
Aembit manages the identities of and access from workloads (typically, software applications) to services.

Aembit provides Aembit Edge, software components deployed in your environment that intermediate connections between workloads, gather assessment data from your operating environment, inject credentials into requests, and log interactions between Client Workloads and services.

This page describes, for each deployment type, the connections and protocols Aembit uses to support your Workloads.

Aembit Edge Components include:

  • Aembit Agent Proxy
  • Aembit Agent Controller
  • Aembit Agent Injector (Kubernetes Only)
  • Aembit Agent Sidecar Init (Kubernetes Only)

Before describing these components, let’s review conceptually how Workloads communicate and where Aembit fits into this mix. At its most basic level, a Client Workload communicates with a Server Workload over a transport protocol such as TCP, using a set of IP addresses and ports to exchange data. Aembit is generally based on a proxy model: it intercepts the network communication between Client and Server Workloads and authenticates the connection as configured by an Aembit Access Policy.

To achieve these capabilities, the Aembit Architecture depends on deploying Agent Controller instances, which Agent Proxy instances can then leverage to bootstrap secure communication with the Aembit Cloud.

From a network/protocol perspective, that deployment is achieved by the following steps:

  1. Deploy Agent Controller with Device Code or Agent Controller ID.

    • Device Code: Authenticates and registers with the Aembit Cloud using the time-bound and single-use Device Code created for a specific Agent Controller.
    • Agent Controller ID: Authenticates and registers with the Aembit Cloud using the TrustProvider associated with that Agent Controller.
  2. Deploy Agent Proxy configured to communicate with an Agent Controller.

    • Agent Proxy registers with the Agent Controller and Aembit Cloud.
    • Optional: The Agent Controller can be configured with a TLS Certificate to enable and enforce HTTPS communication.

After the Aembit Edge is deployed and registered, we can now begin identifying workloads and managing access for the configured policies.

  1. Client Workloads connect to Server Workloads - the Agent Proxy handles both DNS and application traffic.
    1. DNS: DNS requests and responses are read in order to route application traffic.
    2. Application Traffic: Uses the configured Access Policy and Credentials from the Aembit Cloud for authorized injection.
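The following is an added illustration of the flow just described, not Aembit code: a toy proxy records DNS answers so that application traffic arriving by IP can be mapped back to the Server Workload the client asked for, then looks up an Access Policy for the (Client Workload, Server Workload) pair and injects the credential only when a policy matches. The policy table and hostnames are constructed sample data; in a real deployment the policies and credentials come from the Aembit Cloud.

```python
"""Toy model of the Agent Proxy flow: DNS observation, policy lookup, credential injection.
Constructed illustration only; not Aembit's implementation."""
from dataclasses import dataclass, field


@dataclass
class ToyProxy:
    # Access policies: (client workload, server workload hostname) -> credential to inject.
    # Constructed sample data standing in for policies served by the Aembit Cloud.
    policies: dict[tuple[str, str], str]
    # DNS answers seen by the proxy: resolved IP -> hostname the client resolved.
    dns_cache: dict[str, str] = field(default_factory=dict)

    def observe_dns(self, hostname: str, answer_ip: str) -> None:
        """Record a DNS answer so later traffic to answer_ip can be routed by hostname."""
        self.dns_cache[answer_ip] = hostname

    def handle_request(self, client: str, dest_ip: str,
                       headers: dict[str, str]) -> tuple[bool, dict[str, str]]:
        """Decide whether to forward a request and which headers to send upstream.

        Returns (allowed, headers_to_forward). Fails closed: a destination the proxy
        never saw resolved, or a pair with no Access Policy, is not forwarded.
        """
        hostname = self.dns_cache.get(dest_ip)
        if hostname is None:
            return False, {}
        credential = self.policies.get((client, hostname))
        if credential is None:
            return False, {}
        forwarded = dict(headers)
        # The client workload never holds the credential itself; the proxy injects it.
        forwarded["Authorization"] = f"Bearer {credential}"
        return True, forwarded


def build_demo_proxy() -> ToyProxy:
    """Construct a proxy with one sample policy and one observed DNS answer."""
    proxy = ToyProxy(policies={("billing-svc", "api.example.internal"): "sample-token-123"})
    proxy.observe_dns("api.example.internal", "10.0.0.5")
    return proxy


if __name__ == "__main__":
    p = build_demo_proxy()
    print(p.handle_request("billing-svc", "10.0.0.5", {"Host": "api.example.internal"}))
    print(p.handle_request("billing-svc", "10.0.0.9", {}))  # destination never resolved
    print(p.handle_request("other-svc", "10.0.0.5", {}))    # no policy for this client
```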