I want to leverage the addressable terminators to access 2 or more AKS clusters in different Azure regions using one ziti service. Is this doable today?
Service Architecture:
ZDE1 → fabric → Edge Router with T option Region1 → Private AKS API Server (dns name)
ZDE1 → fabric → Edge Router with T option Region2 → Private AKS API Server (dns name)
etc
If it is, can sample configs be provided? Preferably using the dns name to address each API server separately.
Addressable terminators work best with ziti-aware client applications like zssh. If you’re not using a ziti-aware client, such as a tunneler, then you’ll lose the benefits of addressable terminators. Zssh has been purpose-built to understand and interact natively with an OpenZiti overlay. Tunnelers were specifically built to interact with the underlay and “non-ziti-aware” traffic…
That means that tunnelers are not currently able to do the sort of translations necessary to use addressable terminators. If you used addressable terminators, you’ll have to make two services for that to work in a tunneler, and at that point, you’ve lost the beauty of addressable terminators so it’s not worth it. It might be an interesting tunneler feature to add onto tunnelers to add “identities” to the internal DNS server, or something like that…
It looks like you’re trying to use some “api server” (http or other) so I doubt you’re trying to use ssh/zssh. If you were trying to use ssh, then you can use zssh instead and then you would get the benefit of addressable terminators.
I think there might be an interesting feature request in here though…
I may be wrong here. Correct me if I am, but I thought ZDE is a ziti-aware client. For VOIP, we had to use the identity name as the IP address to leverage the addressable terminator and dial by intercepted IP/PORT. I want to dial by intercepted DNS name, but I don’t want to name my hosted identity as the dialed DNS name. I want to add it as a tag or app data {key: value}, if that makes any sense? Is this possible today?
```json
"identity": {
  "description": "Associate the hosting terminator with the specified identity. '$tunneler_id.name' resolves to the name of the hosting tunneler's identity. '$tunneler_id.tag[tagName]' resolves to the value of the 'tagName' tag on the hosting tunneler's identity.",
  "type": "string"
},
```
I don’t see anywhere in the code where tags are processed like that. I’m gunshy now to say ‘no’ since I had forgotten about the other variables that it does support, but I didn’t see anything like that in the source code scrounging I did. @scareything will probably have to comment on this, if nobody else does.
I had to rename my ERs to the DNS name though, not ideal. Also, I had to restart them as well, at least in my case. I’d rather use a tag or app-data to advertise it in listenOptions. It would be @plorenz, since it is an ER on the hosting side.
PublicMEC$ kubectl config use-context dariusz-kube01
Switched to context "dariusz-kube01".
PublicMEC$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
aks-agentpool-13536061-vmss000000 Ready agent 5h22m v1.22.6
PublicMEC$ kubectl config use-context dariusz-kube02
Switched to context "dariusz-kube02".
PublicMEC$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
aks-agentpool-37721437-vmss000000 Ready agent 12h v1.22.6
PublicMEC$
[2022-09-08T00:38:48.520Z] INFO tunnel-cbs:ziti_dns.c:465 format_resp() found record[100.64.0.66] for query[1:dariusz-kube01-dns-f14c920d.21dc697f-f076-4df2-8220-90210ffbe23c.privatelink.westus.azmk8s.io]
[2022-09-08T00:38:53.942Z] INFO tunnel-cbs:ziti_dns.c:465 format_resp() found record[100.64.0.65] for query[1:dariusz-kube02-dns-66779d65.984d9e6e-39e6-4a62-be6c-9563b41fe154.privatelink.eastus2.azmk8s.io]
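As an added illustration (not code from this thread or from OpenZiti itself), here is a small model of the template resolution the quoted host.v1 schema describes: each hosting identity resolves its listenOptions.identity template, the dialing side resolves its dialOptions.identity template from the intercepted destination, and a dial reaches the terminator whose identity matches. The identity names, tags and DNS names are constructed; `$dst_hostname` on the dial side is an assumption, while `$dst_protocol`/`$dst_ip`/`$dst_port` follow the intercept.v1 docs.

```python
import re
from typing import Dict, List, Optional

# '$tunneler_id.tag[tagName]' as worded in the quoted host.v1 schema text
_TAG_RE = re.compile(r"\$tunneler_id\.tag\[([^\]]+)\]")


def resolve_listen_identity(template: str, identity: Dict) -> str:
    """Resolve a host.v1 listenOptions.identity template for one hosting identity."""
    out = template.replace("$tunneler_id.name", identity["name"])
    return _TAG_RE.sub(lambda m: identity.get("tags", {}).get(m.group(1), ""), out)


def resolve_dial_identity(template: str, dst: Dict) -> str:
    """Resolve an intercept.v1 dialOptions.identity template for one intercepted dial.
    $dst_hostname is an assumption here; the other three variables are documented."""
    for var, key in (("$dst_protocol", "protocol"), ("$dst_hostname", "hostname"),
                     ("$dst_ip", "ip"), ("$dst_port", "port")):
        template = template.replace(var, str(dst.get(key, "")))
    return template


def register_terminators(listen_template: str, hosts: List[Dict]) -> Dict[str, str]:
    """Map resolved terminator identity -> hosting identity name (one terminator per host)."""
    table: Dict[str, str] = {}
    for host in hosts:
        ident = resolve_listen_identity(listen_template, host)
        if ident in table:  # two hosts resolving to the same identity cannot be told apart
            raise ValueError(f"terminator identity {ident!r} is not unique")
        table[ident] = host["name"]
    return table


def pick_host(listen_template: str, dial_template: str, hosts: List[Dict], dst: Dict) -> Optional[str]:
    """Which hosting identity a dial would reach, or None when no terminator identity matches."""
    return register_terminators(listen_template, hosts).get(resolve_dial_identity(dial_template, dst))


# Constructed sample: two edge routers, one per region, each tagged with its AKS API server DNS name.
HOSTS = [
    {"name": "er-westus", "tags": {"aks-dns": "kube01.privatelink.westus.example"}},
    {"name": "er-eastus2", "tags": {"aks-dns": "kube02.privatelink.eastus2.example"}},
]
LISTEN_BY_TAG = "$tunneler_id.tag[aks-dns]"   # what the OP wants (tag instead of identity name)
LISTEN_BY_NAME = "$tunneler_id.name"          # what works today (rename the ER to the DNS name)
DIAL_BY_HOST = "$dst_hostname"

if __name__ == "__main__":
    dst = {"protocol": "tcp", "hostname": "kube01.privatelink.westus.example", "port": 443}
    print(pick_host(LISTEN_BY_TAG, DIAL_BY_HOST, HOSTS, dst))   # er-westus
    print(pick_host(LISTEN_BY_NAME, DIAL_BY_HOST, HOSTS, dst))  # None: ER names are not the DNS names
```

The second call shows why the ERs had to be renamed: with `$tunneler_id.name` on the hosting side, the terminator identity only matches the dialed DNS name if the identity is literally named after it.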
This looks like a great use case. Can I request a blog / detailed steps to do this? I am hoping this is transferable to other hosted Kubernetes like EKS.