Endpoint questions

Request from the field.

  • I know a tunneler can have multiple identities. Does this mean that an Edge Router deployed with a tunneler on it could be given multiple identities to effectively provide a multi-tenant ER, i.e., rather than needing an ER per customer (which would consume more compute+memory than desired)?
  • If someone wanted to embed an OpenZiti SDK inside a Linux-based agent, which SDK would it be? C? I assume (correct if wrong), it would be Kotlin and Swift respectively for Android and iOS.

I'd expect that it's most likely it'd be C or Golang. And yes, Android/iOS would want Kotlin/Swift.

ERs and Controllers are not multi-tenant. The tunnelers (e.g., Desktop/Mobile Edge apps) are multi-tenant, as you call out. Controllers/ERs are currently part of a single tenancy. Only if the identities are on the same Ziti network will they share controller/ERs.

So you could have a single (or more for HA) Edge Router as part of the fabric while deploying tunnelers on the hosts in the server environment. Using ABAC and policy, this would allow the extension of multi-tenancy on the same overlay network, right?

“Yes” if I understand you correctly. On a single network, you can use policies to segregate endpoint access to services. The NetFoundry product (based on OpenZiti) has the concept of “AppWANs” on a single network - basically what you describe. “AppWANs” are created using the standard OpenZiti policies and attributes (basically “this set of users are allowed to access this set of services”).
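
An added example, not part of the thread and not OpenZiti code: a simplified Python model of attribute-based dial policies on one shared network, with an audit that lists any identity able to reach another tenant's service. The `#attribute` / `@name` role notation follows OpenZiti's convention; the entity names, the `tenant-` attribute prefix and the matching logic are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:                      # an identity or a service (hypothetical model)
    name: str
    attrs: frozenset

@dataclass(frozen=True)
class DialPolicy:                  # "this set of identities may dial this set of services"
    name: str
    identity_roles: tuple          # "#attr" matches an attribute, "@name" an exact name
    service_roles: tuple
    semantic: str = "AnyOf"        # or "AllOf"

def role_match(entity, roles, semantic):
    hits = [r[1:] in entity.attrs if r.startswith("#") else r[1:] == entity.name
            for r in roles]
    return bool(hits) and (all(hits) if semantic == "AllOf" else any(hits))

def can_dial(identity, service, policies):
    # Default deny: access exists only if some policy matches both sides.
    return any(role_match(identity, p.identity_roles, p.semantic)
               and role_match(service, p.service_roles, p.semantic)
               for p in policies)

def tenant_of(entity):
    # Assumption: every entity carries exactly one "tenant-..." attribute.
    return next(a for a in sorted(entity.attrs) if a.startswith("tenant-"))

def cross_tenant_leaks(identities, services, policies):
    """Return (identity, service) pairs reachable across a tenant boundary."""
    return sorted((i.name, s.name) for i in identities for s in services
                  if can_dial(i, s, policies) and tenant_of(i) != tenant_of(s))

# Constructed sample data: two tenants sharing one overlay network.
ALICE = Entity("alice-laptop", frozenset({"tenant-a", "ops"}))
BOB = Entity("bob-phone", frozenset({"tenant-b"}))
A_DB = Entity("a-db", frozenset({"tenant-a", "db"}))
B_DB = Entity("b-db", frozenset({"tenant-b", "db"}))
IDENTITIES, SERVICES = [ALICE, BOB], [A_DB, B_DB]

SEGREGATED = [DialPolicy("appwan-a", ("#tenant-a",), ("#tenant-a",)),
              DialPolicy("appwan-b", ("#tenant-b",), ("#tenant-b",))]
# A policy keyed on non-tenant attributes silently spans both tenants.
TOO_BROAD = SEGREGATED + [DialPolicy("ops-db", ("#ops",), ("#db",))]

if __name__ == "__main__":
    print(cross_tenant_leaks(IDENTITIES, SERVICES, SEGREGATED))
    print(cross_tenant_leaks(IDENTITIES, SERVICES, TOO_BROAD))
```

The second policy set shows why tenant separation on a shared network depends on every policy being scoped by a tenant attribute: one policy written only in terms of functional attributes is enough to cross the boundary.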