Bring cloud hosted service onto ziti network

Say I have a fully hosted cloud database that doesn't know anything about OpenZiti that I want to bring onto the OpenZiti mesh. The only network control I have over this service is to whitelist IP ranges. Is there a common strategy for bringing cloud services like this onto the OpenZiti network?

My thought is to spin up a machine that serves simply as a load balancer in front of the cloud service. Put the tunneler on this load balancer and allow the cloud service to only be able to talk to this machine. That way when I wanted to use the cloud service I connect to the load balancer via the ziti mesh and the load balancer connects to the cloud service via the regular internet.

Does OpenZiti have a piece that does something like this automatically? Is there a more common way to solve this problem?

That is the most common pattern. When connecting to something that you can't embed or install a tunneler on, controlling the ability of the service to only speak to the Ziti component, or maybe in this case the load balancer, which in turn can only be reached by the Ziti network, is a solid solution.


Hi @greg, welcome to the community and to OpenZiti!

As Mike said, yes, that's a very valid way of doing things. If you can install a tunneller in the same network as the cloud database, and if the cloud database offers some kind of "private" mode (such as Amazon RDS for example) you could put that tunneler into the same VPC. That's another very common pattern many cloud vendors support.

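As an added example of the pattern both replies describe (it is not code from the thread or from the OpenZiti project), the script below issues the `ziti` CLI calls that publish an IP-allowlisted cloud database as a Ziti service hosted by the tunneler on the gateway machine. The service name `cloud-db`, the intercept address `db.ziti`, the database endpoint `db.example.internal`, and the identity roles `#db-hosts` and `#db-clients` are assumptions; only the gateway's egress IP belongs in the database's allowlist, so the database is reachable from nothing but the Ziti fabric. Set `ZITI=echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: publish an IP-allowlisted cloud database through a Ziti
# tunneler host. All names below are assumptions, not values from the thread.
set -eu

SERVICE="cloud-db"                # assumed Ziti service name
DB_HOST="db.example.internal"     # constructed placeholder for the cloud DB endpoint
DB_PORT=5432
INTERCEPT_ADDR="db.ziti"          # name that clients dial over the fabric

# ZITI=echo gives a dry run that prints each command instead of executing it.
ZITI="${ZITI:-ziti}"

# host.v1 config: how the hosting tunneler (the only allowlisted source IP)
# reaches the real database over the regular internet / VPC.
host_config_json() {
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# intercept.v1 config: what client tunnelers intercept locally, so an app
# simply connects to db.ziti:5432 and never sees the real endpoint.
intercept_config_json() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' \
    "$1" "$2" "$2"
}

# Create configs, the service, and the two policies that pin who may host
# (Bind) and who may reach (Dial) the database.
create_service() {
  $ZITI edge create config "${SERVICE}-host" host.v1 \
    "$(host_config_json "$DB_HOST" "$DB_PORT")"
  $ZITI edge create config "${SERVICE}-intercept" intercept.v1 \
    "$(intercept_config_json "$INTERCEPT_ADDR" "$DB_PORT")"
  $ZITI edge create service "$SERVICE" \
    --configs "${SERVICE}-host,${SERVICE}-intercept"
  # Bind: only identities tagged #db-hosts (the allowlisted gateway) may host it.
  $ZITI edge create service-policy "${SERVICE}-bind" Bind \
    --service-roles "@${SERVICE}" --identity-roles '#db-hosts'
  # Dial: only identities tagged #db-clients may connect to it.
  $ZITI edge create service-policy "${SERVICE}-dial" Dial \
    --service-roles "@${SERVICE}" --identity-roles '#db-clients'
}

# Run only when invoked as: sh publish-db.sh run
if [ "${1:-}" = "run" ]; then
  create_service
fi
```

The gateway identity is enrolled with the `#db-hosts` role and runs the tunneler in host mode; every database connection then originates from that machine, which is the single address the cloud provider's allowlist needs to contain. Rotating or revoking a client identity in Ziti cuts its access without touching the allowlist at all.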