
BlastShield Documentation

Running a Gateway as a container - source + destination NAT mode

The BlastShield Gateway supports running as a container. The image runs on 32-bit Arm, 64-bit Arm and x86_64, and the Gateway must use the source + destination NAT addressing mode.

Running the Gateway as a container lets you run it alongside other applications in the same environment, making more cost-effective use of the hardware platform.

[Image: run_gateway_as_container_on_linux.png]

Prerequisites

  1. A BlastShield™ Orchestrator with administrator access.

  2. An appliance running 32-bit Arm, 64-bit Arm or x86_64 Linux with at least one physical NIC and a container environment installed.

  3. The BlastShield™ Gateway requires outbound UDP connectivity to all required destinations.

To learn how to run a BlastShield Gateway as a container and then create endpoints on it, please read the steps below.

Create the Gateway in the Orchestrator and then run it as a container
  1. Create a new gateway in the orchestrator and set the mode to "Source + destination NAT".

    1. Connect to the Orchestrator and select Gateways from the left Menu.

    2. Select Add New Gateway.

    3. Enter a name for the new Gateway.

    4. Set the Gateway's Addressing Mode to IP Address (Source+Destination NAT).

      [Image: gw_addressing_mode--source_destination_nat.png]
    5. Select Save and Download Invitation. You can choose to either download the invitation file or copy it to the clipboard. Keep the invitation data, as you will need it in the next step.

      [Image: add-new-gw-container-linux-save-bsi.png]
  2. Copy the invitation to the clipboard and replace the "REPLACE_ME" value in the yaml file with the invitation.

  3. Copy the yaml file to a new directory on the appliance.

  4. From that directory, run the command: docker compose up.

An example yaml file is given below.

docker-compose.yml

version: "3.8"
services:
    blastshield-gw:
        image: public.ecr.aws/blastwave/blastshield-gw:1.7.1
        volumes:
            # Named volume mounted at /data so Gateway data persists across restarts and image upgrades
            - blastshield-private:/data
        environment:
            # Paste the invitation from the Orchestrator in place of REPLACE_ME
            INVITATION: 'REPLACE_ME'
        restart: unless-stopped
        cap_add:
            # Lets the container configure its own interfaces, routes and NAT rules
            - NET_ADMIN
        sysctls:
            # Ephemeral port range for the container's outbound connections
            - net.ipv4.ip_local_port_range=16384 32768

volumes:
    blastshield-private:

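As an added example (not BlastShield's own tooling), the shell script below renders docker-compose.yml from the template above by reading the invitation from a file instead of pasting it into the YAML by hand, and refuses to produce a file that still contains the placeholder. It assumes a single-line invitation; the file names are assumptions.

```shell
#!/bin/sh
# Added example, not BlastShield's own tooling. The invitation is treated as
# opaque text: it is never placed on a command line or inside a sed
# expression, and the rendered file is created owner-readable only.
set -eu

# write_template OUTPUT: the compose file from the page, placeholder intact.
write_template() {
    cat > "$1" <<'EOF'
version: "3.8"
services:
    blastshield-gw:
        image: public.ecr.aws/blastwave/blastshield-gw:1.7.1
        volumes:
            - blastshield-private:/data
        environment:
            INVITATION: 'REPLACE_ME'
        restart: unless-stopped
        cap_add:
            - NET_ADMIN
        sysctls:
            - net.ipv4.ip_local_port_range=16384 32768

volumes:
    blastshield-private:
EOF
}

# render_compose TEMPLATE INVITATION_FILE OUTPUT (invitation file: one line)
render_compose() {
    tmpl=$1; inv=$2; out=$3
    umask 077   # the rendered file holds an enrolment secret: owner-only
    awk -v invfile="$inv" '
        BEGIN {
            if ((getline token < invfile) <= 0) exit 2   # empty/missing file
            close(invfile)
            sub(/\r$/, "", token)            # tolerate a CRLF paste
            gsub("\047", "\047\047", token)  # YAML single-quote escaping
        }
        # index/substr instead of gsub: a gsub replacement would reinterpret
        # "&" and backslashes appearing inside the invitation.
        { i = index($0, "REPLACE_ME")
          if (i) $0 = substr($0, 1, i - 1) token substr($0, i + 10)
          print }
    ' "$tmpl" > "$out" || return 1
    ! grep -q REPLACE_ME "$out"   # fail if the placeholder survived
}
```

Run docker compose up from the directory holding the rendered file, as in step 4 above.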

Create Endpoints on the Gateway

For each of the devices that you want to securely access via the BlastShield™ Gateway, you must create a corresponding Endpoint for it on the Gateway.

Follow this procedure to learn how to create an Endpoint on the Gateway.

  1. In the Orchestrator, select the Gateway and click on the Endpoints tab.

  2. Click the 'Add New Endpoint' button and click on the 'Endpoint Enabled' button.

  3. Enter a name for the Endpoint in the Name field.

  4. In the DNS Hostname field, enter a hostname.

  5. In the Destination field, enter the device's Private IPv4 address or hostname.

  6. Click on 'Save Changes'.

  7. The status of the Endpoint will show as 'Online'.

    [Image: endpoint-gw-container-arm32-linux.png]

Important

Upgrading the Gateway

When running as a container, the Gateway must be upgraded by modifying the container to use a newer image.