Zero-Trust Mesh Networking
EmberNet uses a zero-trust mesh networking architecture to secure all communications between edge nodes, cloud services, and user access points. This model eliminates the need for traditional VPNs, exposed ports, or static firewall rules.
Zero-Trust Principles
EmberNet's networking model is built on three core principles:
1. Never Trust, Always Verify
Every connection request is authenticated and authorized, regardless of the source network. There is no concept of a "trusted network" — all traffic is treated as potentially hostile.
2. Least-Privilege Access
Services and users are granted the minimum level of access required. Access policies are defined per-service, per-user, and per-tenant.
3. Assume Breach
The architecture assumes that any component can be compromised. Lateral movement is prevented by enforcing identity-based access on every connection, not just at the perimeter.
Mesh Architecture
How It Works
- Identity Enrollment — Each node and service is issued a unique cryptographic identity during registration
- Outbound-Only Connections — Nodes establish outbound connections to the mesh fabric; no inbound ports are opened
- Mutual TLS — All connections use mutual TLS (mTLS) with automatically managed certificates
- Identity-Based Routing — Traffic is routed based on cryptographic identity, not IP addresses or network location
- Policy Enforcement — Access policies determine which identities can communicate with which services
Network Topology
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Edge Node A │ │ Edge Node B │ │ Edge Node C │
│ ┌────────┐ │ │ ┌────────┐ │ │ ┌────────┐ │
│ │ Mesh │──┼─────┼──│ Mesh │──┼─────┼──│ Mesh │ │
│ │ Agent │ │ │ │ Agent │ │ │ │ Agent │ │
│ └────────┘ │ │ └────────┘ │ │ └────────┘ │
└──────────────┘ └──────────────┘ └──────────────┘
│ │ │
└────────────────────┼────────────────────┘
│
┌────────────────┐
│ Mesh Control │
│ Plane │
└────────────────┘
Key Benefits
| Feature | Description |
|---|---|
| No Inbound Ports | Eliminates the need for firewall exceptions or port forwarding |
| No VPN Required | Direct, identity-based connectivity without VPN infrastructure |
| Automatic Certificates | Certificates are provisioned and rotated automatically |
| NAT Traversal | Works across NAT boundaries without configuration |
| Network Agnostic | Functions on any network — cellular, satellite, WiFi, or ethernet |
Access Policies
Policy Structure
Access policies define which identities can access which services:
Allow:
Source: @engineering-team
Target: @edge-dashboard
Protocol: HTTPS
Ports: 443
Policy Types
| Type | Description |
|---|---|
| Service-to-Service | Controls which platform services can communicate |
| User-to-Service | Controls which users can access which services |
| Tenant-to-Tenant | Prevents cross-tenant traffic (deny by default) |
| External Access | Controls inbound access from external networks |
Certificate Management
EmberNet automatically manages TLS certificates across the mesh:
- Automatic Issuance — Certificates are issued when nodes enroll
- Automatic Rotation — Certificates are rotated before expiration
- Revocation — Compromised certificates can be instantly revoked
- Short-Lived — Certificates have short validity periods to limit exposure
Monitoring & Troubleshooting
Mesh Health
Monitor mesh connectivity from the dashboard:
- Node connectivity status and latency
- Certificate validity and rotation schedule
- Policy evaluation logs
- Connection attempt history
Common Issues
| Issue | Possible Cause | Resolution |
|---|---|---|
| Node not joining mesh | Outbound port 443 blocked | Verify firewall allows outbound HTTPS |
| High latency | Network congestion or routing | Check network path and bandwidth |
| Certificate errors | Clock skew | Synchronize system clock (NTP) |
| Access denied | Missing access policy | Review and update access policies |
Next Steps
- Device Connectivity — Connect industrial devices
- Architecture — Platform architecture overview
- Configuration Reference — Network configuration options