- The Device42 Cloud Connector Overview
The Device42 Cloud Connector Overview
Certain Device42 integrations allow users to pull data from their Device42 appliance, thus populating another application with CIs (Configuration Items) from Device42, powering a 3rd party CMDB with Device42 discovery, etc.
Configuration data from Device42 is often defined to these external application integrations as one or more data sources, and the specific CI details from these defined data sources are mapped to the target application via transformation maps.
List of external integrations that utilize the Cloud Connector:
Why was the Cloud Connector built?
To accomplish the transfer of data from customers’ Device42 instances to an external integration, requests originating from the external integration must be routed to a customers’ Device42 appliance.
This presents a challenge in that Device42 installations often exist in local, isolated environments, behind firewalls and without any externally reachable IP address. In many cases Device42 instances are unreachable from the internet at large, and are therefore also unreachable by cloud applications that we want to integrate with, as well.
Facilitating communcation without opening the firewall
The Cloud Connector is utilized to route traffic from an given external integration directly to the customers’ normally unreachable Device42 appliances via a secure, internally (from the Device42 appliance) initiated websocket connection.
The D42 Cloud Connector was built as a secure alternative to asking Device42 users to open their firewalls to allow this communication, which would have the side effect of needlessly exposing Device42 instances to the internet. The Cloud connector thus facilitates secure communication with the 3rd party software hosted in any cloud platform, while maintaining a minimum attack surface area and avoiding any need to expose customer’s Device42 appliances to the internet at large.
Cloud Connector / Websocket Security Architecture
The Cloud Connector handles routing requests from each external integration instance to the proper D42 appliance endpoint via 3 GUID keys:
- The “appliance GUID”
- The “verification token GUID”
- The “am_guid”
The verification token is used to search a database on the cloud connector for an account that matches the given verification token. Once it finds a verification token that matches, the request is forwarded to that appliance by the WebSocket Server as identified by the appliance GUID.
Example / Diagram: ServiceNow DOQL Query Executed by Cloud Connector
The above graphic details communication between Device42, the Cloud connector, and an external integration. ServiceNow is used as an example, but the general flow applies to any integration that uses the CC.
Note that the Device42 cloud connector is hosted by CloudFlare, and takes advantage of all of their industry-leading security features (cloudflare security overview), as well as general best practices.
If you have a question that isn’t answered here, please email firstname.lastname@example.org and we’ll be glad both to answer your question, and to include the answer here.