Is it possible to configure an edge-router as gateway? For example, i have a few hosts in my network and would like them to communicate with services in Ziti, but without installing a tunneler or edge client on them (Just send the traffic to the “customer edge router”)?
Is there a way to get this done? And i also know that this scenario does not make much sense at all, but i still would like to know if there is a configuration for this.
I answered:
To your question; yes and no …
Lets start with some concepts. Within Ziti (today) there is a difference between Edge and Fabric:
Edge: Secure, Zero Trust entry point into your network (identity-based authorise, authenticate, encrypt) via SDK or tunnels
Fabric: Scalable, pluggable, geo-scale routable mesh network overlay, with smart routing and dynamic healing features
Now to your question and answers:
No: An edge router is part of the fabric. If its ‘link listener’ is turned off it’s officially the ‘edge’, can see all the other routers and thus choose E2E, best performing path, while being outbound only so we do not need inbound ports open. If the ‘link listener’ is on its part of the fabric mesh network (I call them fabric routers). The edge router in question does not actually have an understanding of the Ziti edge and how to offramp from the overlay. This requires an edge SDK (or tunneler which is an encapsulated SDK to run on the OS). So, no, an edge router cannot be natively configured as a gateway offramp.
Yes: However, you can create custom images of edge router and tunneler combined (i.e., yes to your question). This is what NetFoundry does with their SaaS implementation of OpenZiti. This allows an Edge Router image to provide the functionality that you (and other customers) want without needing to know about the conceptual differences.
I actually don't know the answer to this one. I feel like maybe one of our cloud eng people made this happen at one point? I don't recall - I'll see if i can get one of them to comment on this.
this just means that the router is not configured to have other edge routers connect to it. if it has a link dialer it can still dial other edge routers that are setup as 'link listeners'
an edge router can be part of the fabric without having link listener on. see above for how it participates on the mesh. All edge routers are 'fabric routers'. If the router does not have 'edge' enabled it simply cannot handle edge connections from edge sdk clients. it's still part of the mesh. A router that's not part of the mesh is not useful
all 'edge routers' have this understanding but they need to have 'edge' configured on them. so i'm not quite sure I'd agree with this sentiment?
The word offramp confuses me here. It sounds like the question is more about using the edge router for onramp than offramp based on the question. They want to "Just send the traffic to the customer edge router". Sounds like the concept of a "Default Gateway" to me.
This will create an identity that’s tied to the edge-router binary and that will use the edge-router process as its only ingress/egress from the fabric. Services can be terminated on this identity like any other identity thus if you direct traffic to the edge-router where this tunneler is integrated it will act as a gateway to the ziti network for both ingress and egress just like any tunnel can.
if you list identities you will see this identity has a type of “Router” i.e.
root@# /opt/netfoundry/ziti/ziti-controller/ziti edge list identities
id: 0doQUU1bz name: PINGRTR type: Router role attributes: {}
np. make sure to click “more info” under the video and follow the github link it provides all the commands/configs used to setup the edge-routers in the video as well as the ssh service.
Very cool demo. I will need to spend some time to digest all of this. I found it very instructional and really appreciate your effort to put this together.
…