Using gRPC Dial-Out for Secure Telemetry Collection
Understanding gRPC Dial-Out
Starting with Junos OS Release 22.4R1, JTI supports remote gRPC dial-out support on ACX Series routers, MX Series routers, PTX Series routers, and QFX Series switches. With gRPC dialout, the target device (server) initiates a gRPC session with the collector (client). When the session is established, the target streams the telemetry data that is specified by the sensor-group subscription to the collector. This is in contrast to the gRPC network management interface (gNMI) dial-in method, in which the collector initiates a connection to the target device.
gRPC dial-out simplifies streaming telemetry statistics. Configuring the target device to stream statistics and export them to a collector IP address removes the burden of access being placed on the collector (client). (see Figure 1).
gRPC dial-out provides several benefits as compared to gRPC dial-in:
Reduces target device exposure to threats outside of their topology.
Simplifies access to a target device. The gRPC Dial-In method requires a collector to overcome a series of complex firewall configurations to gain access to the target device. gRPC Dial-Out does not.
Collectors can be stateless; without the need to initiate a session, they simply listen, subscribe, and store collected data.
Support mutual encryption for heightened security.
To enable export of statistics, include the export-profile
and sensor
statements at the [edit services analytics
] hierarchy level. The export profile must include the reporting
rate, the transport service (for example, gRPC), and the format (for
example, gbp-gnmi). The sensor configuration should include the name
of the collector (the server’s name), the name of the export
profile, and the resource path. An example of a resource path is /interfaces/interface[name='fxp0'.
Configure an IP Source Address for Legacy gRPC Dial-Out Connections
Starting with Junos OS Evolved Release 24.2R1, JTI supports configuring a source IP address for legacy gRPC service dial-out connections on ACX Series routers, PTX Series routers, and QFX Series switches. In earlier releases that support legacy gRPC dial-out, the outgoing interface IP address is used as the source address without an option to configure a source IP address. This feature supports FLEX Deployments, providing the ability to send dial-out from the router's specified IP address or interface address (such as a loopback0 address).
If you do not configure a local address, the default local address is used.
To configure a local address:
See Also
Configure a Routing Instance for Legacy gRPC Dial-Out Connections
Starting with Junos OS Evolved Release 24.2R1, JTI supports configuring a routing instance for legacy gRPC service dial-out connections on ACX Series routers, PTX Series routers, and QFX Series switches.
If you do not configure a routing instance, the default routing instance is used.
To configure a routing instance:
See Also
gRPC Tunnels Overview
A gRPC tunnel acts as a client-server protocol that dials out a session from the target to the TCP client through the default routing instance or configured routing instance. If you do not choose to configure a routing instance, the gRPC tunnel uses the default routing instance.
You can configure the source address for each gRPC tunnel session to dial out a connection to the tunnel server. If you do not configure the source address, the kernel picks the source address that can reach the tunnel server.
For more information about gRPC tunnels, see https://github.com/openconfig/grpctunnel.
A gRPC tunnel has three main entities:
-
Target— Represents the network device. The target is a gRPC client.
-
Tunnel Server— A software entity that is an off-box application that manages the subscription and target registrations. The tunnel server is a gRPC server.
-
Tunnel Client— A software entity that performs client tasks. The tunnel client may be self-contained within the tunnel server. The tunnel client is also a gRPC client.
Benefits of using a gRPC tunnel session:
-
Overcomes a series of complex firewall configurations as the connection is established from the server-side.
-
Access various TCP server applications such as gNMI-gNOI, SSH, or NETCONF-SSH without any operational requirements.
gRPC Tunnel Architecture
A gRPC tunnel is a generic infrastructure for TCP-based applications to communicate within gRPC messages.
In general, the TCP client initiates a connection to the TCP server or target. Junos devices act as target that runs TCP server applications such as gNMI-gNOI, SSH, and NETCONF-SSH. If a client is unable to reach the server, common reasons could be:
-
The server runs into complex firewall configurations with firewalls preventing inbound connections.
-
The server runs into a router implementing network address translation (NAT).
-
The server comes across any other operational requirements, which prevents outside connections.
When a TCP client is not able to reach a target, you can configure a gRPC tunnel session to establish a connection between the TCP client and the target. A gRPC tunnel session establishes a connection in the reverse direction where a target dials out to a TCP client.
To use a gRPC tunnel session, a tunnel client is added to the target-side where the grpc-tunnel process runs and all the gRPC tunnel-related configurations are performed. On the TCP client-side, a tunnel server is added.
You must include the grpc-tunnel
configuration statement in the
[edit system services
] hierarchy to configure a gRPC tunnel session.
gRPC Tunnel Security
The gRPC tunnel is a dial-out model where a device initiates a connection based on the configuration. The gRPC tunnel is on a secure gRPC channel that uses TLS certificates.
See Also
Example: Configure a gRPC Tunnel
Overview
This section covers the steps needed to configure the target for this example. The focus is on the target because that is the Junos device where the gRPC tunnel is configured.
Requirements
This example uses the following software and hardware components:
-
Junos OS or Junos Evolved Release 22.4 or later for routing and switching devices
-
One host device as the tunnel client
-
One host device as the tunnel server
Topology
Figure 1 shows the topology used in this example.
Based on the Junos configuration of the target device, it dials-out a grpc-tunnel to the tunnel server. The target device registers itself with the tunnel server through the Register stream RPC.
When a client requests a TCP session to a specific target, the tunnel server acts as an intermediary and connects to the above registered target session on tunnel server.
If the target supports the requested target type, the device will dial-out a new tunnel called the Tunnel stream RPC. This establishes a gRPC tunnel between the client and the target through the tunnel server. The tunnel client can now access the intended TCP applications on the target.
There can only be one Register stream between a tunnel server and the network device but multiple Tunnel streams for the same pair.
Configure a gRPC tunnel
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set system services grpc-tunnel servers server server1 address 10.205.0.1 set system services grpc-tunnel servers server server1 port 50301 set system services grpc-tunnel servers server server1 credentials tls certificate-id client-cert1 set system services grpc-tunnel servers server server1 targets ssh
Step-by-Step Procedure
Follow these steps to configure the gRPC tunnel in the target device.
-
Configure the servers under gRPC-tunnel.
-
Configure the IPv4 or IPv6 address or hostname of the tunnel server.
[edit system services] user@host# set grpc-tunnel servers server server1 address 10.205.0.1
-
Configure the port number through which the tunnel server listens.
[edit system services] user@host# set grpc-tunnel servers server server1 port 50301
-
Configure the credentials using the tls statement.
[edit system services] user@host# set grpc-tunnel servers server server1 credentials tls certificate-id client-cert1
-
Specify the target applications you want to access. The options available are ssh, netconf-ssh and gnmi-gnoi.
[edit system services] user@host# set grpc-tunnel servers server server1 targets ssh
-
-
(Optionally) Set the retry-interval (in seconds). If the tunnel-server is unreachable, the target device retries to connect after the retry-interval.
[edit system services] user@host# set grpc-tunnel servers retry-interval 30
-
(Optionally)
Set the routing instance. If you do not set the routing instance, the gRPC tunnel uses the default routing instance.[edit system services] user@host# set grpc-tunnel servers server ts1 routing-instance routing-instance
-
(Optionally)
Set the source address. If you do not set the source address, the kernel picks the source address that can reach the tunnel server.[edit system services] user@host# set grpc-tunnel servers server ts1 source-address 69.70.31.677
-
(Optionally) Configure the target-string-option under grpc-tunnel.
-
Use the pattern statement to create an ordered list of supported options.
[edit system services] user@host# set grpc-tunnel target-string-option pattern hostname custom
-
Use the custom-string statement to define a custom string that is sent when the statement pattern contains custom as one of the options.
[edit system services] user@host# set grpc-tunnel target-string-option custom-string device1
-
Use the delimiter statement when more than one option is selected in the pattern. By default, the | (pipe symbol) is used.
[edit system services] user@host# set grpc-tunnel target-string-option delimiter |
-
A maximum of 10 tunnel servers can be configured.
Results
Display the results of the configuration on the target device. The output reflects only the functional configuration added in this example.
user@host> show configuration system services
grpc-tunnel { servers { retry-interval 30; server server1 { address 10.205.0.01; port 50301; credentials { tls { certificate-id client-cert1; } } targets [ ssh ]; routing-instance routing-instance; source-address 69.70.31.677; } server server2 { address 10.205.0.02; port 50302; credentials { tls { ca-profiles [ serverRootCA1 serverRootCA2 ]; } } targets [ gnmi-gnoi netconf-ssh ]; routing-instance routing-instance; source-address 69.70.31.677; } } target-string-option { pattern [ hostname vendor model version custom ]; custom-string device1; delimiter |; } }
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.