Introduction to ZTNA

A new era in security and connectivity
In today's digital world, where information security is a priority, innovative technologies such as Zero Trust Network Access (ZTNA) have become indispensable by offering a more secure and efficient way of connecting users and devices to corporate networks.

This article aims to simplify the concept of ZTNA and demonstrate its practical applications, exemplifying how ZTNA technology can optimize the connectivity and security of your network.

What is ZTNA?

ZTNA is a security architecture based on the principle of “never trust, always verify”. This means that, unlike traditional models that implicitly trust users or devices already inside the network, ZTNA requires authentication and authorization on every access to a resource, regardless of where the user or device is located.

It offers greater control, flexibility and protection, especially in cloud environments and distributed networks, making it ideal for companies that operate with critical data in multiple locations or that need to securely allow remote access.

The origin of ZTNA

The need for ZTNA has grown due to the limitations of VPNs, such as:

  • Lateral movement: After joining a VPN, users can access different parts of the network, creating risks if their credentials are compromised.

  • Latency: The centralization of traffic in VPNs can lead to significant delays.

  • Scalability: Modern networks need solutions that meet the complexity of hybrid and distributed environments.

In addition, ZTNA meets more stringent security demands, such as identity-based authentication and policy-based access control.

Applications of ZTNA

ZTNA is ideal for companies that:

  • Operate in hybrid or multi-cloud environments.

  • Need rigorous security in sectors such as banking and healthcare.

  • Want to improve remote access for employees in a secure and scalable way.

  • Are looking to reduce the risk of cyber attacks, such as ransomware and credential hijacking.

Benefits of ZTNA

  • Greater security: Lateral movement is eliminated, as access is segmented and based on identity. With robust access policies and continuous authentication, you can be sure that only authorized users can access your resources.

  • Reduced latency: Distributed architectures optimize traffic by eliminating unnecessary network jumps. ZTNA's architecture minimizes latency, ensuring that communication between devices and resources is fast and efficient.

  • Flexibility: It can be implemented in hybrid environments, with multiple clouds and data centers.

  • Simplified management: There's no need to set up complex inbound firewall rules. Administration is done centrally through the Digibee Integration Platform.

  • High availability: With an SLA of 99.99%, ZTNA offers reliability for critical operations.

How does ZTNA work?

The ZTNA architecture integrates several components, creating a secure, scalable, and high-performance corporate network. These are:

Access Policies and App WANs

Access policies are rules that determine who can access what within the network, limiting access based on identity.

Practical example: If a user needs to access a financial system, the access policy will ensure that they only have access to the system if they are authenticated and authorized according to the defined rules.

Fabric

Fabric is the network infrastructure that connects all the devices and resources within the ZTNA architecture. It allows communication to take place securely and efficiently, managing traffic between different parts of the network dynamically.

Practical example: When a user accesses a resource or application, the Fabric will ensure that the data flows securely and optimally, choosing the best route for the traffic according to the network conditions.

Edge Routers

Edge Routers are a key component within the ZTNA architecture, acting as connection points between network resources. They ensure that only authorized sources can access network resources, and they do this by applying the access policies defined in the system.

Edge Routers not only guarantee security, but also help optimize traffic and minimize latency by dynamically adjusting communication according to the network situation.

Network Mappings

Network Mappings are the protected resources within the network environment, such as APIs, servers, or applications. The ZTNA architecture creates a private network for these services, ensuring that only authenticated users and devices can access them.

Practical example: If your company offers an API for consulting financial data, ZTNA architecture ensures that this API is only accessible to users with the right permissions, without exposing it to security risks.

First steps in ZTNA

Check below the steps that must be taken to migrate to ZTNA on the Digibee Integration Platform:

Step 1: Map the resources that need protection, such as APIs and critical applications

Before setting up ZTNA, it’s essential to identify and categorize the resources that need to be protected. This ensures that the scope is clear and that the security measures are adequate.

List critical resources

  • Externally exposed APIs, such as: api.mycompany.com/v1/login.

  • Internal applications, such as an ERP system or a financial database.

  • Cloud services, such as CRM or project management platforms.

Sort resources by sensitivity

  • High sensitivity: Financial data, authentication APIs.

  • Medium sensitivity: Non-public internal documents.

  • Low sensitivity: Training resources or public materials.

Identify users and systems that need access

  • Internal teams, such as developers or financial analysts.

  • Automated applications, such as bots that consume APIs.

  • External partners who need access to specific systems.

Map the location of resources

  • On-Premises: Local servers or data centers.

  • Cloud: Amazon AWS, Microsoft Azure, Google Cloud.

  • Hybrid: Resources distributed between cloud and on-premises.

Understand communication flows

  • Which users access which resources?

  • How do applications interact with each other?

Step 2: Configure Edge Routers in strategic locations to optimize traffic

The Edge Router is the central component for establishing secure communication in ZTNA. As we saw earlier, its configuration and positioning are crucial.

Choose the environment

  • On-Premises:

    • Position the Edge Router inside the Data Center, close to the resource to be protected.

    • Example: Protecting a local database server.

  • Cloud:

    • Use the AWS Marketplace to deploy the Edge Router directly in the API region.

    • Example: APIs hosted on AWS.

Plan for redundancy

  • Always configure at least two Edge Routers to ensure high availability.

  • Example: One in US East (AWS US-East) and another in US West (AWS US-West).

Register the Edge Router

  1. Access the connectivity section for ZTNA in the Digibee Integration Platform.

  2. Generate a key and register the Edge Router in the chosen environment. Example of a name: EdgeRouter-Prod-US-East.

Configure Outbound Rules

  • No inbound rules are required in the firewall.

  • Make sure to open required outbound ports, such as:

    • Port 443 (HTTPS): Secure communication.

    • Specific ports for the ZTNA controller.

Grant access

One of the most important premises of ZTNA is to grant access only to what is necessary, limiting excessive privileges.

  1. Restrict ports and endpoints:

    • Limit access to specific ports and endpoints.

    • Example:

      • Internal users: Only port 22 (SSH) and 443 (HTTPS).

      • External partners: Only api.partner.myorganization.com.

  2. Enable microsegmentation:

    • Example: An Edge Router can allow only one application to interact with the financial database, for example a financial dashboard.

Migration can be done gradually, allowing existing infrastructure (such as VPNs) to coexist while ZTNA is implemented.

Integrated example

Scenario

A company operates a financial application that allows customer queries. This application is distributed between a local data center and an AWS cloud.

Solution with ZTNA

  1. Map the api.financial.com API and the local database as critical resources.

  2. Configure an Edge Router in AWS (for the API) and another in the local data center (for the database).

  3. Create access policies to allow:

    • Only authenticated users can query the API.

    • Only the API has access to the database.

  4. Test communication with a simulated user and validate latency.
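The least-privilege rules from the "Grant access" section and the scenario above can be expressed as default-deny access policies. The following Python is an added illustration, not Digibee code or the platform's policy format: it models identities, Network Mappings, Edge Routers and policies so that a user reaches only the API, only the API reaches the database, and a partner reaches only its own endpoint. Hostnames such as db.local, Edge Router names such as EdgeRouter-Prod-DC and the port numbers are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the article's scenario: api.financial.com behind an Edge
# Router in AWS, the database behind an Edge Router in the local data center,
# and a partner-facing endpoint. Hosts, router names and ports are assumptions.


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str            # "user", "service" or "partner"
    authenticated: bool  # outcome of the identity check for THIS request


@dataclass(frozen=True)
class NetworkMapping:
    name: str
    host: str
    edge_router: str     # Edge Router that fronts the protected resource
    ports: frozenset     # ports the mapping exposes at all


@dataclass(frozen=True)
class AccessPolicy:
    identity_kinds: frozenset   # which kinds of identity may match
    identity_names: frozenset   # explicit allow-list; empty = any of those kinds
    mapping: str                # protected resource the policy refers to
    ports: frozenset            # ports granted on that resource


MAPPINGS = {
    "financial-api": NetworkMapping("financial-api", "api.financial.com",
                                    "EdgeRouter-Prod-US-East", frozenset({443})),
    "financial-db": NetworkMapping("financial-db", "db.local",
                                   "EdgeRouter-Prod-DC", frozenset({5432})),
    "partner-api": NetworkMapping("partner-api", "api.partner.myorganization.com",
                                  "EdgeRouter-Prod-US-East", frozenset({443})),
}

POLICIES = [
    # Internal users may query the API over HTTPS only.
    AccessPolicy(frozenset({"user"}), frozenset(), "financial-api", frozenset({443})),
    # Microsegmentation: only the API service may talk to the database.
    AccessPolicy(frozenset({"service"}), frozenset({"financial-api"}),
                 "financial-db", frozenset({5432})),
    # External partners see nothing but their own endpoint.
    AccessPolicy(frozenset({"partner"}), frozenset(), "partner-api", frozenset({443})),
]


def evaluate(identity, mapping_name, port, policies=POLICIES, mappings=MAPPINGS):
    """Decide one request: (allowed, reason). Default deny, verify every time."""
    if not identity.authenticated:
        return False, "identity not verified"
    mapping = mappings.get(mapping_name)
    if mapping is None:
        return False, "unknown resource"
    if port not in mapping.ports:
        return False, f"port {port} not exposed by {mapping.name}"
    for policy in policies:
        if policy.mapping != mapping_name or port not in policy.ports:
            continue
        if identity.kind not in policy.identity_kinds:
            continue
        if policy.identity_names and identity.name not in policy.identity_names:
            continue
        return True, f"allowed to {mapping.host}:{port} via {mapping.edge_router}"
    return False, "no matching policy (default deny)"


def reachable(identity, policies=POLICIES, mappings=MAPPINGS):
    """Every (host, port) an identity can reach: the lateral-movement surface."""
    return {
        (m.host, port)
        for name, m in mappings.items()
        for port in m.ports
        if evaluate(identity, name, port, policies, mappings)[0]
    }
```

Running `reachable` for each identity gives the review table a defender wants before migration: if any identity can reach more than its business role needs, a policy is too broad.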

Final thoughts

ZTNA represents a significant advance in the security and connectivity of modern networks. Its model based on zero trust, continuous authentication and microsegmentation offers a robust solution to today's cybersecurity challenges.

For those starting out, ZTNA may seem complex, but its implementation brings benefits that far outweigh the initial efforts. Whether for small or large companies, ZTNA is a powerful tool for protecting data and ensuring secure operations in the digital environment.

If you're looking to transform your network security, ZTNA could be the next step in the evolution of your infrastructure, and Digibee is ready to support you.

Read the full documentation for step-by-step instructions on how to generate new keys.

Last updated 2 months ago