Nebula Configuration - ezra-buckingham/terry-the-terraformer GitHub Wiki

Nebula is an open-source overlay networking project from the Slack team (slackhq/nebula on GitHub).

Why use Nebula?

Nebula provides secure communications across all nodes in a deployment, including nodes behind firewalls and inside NAT'ed networks. This works by using a Lighthouse node on the internet to act as the gateway or router for the Nebula network. The advantage is that all reverse proxies can send traffic through the secure overlay network instead of needing to set up firewall rules or adjust host firewall rules. Nodes on the Nebula network can communicate freely with each other, and the deployment will ALLOW ALL traffic to and from the Nebula network interface.

Opting out of Nebula

By default, Terry will deploy Nebula to all nodes in a deployment. Nebula can be disabled with the -N / --no_nebula flag.

Configuration

If you plan on using Nebula, it must be installed on your host.

sudo apt install nebula

Locate the executable binary.

which nebula

Add that location to your config.yml as the value of nebula_path.

global:
  project_directory: ./deployments
  terraform_path:
  ansible_path:
  nebula_path: <PATH TO NEBULA>   # the path printed by `which nebula`
  nebula_subnet: 10.36.36.0/24

If Nebula is defined for the build, Terry will validate that one Lighthouse node exists in the build. If no Lighthouse is defined, Terry will prompt you to confirm you want to build one.

If you confirm, Terry will create the root certificate and host certificates inside the <project_folder>/nebula/ folder on the server where Terry is running. Terry will first generate the root certificate and then the host certificates.

Once all certificates and keys are built, Terry will install Nebula on each server, deploy the default configuration, and create a nebula service on the host that is started automatically.

That Nebula network will be allowed to freely communicate, without any UFW or Nebula firewall restrictions.
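The allow-all behaviour described above lives in the firewall section of each host's Nebula config.yml. As an added illustration, not Terry's deployed configuration (whose exact contents this page does not show), the permissive rule set is shown beside a restricted one for a reverse-proxy host, as two YAML documents separated by ---. The group names proxy and ops are assumed for the example; in a real deployment they are set with the -groups flag of nebula-cert sign when each host certificate is created.

```yaml
# Added example: two alternative "firewall" sections for a Nebula host config.yml.
# These rules apply only to traffic crossing the Nebula overlay interface; they
# do not replace UFW or other host firewall rules on the underlying interfaces.

# Document 1 - permissive, as the page describes: any Nebula peer may reach any port.
firewall:
  outbound_action: drop
  inbound_action: drop
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: any
      host: any
---
# Document 2 - restricted, for a reverse-proxy host: only what the role needs.
# Group names "proxy" and "ops" are assumed; they come from the -groups flag
# passed to "nebula-cert sign" for each host certificate.
firewall:
  outbound_action: drop
  inbound_action: drop
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # ICMP from any peer, so reachability checks keep working
    - port: any
      proto: icmp
      host: any
    # Proxied HTTP/S only from peers whose certificate carries the "proxy" group
    - port: 443
      proto: tcp
      group: proxy
    - port: 80
      proto: tcp
      group: proxy
    # SSH only from peers in the "ops" group; everything else is dropped
    - port: 22
      proto: tcp
      group: ops
```

Each rule's selector (host, group, groups, cidr) is matched independently, so keep one selector per rule when you want a precise policy.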