EAA Edge Transport is a novel architecture built on the global distribution of Akamai Connected Cloud delivering significant improvements for latency sensitive applications.

Let us understand the limitation with the EAA Tunnel-type client-access application and how we can address the issue using a Edge Transport based Tunnel Application.

📘

Note

This is a limited-availability (LA) feature and can be enabled in your contract by contacting Akamai Support.

Problem

When you configured EAA Tunnel-Type Client-access applications, you chose an Akamai Cloud Zone located near the application in the Datacenter. However, in today’s world, remote users access the applications from home, branch office, or coffee shops and their distance changes from the Akamai Connected Cloud. This might create a long non-optimal path to the remote user when accessing the tunnel-application, affecting the application performance.

Solution

To solve this problem you can create an Edge Transport enabled Tunnel application and use AZT Client (version 6.X or later version) to access the application.

The connection between the remote user and the application in the data center is established as described below:

1. The AZT Client on the remote user’s laptop locates the closest Akamai Edge PoP and establishes a connection.
2. The built-in EAA policy engine ensures that the authenticated user is authorized to access the application. The Akamai ZT Core within the Akamai Connected Cloud makes a connection to another Akamai Edge PoP close to the customer data center, selecting the most efficient route for the application traffic to the authorized user.
3. The EAA Unified Connector in the customer data center dials out the Akamai Edge PoP that was selected in 2.

Therefore you get enhanced performance with reduced latency while accessing edge transport enabled tunnel applications as compared to legacy tunnel-type client-access applications.

Workflow for Edge Transport enabled Tunnel Application

Here is the workflow for creating an edge transport enabled tunnel application, where a remote user can access the edge transport enabled tunnel application in the data center:

STEP 1: Create a new Connector Pool

1. Log in to the Enterprise Center.
2. Navigate to select Application Access > Clients & Connectors > Connector Pools.
3. Click Add New Connector Pool.
4. Provide these details:
   Name: A name for the connector pool.
   Description. A description for the connector pool.
   Location. Provide a location for your connector pool. This is just a named reference for you and the connector does not physically reside at the location specified.
   Package Type. Select a package for the connector pool.You can only add connectors that match this package type to this connector pool.

Note: You will not be able to add connectors of other package type once the connector pool is created.

5. Click, Create Pool.Your connector pool is created. All of the tiles are empty in a newly created pool. Under the General tab, you will use the Registration Tokens tile, Connectors tile, and Edge Transport Destination CIDRs tile for the rest of the configurations.

STEP 2: Add a Unified connector (BETA tagged Connector) to the Connector Pool

You must create a registration token for the beta connector and do manual registration in your virtual environment.

Alternatively, you can do the automatic registration for the beta connector, where you embed a registration token in the standard connector template, and then download a custom connector template in the virtual environment.

STEP 3: Add the Edge Transport Destination CIDRs to the Connector Pool

Add all of the networks behind the connector pool in the Destination CIDRs tile. All of the Destinations in STEP 5, must be on this network.

1. Go to the Edge Transport Destination CIDRs tile on the Connector Pool details page.
2. Add all of the networks behind the connector pool in the data center using the CIDR notation.

STEP 4: Add and activate the local DNS Servers

Add the DNS resolvers for your datacenter.

The Akamai Edge Transport does DNS resolution on its Edge Transport Platform. After the DNS resolution is done, the Akamai Edge Platform steers the application traffic to the correct connector pool based on Destination CIDR mentioned in the pool.

If you specify any FQDNs for Destinations in STEP 5, these local DNS servers will be used to resolve them.

1. Log in to the Enterprise Center.
2. Navigate to select Application Access > General Settings > Settings.
3. Click DNS Resolvers.
4. For Resolver IPs, add the local DNS servers.
5. For Timeout, add a timeout value in seconds, so that EAA can time out if the DNS server does not respond within this duration.
6. Click Save, to save the list.

STEP 5: Create a Edge Transport enabled Tunnel Application

Create a tunnel-type client-access application with the edge transport mode enabled in it. Add the Destinations for your application. It must be a subset or the same as the Destination CIDRs you entered in the Connector Pool in STEP 3.

1. Log in to Enterprise Center.

2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

3. Click Add Application (+).

4. Populate these fields:

   1. Type select Client-Access App.
   2. Name. Provide an application name.
   3. Description. Provide a description.
   4. Mode select Tunnel mode with Edge Transport.

5. Click Add Application.

6. In App Settings, for Endpoint Host, select Use Akamai Domain. A hostname is created for the application.

7. For Destinations, click Add Destination.
   Provide the following for each destination:
   Protocol. Select TCP, UDP, or all,
   IP or URL. Add the IP addresses in CIDR notation or FQDNs.
   Port. Provide any specific ports between 1 and 65535, or a range of ports.
   Click Save, to save the destination.

📘

Note

1. The IP address must be the same as or a subset of the IP address you entered in the Destination CIDRs in the Connector Pool.
2. If you entered any FQDNs, it is resolved by the DNS resolvers you entered in STEP 4. Also the resolved IP address for the FQDN must be within the list of Destination

8. Repeat step 7 to add more destinations, if your tunnel application accesses other destinations.
9. To add authentication to the application select Authentication.
   1. Enable Authentication.
   2. In Identity provider select an identity provider from the list. The selected IDP must have Enable EAA Client enabled in the Settings tab, Client section.
   3. Click Assign Directory and select one or more directories from the list.
   4. Click Associate.
      The directory appears in Assigned Directories.
10. Click Save and Deploy, to save and deploy the application.

STEP 6: Verify with the AZT Client

Prerequisite. Install the AZT Client (6.0 version) or Access section of Guardicore Platform Agent (7.0 version) on your laptop.

1. Open AZT Client.
2. Click the INFORMATION tab.
3. If the application is communicating with the remote user using the Edge Transport in Akamai Edge network, there is an increase in the number of Private Access connections.