Deterministic Paths

Hey,

First of all, thanks for building this great open source project and community. I'm new to this and my question is probably dumb, but I want to connect to an ssh server using the overlay network, and I want that connection to go through a deterministic path of routers (like an ssh tunnel), like the diagram below

Is this possible?

Thanks for your help

You're welcome @andrescv! We love building it! Welcome to the community and to OpenZiti! We're happy you're enjoying the project!

Your question is incredibly timely! You certainly can do what you have depicted now that v0.30.0 of OpenZiti came out (You could not do this before). Also funny enough, @plorenz and I just did a Ziti TV TODAY on 'Link Groups' you can watch if you're interested. Paul's working on the doc for this feature, but the v0.30.0 changelog does explain it a bit.

If you MUST have a deterministic path through routers, it'll be kinda complicated. It doesn't feel like something you should do first. I'd recommend you start without trying to influence the pathing, get a hold of the basic concepts (unless you've done this already) and then move from there.

Now I'm sure you have a great reason for wanting to do this, but my next question is: "are you sure"? :slight_smile: I ask because part of what makes OpenZiti great is this fabric we've built. It routes traffic through the fastest path it knows about, which might go through a different set of routers. So if you don't want to explain why (which is fine), I just wanted to mention that, I'm sure you have a very solid reason.

So here's what you'll have to do:

  • provision the virginia and ohio routers
  • assign them a "link group" by editing their config files and adding the 'groups' field/setting
  • use a "service-edge-router-policy" to make it explicit that "client" is to ONLY access the "ssh service" using "router-virginia" and "server" is ONLY to access the "ssh service" using "router-ohio"
  • don't allow router-virginia and router-ohio to link to california (if you do, then OpenZiti MAY choose to route through CA if it's faster)

If you do those things, I think that's what you want. Without building it out and verifying/testing these instructions, you'll forgive me if I miss a step.... I think that's what'd be needed, but since it is so new, I might be off. (if Paul reads this, I'm certain he'll help me out by correcting me)

Ok, so yes, it's doable! It's maybe not as "easy" as you would hope, but doable is better than impossible! :slight_smile:
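
Putting the steps above into a concrete form, as an added example that is not from this thread or from the OpenZiti project: it renders the `link` section of a router config with the `groups` setting so that the two pinned routers link only to each other, and prints the policy commands. Router names, group names, the `ssh-service` name, the hostname and port, and the use of edge-router-policies to pin the `client` and `server` identities (alongside the service-edge-router-policy) are assumptions.

```shell
# Added example, not from any post in this thread. Router names, group
# names, ssh-service, example.com and port 10080 are assumptions.

# Render the `link` section of a router config. A dialer only dials
# listeners that share one of its groups, so virginia and ohio get one
# group and california another; CA then never links to them.
render_link_config() {
  router="$1"   # e.g. router-virginia
  group="$2"    # e.g. east
  cat <<EOF
link:
  dialers:
    - binding: transport
      groups:
        - ${group}
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:10080
      advertise: tls:${router}.example.com:10080
      groups:
        - ${group}
EOF
}

# Assumed group assignment for the three routers in the diagram.
group_for() {
  case "$1" in
    router-virginia|router-ohio) echo east ;;
    router-california) echo west ;;
    *) echo default ;;
  esac
}

# Exit 0 when two routers share a group and can therefore form a link.
can_link() {
  [ "$(group_for "$1")" = "$(group_for "$2")" ]
}

# Pin each identity to its router and the service to both. Printed, not
# executed, so this runs without a controller; pipe into sh when ready.
policy_commands() {
  cat <<'EOF'
ziti edge create edge-router-policy client-via-virginia --identity-roles '@client' --edge-router-roles '@router-virginia'
ziti edge create edge-router-policy server-via-ohio --identity-roles '@server' --edge-router-roles '@router-ohio'
ziti edge create service-edge-router-policy ssh-east --service-roles '@ssh-service' --edge-router-roles '@router-virginia,@router-ohio'
EOF
}
render_link_config router-virginia "$(group_for router-virginia)"
policy_commands
```

Redirect `render_link_config` output into each router's config before restarting it; `can_link` is a quick check that the group assignment really leaves california out of the virginia/ohio path.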

+1 for OP and deterministic paths -- I'm also interested/curious about this.

Welcome to the community @lefeb! I'm interested in why people are interested!! :slight_smile: What are your use-cases where you want to control the pathing? Is it cost? Is it observation? Is it additional underlay security (firewall related)?

I think it is interesting to see two people wanting to control the pathing instead of allowing the mesh to route it on its own.

Thanks for the welcome!
I'm interested in controlling paths for ensuring that the route taken avoids a particular geography. In a perfect world, it'd be at a granular level - i.e., a specific user<-->service combination must route through a pre-defined route (and/or just avoid certain routers); but all other services can use default routing.

As @TheLumberjack pointed out, it's doable in a very rough fashion currently with a combination of dedicated routers, link groups and edge-router and/or service-edge-router policies.

Longer term we're thinking of evolving service-edge-router policies into service-router policies, where the policy would limit the routers available for the whole path, not just initiating routers. That's work that will likely happen post-HA release and after the first pass of exploratory changes for routing to make sure that router policy can be efficiently incorporated into distributed routing decision making.

Cheers,
Paul

Thanks @TheLumberjack and @plorenz for the reply, I was able to play with link groups on the weekend (good OpenZiti TV video). The reason I asked for this is because sometimes in mission networks you want to force an amount of "redirectors" (routers in this case) and restrict the zones of these redirectors.

It would be great to do it by just updating the policies, instead of using the router config file; it seems like @plorenz mentioned something like this in his reply.