want to disable. +2. Click **Reject**. + +## Activities + +On the **Activities** tab, you can view a log of activities performed on your Private Connectivity assets. diff --git a/content/en/docs/control-center/security/set-up-sso-byoidp.md b/content/en/docs/control-center/security/set-up-sso-byoidp.md index 44e1e41bbfc..f614f2f5daf 100644 --- a/content/en/docs/control-center/security/set-up-sso-byoidp.md +++ b/content/en/docs/control-center/security/set-up-sso-byoidp.md @@ -1,7 +1,7 @@ --- title: "Setting Up an SSO (BYOIDP)" url: /control-center/security/set-up-sso-byoidp/ -weight: 30 +weight: 40 description: "Describes how you can use your company IdP to authenticate to Mendix." aliases: - /developerportal/control-center/set-up-sso-byoidp/ 
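Review bot: the delimiter in the Exposing Resources section is wrong and the commands beneath it have lost their placeholders: the text says multiple IP ranges are "separated by a semicolon" while the example `192.0.2.0/24,198.51.100.0/24` and the `--advertise-routes` flag use commas, and all four commands read `--advertise-routes=` (and `--auth-key=`) with nothing after the `=`, so there is no `IP_RANGE` or `AUTH_KEY` token for the reader to replace as the prose instructs. Suggest `tailscale set --advertise-routes=IP_RANGE` and `tailscale up --auth-key=AUTH_KEY --advertise-routes=IP_RANGE` so the placeholders survive rendering. Two further points in the same hunk: `{#private-connectivity-connections}` is attached to both `## Connections` and `## Approving and Rejecting Connections`, so the second heading's anchor collides with the first and cross-references will land on the wrong section; and the steps under the latter heading say "find the connection you want to enable" and "To disable a connection" although the buttons are **Approve** and **Reject** (rejecting an already approved connection is the revocation the Connecting to External Resources page describes, which is worth stating explicitly here). Finally, two practitioner caveats deserve a sentence: advertising a range such as `192.0.2.0/24` makes every address in it reachable by approved environments, so readers should advertise the narrowest prefix the resource needs; and passing the auth key on the command line leaves it in shell history, so recommend reading it from a file with `--auth-key=file:/path/to/key` where the agent version supports it.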
diff --git a/content/en/docs/deployment/mendix-cloud-deploy/connecting-external-resources.md b/content/en/docs/deployment/mendix-cloud-deploy/connecting-external-resources.md new file mode 100644 index 00000000000..e6d4b5b55c7 --- /dev/null +++ b/content/en/docs/deployment/mendix-cloud-deploy/connecting-external-resources.md 
@@ -0,0 +1,107 @@ +--- +title: "Connecting to External Resources" +url: /developerportal/deploy/connecting-to-external-resource/ +weight: 80 +description: "How to connect to external resource using private connectivity" +beta: true + +#If moving or renaming this doc file, implement a temporary redirect and let the respective team know they should update the URL in the product. See Mapping to Products for more details. +--- + +{{% alert color="warning" %}} +This feature is in Public Beta. For more information, see [Release Status](/releasenotes/release-status/). +{{% /alert %}} + +## Introduction + +[Mendix Cloud Private Connectivity](/control-center/private-connectivity/) enables your Mendix applications to securely and privately connect to internal resources, whether they are on-premises or in the cloud. This ensures that the connection bypasses the public internet and instead goes through a private tunnel, enhancing security and compliance. + +This document guides [Technical Contacts](/developerportal/general/app-roles/#technical-contact) through the process of requesting and managing connections to external resources using Mendix Cloud Private Connectivity. + +## Prerequisites {#prerequisites} + +Before requesting a connection, the following conditions must be met: + +* You are the [Technical Contact](/developerportal/general/app-roles/#technical-contact) for the Mendix application. +* A Mendix Admin has created and configured the necessary private network in the [Control Center](/control-center/configure-private-connectivity/). This includes installing agents and exposing the specific external resource you want to connect to. + +## Connections {#connections} + +Mendix Cloud Connect Connections allow applications on Mendix Cloud to connect to Mendix Cloud Connect Resources over Mendix Cloud Connect Networks. 
Each connection request must be initiated by a Technical Contact and approved by a Mendix Admin before the application on Mendix Cloud can connect to the Resource. + +An application on Mendix Cloud can establish multiple connections to various resources. You can view and manage all connections and their statuses within the [Connections](/developerportal/deploy/environments-details/#connections) section on the application's **Network** tab. + +{{% alert color="info" %}} +An application environment can only be connected to a single private network at a time. This means that all external resources you connect to from an application environment must be on the same private network. +{{% /alert %}} + +### Requesting a New Connection {#connection-request} + +As a Technical Contact, you can request a new connection from your application environment to an approved external resource. + +Follow these steps to request a new connection: + +1. From [Apps](https://sprintr.home.mendix.com), go to the app's **Environments** page. +2. Click **Details** ({{% icon name="notes-paper-edit" %}}) on the preferred environment. +3. Go to the **Network** tab. +4. In the **Connections** section, click **Add** to initiate a new connection request. +{{% alert color="info" %}} +Contact your Mendix Admin if the resource you want is not available on the list. +{{% /alert %}} + +5. In the **Add Connection** dialog, select an available network. This action displays the resources exposed on that network. +{{% alert color="info" %}} **Network Selection Behavior** + +* If your application environment already has an active connection, the network associated with that connection will be automatically selected and cannot be changed unless all existing connections are deleted. +* If only one private network is available for your application, it will be automatically selected. +{{% /alert %}} + +6. Select the specific resource you want your application environment to connect to. +7. 
Click **Send Request** to submit your connection request for approval. All submitted connection requests appear in the [Control Center](/control-center/configure-private-connectivity/) for the Mendix Admin review. +8. [Track and manage](#manage-connection-requests) your connection requests from the [Connections](/developerportal/deploy/environments-details/#connections) section on the application's **Network** tab. + +{{% alert color="info" %}} +If this is the first connection approved for an application environment, you must redeploy that environment for the connection to become active and usable. +{{% /alert %}} + +### Connection Request Status + +This diagram shows the progress of the request status from when the connection request is submitted to when it is completed (approved or rejected): + +{{< figure src="/attachments/deployment/mendix-cloud-deploy/connecting-to-external-services/connection-request-status-flow.png" alt="Flowchart illustrating the lifecycle of a Mendix Cloud Private Connectivity request, showing stages like 'Pending Approval', 'Mendix Admin Review', 'Approved', and 'Rejected'." >}} + +Once a Technical Contact submits a connection request, it enters a **Pending Approval** status. The request is then sent to a Mendix Admin for review: + +* If the Mendix Admin rejects the request, its status becomes **Rejected**. +* If the Mendix Admin approves the request, its status becomes **Approved**, and the connection becomes active. +* A Mendix Admin can also revoke an already approved connection, which will change its status back to **Rejected**. + +The connection status is visible in the **Connections** section of the **Network** tab. + +## Managing Connections {#manage-connection-requests} + +The [Connections](/developerportal/deploy/environments-details/#connections) section on the application's **Network** tab allows Technical Contacts to view all connections for the environment, track pending request statuses, and delete established connections. 
+ +Depending on the connection's status, you can perform the following actions: + +### Cancelling a Connection Request {#cancel-connection} + +As a Technical Contact, you can cancel a connection request if its status is **Pending Approval**. + +To cancel a pending connection request: + +1. On the [Connections](/developerportal/deploy/environments-details/#connections) section of the Network tab, locate the connection request with the status **Pending Approval**. +2. Click **Cancel Request** next to that connection. + +### Deleting a Connection + +After a connection request is approved, you can delete the connection at any time. + +To delete an approved connection: + +1. On the [Connections](/developerportal/deploy/environments-details/#connections) section of the **Network** tab, locate the approved connection you want to remove. +2. Click **Delete** next to that connection. + +{{% alert color="info" %}} +Deleting a connection immediately breaks the connection between your application environment and the resource. +{{% /alert %}} diff --git a/content/en/docs/deployment/mendix-cloud-deploy/environments-details.md b/content/en/docs/deployment/mendix-cloud-deploy/environments-details.md index 60e38fa5306..7fc00274634 100644 --- a/content/en/docs/deployment/mendix-cloud-deploy/environments-details.md +++ b/content/en/docs/deployment/mendix-cloud-deploy/environments-details.md 
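Review bot: the Connections section of this new page names the product inconsistently: "Mendix Cloud Connect Connections ... Mendix Cloud Connect Resources over Mendix Cloud Connect Networks", while the title, introduction and every link say Mendix Cloud Private Connectivity; use the latter throughout. Status and action vocabulary also diverges from the Control Center page in the same patch: this page uses **Pending Approval** and says a Mendix Admin can "revoke" an approved connection, changing its status "back to **Rejected**", whereas the Control Center page lists **Pending** and offers a **Reject** button; pick one vocabulary, and drop "back to" since the connection was never Rejected before. In the request procedure, both info alerts sit between numbered steps without indentation, which in Hugo markdown terminates the list and restarts numbering at step 5; indent them under the step they belong to, and move "Contact your Mendix Admin if the resource you want is not available on the list" after step 6, because the resource list only appears once a network is selected in step 5. Under Prerequisites, add that the resource must also be **Enabled** by the Mendix Admin, since the Control Center page states users can only request connections to enabled resources. Lastly, "the connection becomes active" on approval contradicts the note a few lines above that the first approved connection requires a redeploy; say it becomes usable after the environment is redeployed.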
@@ -218,6 +218,24 @@ For more information, see [Scheduled Events](/refguide/scheduled-events/). On the **Network** tab, you can manage the elements described below. +### Connections {#connections} + +You can connect from your applications on Mendix Cloud to resources on your own infrastructure using Mendix Cloud Private Connectivity. + +The **Connections** tab contains the following information: + +* **Resource** – The name of the service such as databases being connected +* **Network** – The name of the network associated with the connection +* **Status (Last seen)** – The connection's current state, such as **Pending Approval**, **Approved** or **Rejected** + +You can perform the following actions for connections: + +* **Add** a new connection +* **Cancel** a connection request +* **Delete** a connection + +For more information, refer to [Connecting to External Resources](/developerportal/deploy/connecting-to-external-resource/). + ### Custom Domains {#custom-domains} * **Domain Name** @@ -560,4 +578,4 @@ One custom service is available: Mendix Event Broker. This service is required t ### Enabling Custom Services -Custom services are only available if the app's Technical Contact has enabled them. The custom services are enabled or disabled separately for each environment of each app. For more information, see [Services](/developerportal/deploy/environments/#services) in the *Environments* documentation. +Custom services are only available if the app's Technical Contact has enabled them. The custom services are enabled or disabled separately for each environment of each app. For more information, see [Services](/developerportal/deploy/environments/#services) in the *Environments* documentation. \ No newline at end of file diff --git a/content/en/docs/releasenotes/control-center/_index.md b/content/en/docs/releasenotes/control-center/_index.md index 38b89d3b01c..8132bed22c7 100644 --- a/content/en/docs/releasenotes/control-center/_index.md 
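Review bot: the column descriptions in the new Connections section need tightening: "**Resource** – The name of the service such as databases being connected" is ungrammatical (suggest "The name of the exposed resource, for example a database"), and "**Status (Last seen)**" introduces "Last seen" without saying what it shows; if the column carries a last-seen timestamp for the connection or its agent, describe it, otherwise drop the parenthetical. The first sentence of the list calls this "The **Connections** tab" although the heading places it as a section of the **Network** tab; use "section" to match the Connecting to External Resources page.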
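Review bot: the second hunk in environments-details.md changes nothing but the trailing newline (`\ No newline at end of file`); revert it so the file keeps its final newline, otherwise the next edit to this file carries the same whitespace-only churn.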
+++ b/content/en/docs/releasenotes/control-center/_index.md @@ -14,6 +14,13 @@ To see the current status of the Mendix Control Center, see [Mendix Status](http ## 2025 +### November __, 2025 + +#### New Features + +* We have introduced **Private Connectivity**, a zero-trust security infrastructure which helps you manage connections between your Mendix Cloud apps and internal resources, bypassing the public internet. It allows you to create secure networks through which your apps can safely access internal databases and services hosted on-premises or in cloud environments, without exposing them publicly. + Refer to [Private Connectivity](/control-center/private-connectivity/) for background details and architecture, then read through [Configuring and Using Private Connectivity](/control-center/configure-private-connectivity/) to learn how to create and manage your own private networks. + ### September 29, 2025 #### New Features diff --git a/content/en/docs/releasenotes/deployment/_index.md b/content/en/docs/releasenotes/deployment/_index.md index 78194b25fcb..0f5ec96ebae 100644 --- a/content/en/docs/releasenotes/deployment/_index.md +++ b/content/en/docs/releasenotes/deployment/_index.md @@ -15,7 +15,7 @@ Follow the links in the table below to see the release notes you want: | Type of Deployment | Last Updated | | --- | --- | -| [Mendix Cloud](/releasenotes/developer-portal/mendix-cloud/) | October 29, 2025 | +| [Mendix Cloud](/releasenotes/developer-portal/mendix-cloud/) | November 15, 2025 | | [Mendix on Kubernetes](/releasenotes/developer-portal/mendix-for-private-cloud/) | October 21, 2025 | | [Mendix on Azure](/releasenotes/developer-portal/mendix-on-azure/) | October 23, 2025 | | [SAP Business Technology Platform (SAP BTP)](/releasenotes/developer-portal/sap-cloud-platform/) | August 27, 2024 | diff --git a/content/en/docs/releasenotes/deployment/mendix-cloud.md b/content/en/docs/releasenotes/deployment/mendix-cloud.md index 5d301d2a798..d45792a456e 100644 
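Review bot: the heading "### November __, 2025" is a placeholder date and must be filled in before merge; the deployment release-notes table in the same patch dates the companion feature November 15, 2025, so confirm whether the Control Center entry should carry the same date. The bullet also calls the feature "a zero-trust security infrastructure", which the linked pages do not substantiate; describe what they actually document: agents that expose subnet routes on a private network, connections that a Mendix Admin must approve, and traffic that does not traverse the public internet.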
--- a/content/en/docs/releasenotes/deployment/mendix-cloud.md +++ b/content/en/docs/releasenotes/deployment/mendix-cloud.md @@ -16,6 +16,13 @@ For information on the current status of deployment to Mendix Cloud and any plan ## 2025 +### November 15, 2025 + +#### New Features + +* We have added a new beta feature in the **Network tab** of the **Environment Details** page that enables Technical Contacts to securely [connect Mendix applications to external resources](/developerportal/deploy/connecting-to-external-resource/) through [Mendix Cloud Private Connectivity](/control-center/private-connectivity/). + * From the [Connections](/developerportal/deploy/environments-details/#connections) section of the **Network** tab, Technical Contacts can now request new private connections, track the status of their pending connection requests, connect to external resources, and delete existing connections. + ### October 29, 2025 #### New Features diff --git a/layouts/partials/landingpage/latest-releases.html b/layouts/partials/landingpage/latest-releases.html index c0689a05abc..5aa07a2fa6d 100644 --- a/layouts/partials/landingpage/latest-releases.html +++ b/layouts/partials/landingpage/latest-releases.html @@ -14,6 +14,6 @@
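Review bot: in the new November 15, 2025 bullet, "request new private connections" and "connect to external resources" describe the same action and can be merged; more useful to readers is the caveat the linked page carries, that each request must be approved by a Mendix Admin and that the environment must be redeployed after its first connection is approved, so add a short clause to that effect.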

Latest Releases

  • Deployment -

    October 29, 2025

    +

    November 15, 2025

  • diff --git a/static/attachments/deployment/mendix-cloud-deploy/connecting-to-external-services/connection-request-status-flow.png b/static/attachments/deployment/mendix-cloud-deploy/connecting-to-external-services/connection-request-status-flow.png new file mode 100644 index 00000000000..c781026c0d8 Binary files /dev/null and b/static/attachments/deployment/mendix-cloud-deploy/connecting-to-external-services/connection-request-status-flow.png differ