Best practice for separating ZAC and management API while keeping edge clients online

larry1788 · March 26, 2026, 1:40pm

Hi all, quick question about Ziti architecture

I'm trying to move ZAC and the management API to internal-only access (private network / via Ziti), but keep edge clients and routers working normally.

Is it supported to:

keep client/edge API public
but move management + ZAC internal only?

Also, which endpoints MUST stay public so existing clients don’t disconnect?

Thanks!

TheLumberjack · March 26, 2026, 2:37pm

Hi @larry1788, welcome to the community and to OpenZiti!

The only apis that MUST remain public are edge-oidc and edge-client.

There are many discourse posts and a fair number of videos on YouTube that discuss this if you're interested but that's the short of it - JUST those two.

Topic		Replies	Views
Question ZAC whitelist Ziti Administration Console	2	48	August 21, 2025
Unable to configure Controller with split API General Questions	5	114	March 12, 2025
Client API exposes json payload with all API endpoints in public Support	3	58	July 2, 2025
How to properly setup ZAC and management API General Questions	8	57	February 28, 2026
Making ZAC and management API accessible only through service General Questions	7	147	February 18, 2025

Best practice for separating ZAC and management API while keeping edge clients online

Related topics