I think addressable terminators can help with this case. Basically you set dialOptions.identity in the intercept configuration to tell the dialing tunneler which terminator to dial. Here’s an example from an ssh service that I use:
ziti edge create config ssh-intercept.v1 intercept.v1 '{
  "protocols": ["tcp"],
  "addresses": ["zet.shawns-m1-mbp","zde.shawns-m1-mbp","zet.fedora-37-vm"],
  "portRanges": [{"low":22,"high":22}],
  "dialOptions": {
    "identity": "$dst_hostname"
  }
}'
And you also need to tell the hosting tunnelers what their terminator name is. You can do this with listenOptions.identity or listenOptions.bindUsingEdgeIdentity. Here’s the remainder of my ssh example. This assumes that the identities are named exactly the same as the hostnames that they are addressed by:
ziti edge create config ssh-host.v1 host.v1 '{
  "protocol": "tcp",
  "address": "127.0.0.1",
  "port": 22,
  "listenOptions": {
    "bindUsingEdgeIdentity": true
  }
}'
At this time the following variables are supported in dialOptions.identity:
$dst_protocol, $dst_ip, $dst_port, $dst_hostname
See "support domain substitutions" (Issue #540, openziti/ziti-tunnel-sdk-c on GitHub) for some ideas that might be implemented in the future, and of course feel free to comment on the issue with any thoughts.
listenOptions.identity currently only supports $tunneler_id.name, which is effectively the same as setting bindUsingEdgeIdentity to true.
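
An added example, not part of the original post or of OpenZiti's code: a pre-flight check for the naming assumption in the ssh example, reporting intercept addresses whose expanded dialOptions.identity matches no hosting identity name. The substitution is a simplified model of the tunneler's behaviour, `$dst_ip` is not modelled, and the `enrolled` set is constructed sample data.

```python
import json
import re

# Variables the post lists as supported in dialOptions.identity.
SUPPORTED_VARS = {"dst_protocol", "dst_ip", "dst_port", "dst_hostname"}
VAR_RE = re.compile(r"\$([A-Za-z_]+)")

# The intercept.v1 config from the post.
INTERCEPT = json.loads("""{
  "protocols": ["tcp"],
  "addresses": ["zet.shawns-m1-mbp", "zde.shawns-m1-mbp", "zet.fedora-37-vm"],
  "portRanges": [{"low": 22, "high": 22}],
  "dialOptions": {"identity": "$dst_hostname"}
}""")


def unsupported_vars(template):
    """Return the $variables in a template that the post does not list."""
    return sorted(set(VAR_RE.findall(template)) - SUPPORTED_VARS)


def expand(template, conn):
    """Simplified model of the substitution: swap each known $var for its value."""
    return VAR_RE.sub(lambda m: str(conn.get(m.group(1), m.group(0))), template)


def unmatched_addresses(intercept, hosting_identities):
    """List intercept addresses whose expanded terminator name has no host.

    Assumes every hosting tunneler uses bindUsingEdgeIdentity, so its
    terminator name is its identity name, compared here as an exact string.
    """
    template = intercept["dialOptions"]["identity"]
    missing = []
    for addr in intercept["addresses"]:
        for proto in intercept["protocols"]:
            for ports in intercept["portRanges"]:
                for port in range(ports["low"], ports["high"] + 1):
                    conn = {"dst_hostname": addr, "dst_protocol": proto,
                            "dst_port": port}
                    name = expand(template, conn)
                    if name not in hosting_identities and addr not in missing:
                        missing.append(addr)
    return missing


if __name__ == "__main__":
    enrolled = {"zet.shawns-m1-mbp", "zde.shawns-m1-mbp"}  # constructed sample
    print(unmatched_addresses(INTERCEPT, enrolled))
```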