Architecture advice for ensuring isolation for multiple apps deployed within multiple private corporate networks

Hi All,

Total newbie here looking to see if OpenZiti can fulfill my requirements for a new project, and would be very grateful of any advice as to whether this is the right path to dive down.

I have contracted a dev team (only amateur myself) to create an app which will be provided to different companies on physical servers to integrate into their network. The servers will run in remote locations facilitating local use by teams onsite, and enable remote access when internet connectivity is available. It's a service industry which relies on a wide pool of freelancers who jump from job to job, working within the service companies acquiring data for various end clients. Each company may have multiple locations, each with its own server.

We are looking to employ a global database to store the metadata of the deployed server instances and to manage the global pool of users. Managers within the companies will assign users to one or more servers which will trigger a process to enable subsequent local authentication within the app.

I am looking to understand if we are able to reliably control remote user access to different servers using a Ziti overlay, to ensure data security for the companies using the service.

A couple of questions:

  1. Could this be accomplished with a single global Controller with multiple Edge Routers configured for the servers deployed within each company network?

  2. If employing a single Controller, can the Edge Routers be tiered into collections? So as to have a single parent Edge Router as an access point to each company, and then additional Edge Routers as child components for handling internal traffic?

  3. Would it be better to implement a different Controller for each company, to manage their respective servers? If so, is there a way to enable communication between the networks? I.e. for end client users who may need to access servers deployed in different companies they have contracted?

Thanks in advance for any time taken to respond!

Hi @SSGeo, welcome to the community and to OpenZiti (and zrok/BrowZer)!

Do you plan for OpenZiti to be this global database? In my opinion, this fits OpenZiti's model right now completely. You would manage access by effectively adding discrete servers to identities using service policies. Personally, I would do this with attributes but you could assign individual identities more granularly if you prefer.

With the information I have so far, I would certainly believe it to fulfill this requirement easily.

Yup. That's how I'd be doing it, exactly. :slight_smile:

Yes, you CAN do that. As to if you should or not -- I'm not sure but most definitely you can do this with link groups and with service edge router policies. This diagram represents what you're looking for, right?

You would satisfy this by restricting services to the router in the segment you want using a "service edge router" policy (SERP). SERPs control where traffic can originate or exit the OpenZiti overlay. You can restrict the service to the segment in question that way but be careful you don't open the full network using a permissive SERP.

Then, you would use "link groups" to restrict/steer the segmented traffic to only dial the dmz router.

I don't think I'd start there, no. But that'd be doable if you end up needing to do that.
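To make the SERP caveat above concrete, here is an added toy model of how the three policy types combine (example code written for this thread, not OpenZiti code or its real evaluation engine; the entity names, attributes and policies are constructed, and the model assumes the documented AnyOf role matching and that a dial may only use routers granted to both the identity and the service):

```python
"""Toy model of OpenZiti policy evaluation (added example, not OpenZiti code).
Roles: '#attr' matches entities carrying attr, '@name' one named entity,
'#all' everything; a policy applies if any of its roles match (AnyOf)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    name: str
    attrs: frozenset = frozenset()

def matches(roles, e):
    return "#all" in roles or f"@{e.name}" in roles or any(f"#{a}" in roles for a in e.attrs)

def dial_routers(identity, service, service_policies, router_policies, serps, routers):
    """Routers through which identity may dial service: a Dial service policy must
    grant the pair, and a router must be granted BOTH to the identity (edge router
    policy) and to the service (SERP); the intersection is what the client may use."""
    if not any(p["type"] == "Dial" and matches(p["identities"], identity)
               and matches(p["services"], service) for p in service_policies):
        return set()
    for_identity = {r.name for r in routers for p in router_policies
                    if matches(p["identities"], identity) and matches(p["routers"], r)}
    for_service = {r.name for r in routers for p in serps
                   if matches(p["services"], service) and matches(p["routers"], r)}
    return for_identity & for_service

# Constructed scenario: two customer networks, each with its own DMZ router, plus a public router.
ROUTERS = [Entity("acme-dmz", frozenset({"acme"})), Entity("globex-dmz", frozenset({"globex"})),
           Entity("public-1", frozenset({"public"}))]
ACME_APP, GLOBEX_APP = Entity("acme-app", frozenset({"acme"})), Entity("globex-app", frozenset({"globex"}))
JANE = Entity("jane", frozenset({"acme-users"}))                                  # freelancer assigned to Acme only
BOB = Entity("bob", frozenset({"acme-users", "globex-users", "globex-onsite"}))  # end client, onsite at Globex
SERVICE_POLICIES = [
    {"type": "Dial", "identities": {"#acme-users"}, "services": {"#acme"}},
    {"type": "Dial", "identities": {"#globex-users"}, "services": {"#globex"}},
]
ROUTER_POLICIES = [{"identities": {"#all"}, "routers": {"#public"}},
                   {"identities": {"#globex-onsite"}, "routers": {"#globex"}}]
SCOPED_SERPS = [{"services": {"#acme"}, "routers": {"#acme", "#public"}},
                {"services": {"#globex"}, "routers": {"#globex", "#public"}}]
PERMISSIVE_SERP = [{"services": {"#all"}, "routers": {"#all"}}]   # the permissive setting to avoid

def reachable(identity, service, serps):
    return dial_routers(identity, service, SERVICE_POLICIES, ROUTER_POLICIES, serps, ROUTERS)

if __name__ == "__main__":
    print("jane -> acme-app   (scoped):    ", reachable(JANE, ACME_APP, SCOPED_SERPS))
    print("jane -> globex-app (scoped):    ", reachable(JANE, GLOBEX_APP, SCOPED_SERPS))
    print("bob  -> acme-app   (scoped):    ", reachable(BOB, ACME_APP, SCOPED_SERPS))
    print("bob  -> acme-app   (permissive):", reachable(BOB, ACME_APP, PERMISSIVE_SERP))
```

With the scoped SERPs Bob's Acme traffic can only use the public router, whereas the permissive SERP lets Acme's service traffic originate at Globex's DMZ router, which is the segmentation leak the reply warns about.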

@TheLumberjack thank you very much for your response!

I imagine a separate database will be needed (likely Postgres as that will be used for the app on the remote servers) as there will be additional data synced to the global server relating to individual project activity, i.e. user notifications for internal app events, additional fields for assignment periods to enable a type of user booking system to avoid assignment conflicts, and additional tables for managing the business aspects from my side. But I would look to use OpenZiti to integrate with this to provide the authentication and handle the routing for remote access to the deployed servers.

Yes, thank you, exactly what I was looking for.

In this scenario, after the controller has authenticated the user, can a direct connection be established from the user to the customer DMZ private router? Or will all traffic have to be routed through a public router? Or if OpenZiti is embedded into both Client (PWA) and remote web server apps, can a P2P connection be established?

As far as I understand the concepts, the DMZ exists to prevent deeper penetration within a network if compromised. As lateral movement is restricted by zero trust access policies, this seems redundant and I suppose adds additional complexity. Is this why you suggest it's possible but not necessarily a recommendation?

This does come down to hair-splitting perhaps, but I would consider the connection "direct", even though the traffic routes through the public edge routers. Unless you are co-located at the facility and on the same network as the router, in general, I would say all traffic is routed through one/more public routers. It's still a direct connection from the client's perspective. Any other encryption (https, ssh, whatever) is not impacted, so OpenZiti is entirely transparent to the client/server.

At this time, it's expected for a router to be "on the open internet" to provide the reach necessary without opening holes in firewalls. Hope that makes sense?

Well, I was thinking if it were me, I'd just skip the router in the DMZ as it doesn't seem "necessary", going directly to each segment (DMZ router removed).

I found another article (Got 5 Minutes? Secure Your Python Website with Zero Trust.) which describes what I was alluding to, but I see your point on splitting hairs.

Yep, that's what I thought.

One more question if you don't mind... :slight_smile:

Can the Ziti Admin Console be utilized by multiple different organizational units? So that, for instance, the I.T. team in a particular company could monitor the components in their particular segment of the overlay, whilst the components assigned to other units (companies) would remain hidden?

Everything on here looks really awesome, so I'll point the team I'm working with to take a look for their review and see if it fits.

At this time - no. There's no granular control over entities in that way, currently. If that's a need, that's when you'd end up having to make 'n' instances for 'n' organizational units. If you're interested in the SaaS offering from NetFoundry, I think orchestrating that is something it can do. It's something we have talked about implementing in the past so it might be added some day, just not currently.

Orthogonally to the Django (Python server listening only on Ziti network), here's a Django zrok example (Python server listening only on Ziti network but configured through zrok).

Thanks for the information guys, much appreciated.

Everything looks fantastic, really amazing tech. The only sticking point in my case would be in providing each company I.T. department the access controls for their particular segment. Whether we can put together a simplified portal to enable this, or whether orchestration of multiple controllers is the only way...