Understanding Resource Connectors

In Cisco Secure Access, there are two ways for traffic from remote users to reach private destinations:  Resource Connectors or Network Tunnels.

Resource Connectors have several advantages over Network Tunnels.

Unlike Network Tunnels - which can route internet bound traffic - Resource Connectors are specifically designed for accessing private resources rather than routing all traffic.  For this reason, Resource Connectors excel in scenarios where you need precise control over resource access while maintaining network segmentation, making them ideal for organizations implementing a true Zero Trust architecture. 

In terms of routing, Resource Connectors have simplified connectivity and intelligent traffic management in comparison to Network Tunnels.  They require only outbound connections from your network with no additional routing configuration necessary, making implementation straightforward.

Scalability is another advantage of Resource Connectors compared to Network Tunnels.  When traffic demands increase, you can easily expand capacity by simply deploying additional connectors within an existing group. This modular approach allows organizations to grow their secure access infrastructure efficiently.

A final point to make note of is the low maintenance nature of Resource Connectors. They are self-maintaining with automatic software upgrades managed by Secure Access, allowing IT teams to focus on other priorities while ensuring security infrastructure remains current.

Resource Connectors can be deployed in AWS, Azure, VMWare, and now in Docker.

In this blog post, I'll walk you through the steps for deploying a Resource Connector in a Docker environment. 

Docker has certain advantages over the other options.

The top reasons for choosing Docker containers for Resource Connector deployment over AWS, Azure, or VMware are cost efficiency and deployment speed. Docker containers typically cost significantly less than maintaining dedicated cloud instances while providing faster startup and implementation times. This combination makes Docker particularly appealing for organizations with budget constraints who need to quickly implement secure access solutions with minimal overhead.

Create a Resource Connector in CSA

Create a Resource Connector in CSA in a few easy steps.

1. Navigate to Connect > Essentials > Network Connections.
   
   
   
2. Add a new Connector Group.
   
   
   
3. Select a Name and Region for the connector.
   
   
   
4. Choose Docker Container and scale appropriately.  For this demo, I am using the minimum amount of resources.
   
   
   
5. Specify your DNS Servers.
   
   
   
6. Copy the provisioning key.
   

Deploy a Docker Container in Linux

Deploying a Docker Container is simple.

1. Login to Terminal on your host.  NOTE: Currently, Secure Access only supports Ubunto Server LTS 22.04 x64. 
   
   
   
2. Run these commands to get the Docker Container setup and installed.  NOTE: to avoid conflicts, I would recommend uninstalling the Docker Engine from your host.  The first command downloads the setup_connector script.  The second command sets permissions on the script.  The third command runs the setup_connector script.  The final command runs the connector script.  Be sure to modify this command to include the name and provisioning key of the Connector.

   curl -o setup_connector.sh https://us.repo.acgw.sse.cisco.com/scripts/latest/setup_connector.sh 

   chmod +x setup_connector.sh

   sudo ./setup_connector.sh

   sudo /opt/connector/install/connector.sh launch --name <connector_name> --key <provisioning_key> 

   
   

Final Steps & Verification

1. The Resource Connect will attempt to communicate with Secure Access.  Confirm the connector in Secure Access.
   
   
   
2. Assign a private resource to the Connector to test it out.
   
   
   
3. Verify connectivity.  In this example, I connected to a Network Device via SSH using Browser-based Zero Trust Access.  Entering the command show user returns the IP address of the Resource Connector (see Step 1 above), indicating user traffic accessed the private resource via the Resource Connector.
   

Conclusion

Resource Connectors in Docker provide a cost-effective, rapid deployment option for organizations implementing Zero Trust architecture with Cisco Secure Access. The simplified setup process demonstrated in this guide allows IT teams to quickly implement secure private resource access while maintaining network segmentation and reducing operational overhead. 

Please reach out if you have any questions or comments.