Introduction
Edge View provides secure, on-demand remote access to your edge nodes for hands-on troubleshooting and maintenance. It allows access to devices behind a firewall and establishes a direct connection to the node, enabling both system-level diagnostics and secure access to application services (via VNC, SSH, web, and port-forwarding). Edge View sessions can be launched from a standalone container on a local PC or initiated directly through an integrated UI within ZEDEDA Cloud.
Access is governed by a robust security model that includes:
- Explicit project-level policies.
- Time-limited sessions authenticated with a JWT token.
- TLS-protected traffic with optional end-to-end encryption.
- The ability to restrict command execution to users with pre-registered SSH keys.
This multi-layered approach ensures that remote access is both powerful and strictly controlled.
Benefits of Edge View
Edge View provides a remote access capability to edge nodes that are behind a firewall. Users who are troubleshooting their edge node from a remote location can access the device as if they had a direct connection. Benefits of Edge View include:
- Remote Terminal Access: Edge View allows you to interact with your edge node through your terminal, as if you were logged directly into it.
- Maintenance & Troubleshooting: Ideal for hands-on debugging, without requiring physical access to the node.
- Secure Connectivity: Uses JSON Web Tokens (JWTs) and policy-based access to ensure only authorized users can connect to the node.
Note: The Edge View policy must be enabled at the project level, and the project must be applied to your edge nodes, before you can use the Edge View feature.
Edge View Topology
The figure below illustrates the topology and data flow for the Edge View feature. In this diagram, Edge View connects a user’s laptop to a remote edge node running EVE-OS.
The components of Edge View are as follows:
- User Laptop (running client container): The client machine is used by an operator to remotely access the edge node. Edge View uses a client-server model, so the container on the laptop is running the client software.
- Edge Node (running server container): This is the NUC, or node, that will be remotely managed. The Edge View feature uses a client-server model, so the container on the edge node is running the server software. Edge nodes are often running behind a firewall, so they typically cannot be directly accessed.
- Dispatcher (running in ZEDEDA Cloud): This is the central intermediary service that securely relays traffic between the user’s laptop and the edge node. This allows them to communicate without a direct connection.
- Controller (ZEDEDA GUI dashboard at right): This is used for the initial setup and provisioning of the EVE-OS node. (Note the JWT security token below).
Two main processes are shown in the topology diagram:
- Provisioning: The provisioning process starts with the controller (running on the ZEDEDA GUI dashboard), shown at right in the diagram. The controller sends the initial configuration to the edge node. The initial config file includes the JWT token for authentication and authorization.
- Operational data flow: The operational data flow shows the live communication path. This is essentially the step-by-step journey of your data after the initial setup is done. This path works similarly to a hub-and-spoke model, with the dispatcher, running in ZEDEDA Cloud, at the center.
  - When you send a query from your laptop, it does NOT go directly to the edge node but is instead sent over a WebSocket Secure (WSS) connection (encrypted with TLS) to the dispatcher.
  - The dispatcher then relays your query to the edge node.
  - The edge node sends its reply and it travels back along the exact same path. First, it leaves the node, goes through the dispatcher, and arrives back at your laptop. The entire journey is secured with encryption.
For more about Edge View’s architecture, refer to the LF Edge Edge View Architecture documentation.
Edge View Security
Edge View is built with security measures to protect your remote access sessions. You can limit access so that only specific users can establish a remote session to the edge node using the Edge View feature. This ensures that remote access is restricted to authorized personnel.
When you initiate a remote session, a JSON Web Token (JWT) is created and signed by the ZEDEDA Cloud controller. This token is then verified by the Edge View container running on the edge node, ensuring the request is legitimate and has not been tampered with. To prevent misuse, this JWT has a limited lifespan, which you can modify via the ZEDEDA CLI or GUI. You can also manually terminate a session at any time by disabling Edge View in the ZEDEDA Cloud for a specific edge node.
If the Edge View dispatcher were to be compromised, your session would remain secure. The dispatcher itself does not have access to the JWT token and cannot examine or modify the traffic flowing between you and the remote edge node. If desired, you can enable encryption within the Edge View policy so that the payload in your Edge View session is protected.
Finally, security controls extend to the ZEDEDA command-line level. Every command issued by the Edge View client is logged, and a corresponding event will be generated in ZEDEDA Cloud (and accessible on the 'Events' tab for the edge node). This provides a full audit trail of all remote actions taken on the edge node, ensuring accountability and transparency.
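The token check described in this section, sketched in Go as an added example (it is not ZEDEDA or EVE-OS code): the controller signs a token carrying an expiry, and the edge node verifies it holding only the controller's public key. The ES256 algorithm, the single `exp` claim, and the names `sign`, `verify` and `ctrlKey` are assumptions, since the page does not state the token's algorithm or claims.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var ctrlKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed demo key
var b64 = base64.RawURLEncoding

// sign plays the controller: ES256 over "header.claims" (algorithm and claim are assumptions).
func sign(priv *ecdsa.PrivateKey, exp time.Time) string {
	claims := fmt.Sprintf(`{"exp":%d}`, exp.Unix())
	msg := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString([]byte(claims))
	h := sha256.Sum256([]byte(msg))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return msg + "." + b64.EncodeToString(sig)
}

// verify plays the edge node: public key only, algorithm fixed in code, not read from the header.
func verify(pub *ecdsa.PublicKey, tok string, now time.Time) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed token")
	}
	sig, err := b64.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("signature invalid")
	}
	var c struct{ Exp int64 `json:"exp"` }
	raw, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(raw, &c) != nil || !now.Before(time.Unix(c.Exp, 0)) {
		return fmt.Errorf("claims unreadable or token expired")
	}
	return nil
}

func main() {
	fmt.Println(verify(&ctrlKey.PublicKey, sign(ctrlKey, time.Now().Add(time.Hour)), time.Now()))
}
```

The signature is checked before the claims are parsed, so a relay that rewrites `exp` to extend a session fails at the signature step rather than at the expiry step.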
Edge View Policies
Edge View policies allow you to remotely access your edge nodes. You can define a default policy for your enterprise using a specific project, which contains an Edge View policy. When the project is applied to an edge node, the node inherits the Edge View policy within that project. In other words, your edge nodes receive their remote access permissions from the Edge View policy contained within the project assigned to the node.
The Edge View policy allows you to configure several important settings, such as:
- Set the maximum duration for Edge View sessions.
- Configure the maximum number of simultaneous connections.
- Enable or disable the ability to connect with edge apps.
- Enable the ability to collect and download log files, to help with troubleshooting efforts.
For details on these and other Edge View policy settings, see Configure the Edge View Policy Settings.
Using Edge View
There are two ways to use Edge View:
- GUI-based method: This method is best for new users, and is similar to following a standard GUI wizard. See Configure Edge View with ZEDEDA GUI for details.
- Edge View client script-based method: This method is for experienced users who are comfortable using the command line to perform configurations, and have Docker running on their laptop. See Configure Edge View (Advanced Method) for details on this approach.
Access Methods
You can access your edge node and its applications in the following ways:
- SSH: Provides command-line access to both the main node and the applications running on it. For more info about securing SSH, see access control with SSH key pairs.
- VNC: Offers remote access to an application's graphical console.
- Kubectl: Allows you to use the standard Kubernetes command-line tool to perform read-only troubleshooting operations on edge nodes. This is available using the container approach discussed in the article “Advanced Method for configuring Edge View” (see Edge View Kubernetes Commands for Edge Node Cluster).
For more information about these access methods, or any general questions about Edge View, see the LF Edge FAQ.
Next Steps
This article is part of a series. There are different paths to configuring Edge View, so you can follow the articles in the order below, but it is not necessary to do so.
- Edge View Overview - You are here!
- Configure Edge View using the ZEDEDA GUI
- Use the ZEDEDA CLI to Configure Edge View
- Configure Edge View (Advanced Method)
After you’ve completed the series, you might be interested in the following articles.
- Read about Edge Access.