Connecting openziti controllers

I'm sure this has been covered, but I'm having trouble wrapping my head around the flow of data from identity -> controller -> another controller -> somewhere else.

I have a pretty good handle on identity -> controller -> bound tunneler, but my understanding is limited to the quickstart and the functionality provided in the ZAC UI.

I have two controllers controlled by separate business entities, wherein each controller is ostensibly administered by different teams with their own priorities and private security rules. I'd like to pass traffic from identities created on controller A through controller B.

If someone could give me a few hints on how to do this, or even the terminology necessary, I would appreciate it.

Just for context, I'm building a mobile app that will use the SDKs to communicate through controller A. Still wrapping my head around how I want to work the openziti identity enrollment in with OIDC.

Hi @tempire, what you're looking to do isn't currently supported by OpenZiti. It sounds like you're looking for something like federation, where multiple OpenZiti networks can interoperate. That's a big, complicated feature that we've discussed, but aren't currently working on implementing.

If you can't run everything within one network, the best I can recommend at the moment would be to build a custom proxy. The proxy could have one or more identities in both networks. It could host services on the source network and then proxy them through to a service on the second network. You'd have to define the mapping of identities and services.

If you've got thoughts on how you think a future federation feature should work, feel free to share them.

Hope that's helpful,
Paul

Ah, ok. That's good to know, thanks. Explains why I haven't been able to find anything about it. I kind of assumed it was possible based on the terminology of various types of edge routers.

I'm stretching here, but is there any kind of packet marking on traffic that goes through an openziti overlay - something that can be linked to an identity? I'm thinking something like iptables uses for marking and mangling.

Hey Tempire, a few hints and questions:

  • I'm building a mobile app that will use the SDKs to communicate through controller A: Any extra context you can provide helps us to understand the 'why', which means we can suggest ways to achieve it. For example, Ziti edge components can host multiple identities from different overlay controllers so maybe that helps.
  • flow of data from identity -> controller: So we have the same understanding, data does not flow through the controller. Ziti consists of the 'edge' (SDKs/tunnellers) and the 'fabric' (controllers & routers); the edge is the endpoints (SDKs/tunnellers), which act as points of ingress/egress and consume strong identity. They authN/authZ to the controller, are given services, and connect outbound to the routers to form the data plane mesh.
  • any kind of packet marking on traffic: 100%, yes. Ziti uses its identity system for many things, including routing over the overlay. This is why you get a private DNS which does not need to comply with TLDs, as well as knowing exactly which identity is accessing which service, at which time, for how long, and how much data/packets they are sending. Others can share more explicit details and you can grab this information.... BUT, forming full circle to my original comment, understanding the 'why' behind your question helps us to give the best answers and insights.

There are two approaches I can think of:

  1. You can pass some arbitrary data on the dial. For example, in the Go SDK, you can provide it in the AppData field of the DialOptions.
type DialOptions struct {
	ConnectTimeout  time.Duration
	Identity        string
	CallerId        string
	AppData         []byte
	StickinessToken []byte
}

On the hosting side, you can retrieve this from the connection using the GetAppData method.

type ServiceConn interface {
	net.Conn
	CloseWriter
	IsClosed() bool
	GetAppData() []byte
	SourceIdentifier() string
	TraceRoute(hops uint32, timeout time.Duration) (*TraceRouteResult, error)
	GetCircuitId() string
	GetStickinessToken() []byte
}

This would allow you to add whatever correlation data you needed, per-connection.

  2. You can always add your own data envelope and provide per-payload context.

Hope that helps,
Paul
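Both of Paul's approaches on the hosting side, as an added example that is not from this thread or the OpenZiti SDK: HostConn mirrors only the GetAppData and SourceIdentifier methods of the SDK's ServiceConn so a stand-in connection can exercise it, the length-prefixed JSON envelope and the maxFrame bound are this example's own choices, and the identity and trace ID values are constructed.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"errors"
	"io"
)

// HostConn is the subset of the SDK's ServiceConn interface used below.
type HostConn interface {
	io.Reader
	GetAppData() []byte
	SourceIdentifier() string
}
// Envelope is approach 2: per-payload context, framed as a big-endian uint32 length plus JSON.
type Envelope struct {
	Seq     uint32 `json:"seq"`
	Payload []byte `json:"payload"`
}
const maxFrame = 1 << 16 // bound the peer-supplied length before allocating

func WriteEnvelope(w io.Writer, e Envelope) error {
	b, err := json.Marshal(e)
	if err != nil {
		return err
	}
	_, err = w.Write(append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...))
	return err
}

func ReadEnvelope(r io.Reader) (e Envelope, err error) {
	var n uint32
	if err = binary.Read(r, binary.BigEndian, &n); err != nil {
		return e, err
	}
	if n > maxFrame {
		return e, errors.New("envelope exceeds maxFrame")
	}
	b := make([]byte, n)
	if _, err = io.ReadFull(r, b); err != nil {
		return e, err
	}
	return e, json.Unmarshal(b, &e)
}

// Accept is the hosting side: SourceIdentifier is set by the SDK, AppData is whatever the dialer put in DialOptions.AppData (a trace ID here), so correlate on it but never authorize on it.
func Accept(c HostConn) (identity, traceID string, first Envelope, err error) {
	first, err = ReadEnvelope(c)
	return c.SourceIdentifier(), string(c.GetAppData()), first, err
}
```

A real SDK ServiceConn satisfies HostConn as-is, since it embeds net.Conn.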