Twingate and LightBeam Integration Guide

Overview

The guide provides step-by-step instructions for deploying Twingate and integrating it with LightBeam. It will give insights into Twingate's core components, including the Twingate Client, Twingate Cloud, and Twingate Connectors, as well as the Twingate Admin Console for centralized management. Additionally, the guide covers onboarding RDS to LightBeam on both EKS and EC2 instances, along with troubleshooting tips for resolving potential issues. By following this guide, IT administrators can establish a robust and secure network, ensuring authorized access and privacy protection.

Twingate Components

Twingate Client: The Twingate client is a lightweight application that runs on your local device and provides secure access to your organization's resources. The client communicates with the Twingate cloud to authenticate users and authorize access to specific resources.
Twingate Cloud: The Twingate cloud is the central hub of the Twingate platform, managing access policies, user authentication, and traffic routing. It is a global network of high-performance edge nodes that route traffic between the Twingate client and your organization's resources.
Twingate Connectors: The Twingate connector is a lightweight Docker container that runs in your organization's infrastructure and provides secure access to on-premises and cloud-based resources. The connector connects to the Twingate cloud to authenticate users and route traffic between the Twingate client and your organization's resources.
Twingate Admin Console: The Twingate Admin Console is a web-based interface that allows administrators to manage and configure the Twingate platform. It provides a central location for configuring access policies, managing users and groups, and monitoring network activity.

Assumption:

RDS is not in the same VPC as EKS/EC2 node.
An ec2 VM is needed in the same VPC as RDS to deploy the Twingate Connector docker image.

Supported distributions

The Twingate Linux Client currently supports the following Linux distributions for x86/AMD64 and ARM64-based devices:

Ubuntu (18.04 LTS or later)

System Prerequisites

The Linux Client requires either systemd-resolved service to be enabled/running or NetworkManager service to be configured and enabled/running as the client DNS service.
A notification service is required for interactive user authentication. If a notification service is not available, the Client will provide instructions for receiving a console-based notification feed.

Installation and Setup

Installation of Twingate client on Jumpbox :

The following command will download and install the Twingate Client.

curl -s https://binaries.twingate.com/client/linux/install.sh | sudo bash

Usage notes

Command

Description

sudo twingate setup

Interactively configure the Twingate Client.

twingate start

Start the Twingate Client.

twingate status

Output Twingate Client status.

twingate stop

Stop the Twingate Client.

twingate help

Show usage information.

twingate resources

Show available Resources for the authenticated user.

Steps to Start and Configure Twingate Client

Step 1: Start the Twingate Service

root@ip:~# twingate start
Starting Twingate service
Please run "twingate setup" first to configure access to your Twingate network.
Starting UI notifications

Before starting the Twingate service, ensure you have completed the setup process for configuring access to your Twingate network.

Step 2: Configure Twingate Client

root@ip:~# twingate setup
Twingate Setup 1.0.80+75884 | 0.143.4
By continuing, you agree to the User Terms of Service (https://twingate.com/terms/user)
and acknowledge the Privacy Policy (https://twingate.com/privacy). [A]gree/[q]uit: A
Enter the name of your Twingate network (eg. "acme" for "acme.twingate.com"): lbai
checking...
lbai is a valid Twingate network
Do you want to automatically start the Twingate service at boot? [Y/n]: Y
Do you want the Twingate service to automatically login after restart?
This requires saving authentication data in /var/lib/twingate (accessible only to root) [y/N]: Y
Do you want to automatically share application error reports with Twingate? [Y/n]: N
Do you want to start Twingate now? [Y/n]: Y
Twingate has been started; user authentication is required for access to Resources
To start desktop notifications, run `twingate desktop-start`.
Alternatively, you can run `/usr/bin/twingate-notifier console` in order to receive Twingate authentication requests in the console.

Use the twingate setup command to configure the Twingate Client interactively. Provide the required details, such as your Twingate network name (e.g., "acme" for "acme.twingate.com") and preferences for automatic startup, automatic login after restart, and error report sharing.

Step 3: Check Twingate Client Status

root@ip:~# twingate status
authenticating
Visit the following URL to authenticate to your Twingate network:

https://xxx.twingate.com/client-node/login?redirect_uri=https%3A%2F%2Flbai.twingate.com%2Fapi%2Fv5%2Fclient%2Flogin%3Fdevice_hardware_id%0

Use the twingate status command to check the current status of the Twingate Client. The output will indicate that the client is authenticating, and you will receive a URL to authenticate to your Twingate network.

By following these steps, you can successfully start and configure the Twingate Client, allowing secure access to your organization's resources through the Twingate network.

Script to download and configure Envoy Proxy on LightBeam Jumpbox

#!/bin/bash
# Download Envoy Proxy
wget https://github.com/envoyproxy/envoy/releases/download/v1.24.1/envoy-contrib-1.24.1-linux-x86_64 -P /usr/local/bin
chmod +x /usr/local/bin/envoy-contrib-1.24.1-linux-x86_64


# Request user input for the address
read -p "Enter the address (e.g., clusterabc.us-west-2.rds.amazonaws.com): " address


# Create envoy-postgres.yaml
cat << EOF > /usr/local/bin/envoy-postgres.yaml
static_resources:
  listeners:
  - name: postgres_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 5433
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: postgres_tcp
          cluster: postgres_cluster


  clusters:
  - name: postgres_cluster
    connect_timeout: 1s
    type: strict_dns
    load_assignment:
      cluster_name: postgres_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: $address
                port_value: 5432
EOF


# Configure systemd service
cat << EOF > /etc/systemd/system/envoy-proxy.service
[Unit]
Description=Envoy Proxy
After=network.target


[Service]
ExecStart=/usr/local/bin/envoy-contrib-1.24.1-linux-x86_64 --config-path /usr/local/bin/envoy-postgres.yaml
Restart=always
User=nobody


[Install]
WantedBy=multi-user.target
EOF


# Reload systemd daemon
sudo systemctl daemon-reload
# Enable automatic start on boot
sudo systemctl enable envoy-proxy
# Start the Envoy Proxy service
sudo systemctl start envoy-proxy
# Stop the Envoy Proxy service
# systemctl stop envoy-proxy
# Command to stop the Envoy Proxy service
echo "To stop the Envoy Proxy service, run: sudo systemctl stop envoy-proxy"

This script automates downloading and configuring Envoy Proxy on the LightBeam Jumpbox. It first fetches the Envoy Proxy binary from the official repository, sets appropriate permissions, and then prompts the user to input the address of the target (e.g., RDS endpoint). The script generates a envoy-postgres.yaml configuration file with the provided address, which specifies the listener and cluster settings for the TCP proxy. A systemd service unit file is created to manage the Envoy Proxy service, enabling automatic startup at boot and continuous operation. The script also provides instructions to stop the Envoy Proxy service if needed.

Onboarding RDS to LightBeam on EKS

Install and authenticate the Twingate client on the jumpbox, and ensure Twingate status is online.
Configure Envoy Proxy as per Script to download and configure Envoy Proxy on LightBeam Jumpbox
Add the Postgres datasource to LightBeam. Specify the public IP address of the jumpbox as the host for the Postgres database.

Onboarding RDS to LightBeam on EC2

Perform Twingate client setup and configure the client.
After the Twingate client is online, find the IP assigned to RDS by Twingate running nslookup on the RDS endpoint.
Go To LightBeam UI -> Datasources -> Add a Datasource Postgres
Update the instance details and use the RDS nslookup IP address as the host and run Test Connection.

Note:

The IP address assigned to RDS by Twingate is dynamic and changes when the Twingate session is re-established. To ensure stable connectivity, it is not recommended to onboard the datasource with the dynamic IP address. Instead, consider using a static IP address or a domain name for the RDS instance. Always verify the address before adding it as a datasource in LightBeam.

Troubleshooting

Known Issue: After restarting the Twingate client, the session may not be automatically established, and the user might need to re-establish the session with Twingate status.
Default Authentication Requirement: Twingate requires user authentication at least once every 30 days.

Useful Commands:

Twingate Logs: To view Twingate logs, use the following command: sudo journalctl -u twingate -f
Envoy Service Status: Check the status of the Envoy Proxy service with: systemctl status envoy-proxy
Enable Debug Logging: To enable debug logging for Twingate, run: sudo twingate config log-level debug

If you encounter any issues or have trouble with the Twingate client or the Envoy Proxy integration, refer to the logs and enable debug logging if necessary to gain insights into the underlying processes and aid in troubleshooting.

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].

PreviousSetting Up AWS PrivateLink for RDS-EKS Interaction NextData Subject Request Web Application Server

Last updated 2 years ago