Network Access Control

Overview

Arrow automatically manages VPN access control to ensure that only authorized consultants can connect to Arrow devices and virtual machines. This security feature restricts device access to specific team members, enhancing security and compliance.

Access control is managed automatically by VTEM Labs based on your consultant assignments. When consultants are assigned to devices in Arrow, the system automatically synchronizes these permissions to the VPN.

How It Works

When you assign consultants to a device in the Arrow Console, the following happens automatically:

Consultant Assignment: You add consultants to a device request
Automatic Sync: Arrow creates appropriate VPN groups and access policies
VPN Access Granted: Assigned consultants can now connect to the device via VPN
Removal Sync: When consultants are removed, their VPN access is revoked

flowchart LR
    A[Assign Consultant<br/>to Device] --> B[Arrow Creates<br/>VPN Groups]
    B --> C[Access Policy<br/>Created]
    C --> D[Consultant Can<br/>Connect via VPN]

    E[Remove Consultant<br/>from Device] --> F[VPN Access<br/>Revoked]

One-Way Access Model

VPN access policies are configured as one-way for security:

Direction	Allowed
Consultants to Devices	Yes - SSH, VNC, management access
Devices to Consultants	No - Blocked by policy

This security model ensures that even if a device is compromised, it cannot be used to attack consultant workstations or other infrastructure.

What You See in the Console

When viewing VPN details in the Arrow Console (VPN > NetBird > View Details):

Policies Tab

The Policies tab shows access control policies in effect. These are managed by VTEM Labs and cannot be modified directly. Policies you may see include:

Policy Type	Purpose
users-to-infrastructure	Allows consultants to access Arrow devices
Device-specific policies	Per-device access for assigned consultants
VM access policies	Access control for virtual machines

Groups Tab

The Groups tab shows VPN peer groups:

Group	Description
users	User workstations authenticated via IDP
pve	Physical Arrow devices (Proxmox hosts)
pvm	Virtual machines on physical Arrow hardware
vm	Virtual machines on other infrastructure

Managing Access

Adding Access

To grant a consultant access to a device:

Navigate to the device in the Arrow Console
Edit the device request or device settings
Add the consultant to the assignment list
Save changes

VPN access is updated automatically within minutes.

Removing Access

To revoke a consultant’s access:

Navigate to the device in the Arrow Console
Edit the device request or device settings
Remove the consultant from the assignment list
Save changes

VPN access is revoked automatically.

VM-Specific Access Control

Virtual machines provisioned through Arrow follow the same access control model:

Automatic Setup

When VMs are provisioned:

Device Group: Created for the VM
Consultant Group: Created for assigned users
Access Policy: One-way policy allowing consultants to reach the VM

VM Completion Cleanup

When VMs are completed, access control resources are automatically removed:

VPN peer registration removed
Device and consultant groups deleted
Access policies removed

Requirements

For automatic access control to work correctly:

Consultants must have VPN user accounts
Email addresses must match between Arrow and the VPN system
Users authenticate via your organization’s identity provider

Best Practices

Regular Review: Periodically review consultant assignments to ensure they’re current
Prompt Removal: Remove consultant access when team members leave projects
Document Assignments: Note why specific consultants are assigned in device requests

VPN Management - VPN connection and status
Device Management - Managing devices and assignments