Overview
Get a single, organisation-wide inventory of every node on your Nebula overlay mesh without logging into a single gateway host.
Nebula Overlay Network Management connects Argus to your Nebula mesh networks so that distributed and tactical teams can see the whole overlay from one place. For each host it records the Nebula overlay address, the public address, lighthouse role, group memberships, certificate expiry, last handshake time and operational status. That picture is held per organisation, refreshed on demand, and presented through a consistent interface alongside the rest of your operational data.
The result is faster troubleshooting and far fewer surprises. Certificate expiry visibility means a lapsed certificate never takes a node offline without warning. Last-handshake timestamps and lighthouse counts let operations staff spot, within seconds, any node that has dropped off the mesh. Clearance-level filtering keeps the same inventory safe to use in environments where some operators must only see the nodes appropriate to their level.
Key Features
- Centralised Host Inventory: Every Nebula node belonging to your organisation is collected into one inventory, removing the need to log into individual gateways or lighthouses to understand the state of the mesh.
- Certificate Expiry Visibility: Each host record carries its Nebula certificate expiry, so expiring credentials are surfaced well before they lapse and cause an outage.
- Last-Handshake Tracking: The most recent handshake timestamp for every node is retained, giving operations staff an immediate signal when a node stops participating in the mesh.
- Lighthouse Awareness: Lighthouse role is recorded per host and rolled up into a count, so you always know how many coordination points your overlay depends on.
- Overlay and Public Addressing: Both the Nebula overlay address and the public address are stored for every node, making it straightforward to map logical mesh identity to real-world connectivity.
- Group Membership Mapping: Nebula group memberships are captured per host, reflecting the firewall and segmentation policy each node belongs to.
- Per-Organisation Statistics: Aggregate totals for all hosts, active hosts and lighthouse count are returned per organisation for at-a-glance health reporting.
- Clearance-Level Filtering: Host listings are filtered by the requesting operator's clearance so people only ever see nodes at or below their own secrecy level.
Use Cases
Distributed Enterprise Operations
Organisations running Nebula to connect offices, cloud regions and remote workers gain a single inventory of every overlay node. Operations staff confirm which sites are connected, which certificates are nearing expiry, and how many lighthouses are in service, all without touching individual hosts.
Tactical and Forward Deployments
Teams operating overlay mesh networks across forward or mobile sites can confirm node reachability from a central point. Last-handshake timestamps quickly distinguish a node that has moved out of coverage from one that has genuinely failed.
Network Operations Centre Monitoring
NOC operators use lighthouse counts and active-host totals as a continuous health indicator for the overlay. A drop in active hosts or a change in lighthouse count is an immediate prompt to investigate.
Multi-Classification Environments
In settings where operators hold different clearances, the same inventory serves everyone safely. Clearance-level filtering ensures each operator sees only the nodes their secrecy level permits, so the capability can be deployed broadly without exposing sensitive topology.
Certificate Lifecycle Management
Security and infrastructure teams track Nebula certificate expiry across the entire estate from one view, planning renewals ahead of time rather than reacting to outages.
Integration
Argus reads from your existing Nebula management endpoint over its REST/HTTP JSON API. A host is brought into Argus by providing the Nebula management base URL, a bearer token and a host name; the service then retrieves host detail from the Nebula endpoint at /api/v1/hosts/{host} and records it under your organisation.
- GraphQL API: The capability is exposed through the same GraphQL endpoint as the rest of the platform. A list operation returns host records, a stats operation returns per-organisation totals, and a mesh operation brings a host into the inventory from your management endpoint.
- REST and Bearer Auth: Argus talks to the Nebula management endpoint using standard HTTP with Authorization: Bearer credentials over TLS, so it works with the management tooling you already run.
- OAuth2 and JWT: Operator access to the GraphQL endpoint is authenticated with OAuth2 and JWT bearer tokens, and every field requires an authenticated session.
- Normalised Operational Model: Each host is also published into the shared operational picture as a network node entity, so overlay topology appears alongside data from other connectors in one consistent model rather than as an isolated silo.
- Audit and Compliance Hooks: Every host refresh writes an audit record, giving you a verifiable history of who pulled which node and when.
The customer plugs in their Nebula endpoint once and immediately gains inventory, statistics and an auditable operational feed without bespoke tooling.
Open Standards
- Nebula Overlay Mesh (slackhq/nebula): Interoperates with the open-source Nebula overlay mesh, reading host configuration, certificate and handshake state from its management API.
- HTTP/1.1 and REST: Host listing and host detail are retrieved over standard HTTP REST resource paths such as /api/v1/hosts.
- JSON: Host detail is exchanged as JSON, the native representation returned by the Nebula management API.
- OAuth 2.0 Bearer Tokens (RFC 6750): Calls to the Nebula management endpoint carry credentials in the Authorization: Bearer header, the standard bearer-token scheme.
- JSON Web Token (RFC 7519): Operator sessions on the GraphQL endpoint are carried as JWT bearer tokens.
- GraphQL: All operator-facing operations are served through a standard GraphQL endpoint.
- TLS: All connections to the Nebula management endpoint are made over TLS with certificate verification enabled.
- Noise Protocol Framework: Nebula tunnels themselves are secured with a Noise Protocol Framework handshake. This is the certificate and handshake lifecycle that Argus surfaces as the expiry and last-handshake fields.
- Curve25519 and Ed25519: Nebula identities and certificates use Curve25519 key agreement and Ed25519 signatures, the credentials whose expiry Argus tracks.
- IPv4 and CIDR Addressing: Overlay nodes are addressed with IPv4 addresses inside CIDR-defined overlay ranges, recorded per host as the Nebula overlay address.
Security & Compliance
- Organisation Scoping: Every host record, statistic and refresh is bound to the calling organisation, so no operator can read or affect another organisation's overlay inventory.
- Authenticated Access Only: All listing, statistics and mesh operations require an authenticated session; unauthenticated requests are rejected.
- Clearance Enforcement: Host listings are filtered so operators only see nodes at or below their own secrecy level, making the capability safe in multi-classification settings.
- Audit Trail: Each host refresh emits an audit record capturing the operator, organisation and host involved, supporting accountability and compliance review.
- Credential Handling: Nebula management credentials are supplied per request and used only to retrieve host detail over a verified TLS connection.
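An added sketch, not Argus code, of the inventory logic this page describes: organisation scoping, clearance filtering, per-organisation totals, and certificate-expiry and last-handshake flags. The record field names, integer clearance levels, thresholds and sample hosts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. Field names are assumptions for this sketch,
# not Argus's schema; clearance is an integer where higher means more secret.
NOW = datetime(2026, 5, 26, 12, 0, tzinfo=timezone.utc)

def _host(org, name, overlay, lighthouse, clearance, active, cert_days, hs_secs):
    return {"org": org, "name": name, "overlay_ip": overlay,
            "lighthouse": lighthouse, "clearance": clearance, "active": active,
            "cert_expiry": NOW + timedelta(days=cert_days),
            "last_handshake": NOW - timedelta(seconds=hs_secs)}

HOSTS = [
    _host("org-a", "lh-1",   "10.42.0.1", True,  0, True,  200, 30),
    _host("org-a", "edge-7", "10.42.0.7", False, 1, True,   12, 45),
    _host("org-a", "fwd-3",  "10.42.0.3", False, 2, False,  90, 3 * 3600),
    _host("org-b", "lh-9",   "10.99.0.1", True,  0, True,   -1, 20),
]

def visible_hosts(hosts, org, operator_clearance):
    """Scope to the caller's organisation, then keep only nodes at or below
    the operator's clearance."""
    return [h for h in hosts
            if h["org"] == org and h["clearance"] <= operator_clearance]

def org_stats(hosts, org):
    """Per-organisation totals: all hosts, active hosts, lighthouse count."""
    scoped = [h for h in hosts if h["org"] == org]
    return {"total": len(scoped),
            "active": sum(1 for h in scoped if h["active"]),
            "lighthouses": sum(1 for h in scoped if h["lighthouse"])}

def needs_attention(hosts, now, expiry_window=timedelta(days=30),
                    stale_after=timedelta(minutes=10)):
    """Map host name -> reasons. Both thresholds are assumed defaults."""
    flagged = {}
    for h in hosts:
        reasons = []
        if h["cert_expiry"] <= now:
            reasons.append("cert-expired")
        elif h["cert_expiry"] - now <= expiry_window:
            reasons.append("cert-expiring")
        if now - h["last_handshake"] > stale_after:
            reasons.append("handshake-stale")
        if reasons:
            flagged[h["name"]] = reasons
    return flagged
```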
Last Reviewed: 2026-05-26 Last Updated: 2026-05-26