Expected Behaviour of 'domain join' design guide deployment/wildcards in intercept config

Hi @Bailey-Coole,

When you forward the address at the far side, you also need to specify the 'allowed' addresses as well. So it could, yes, but it also could not. For example when you toggle the 'forward address' in the ZAC you'll need to specify the allowed addresses. You could choose to constrain this however you wish (or not).

This is exiting the "101 level" of OpenZiti and entering complex levels quickly... :slight_smile: If you have the exact same domain and require it to be routed to different locations, I think that'll be an issue without some other sort of differentiator. Nothing comes to mind as to how you would accomplish this with one single service. With multiple services, it seems trivial to implement since each service would be bound by a different router. You clearly could not enable both services at the same time from the same 'client' machine. That would make the behavior non-deterministic and not what you want at all. OpenZiti clients don't support turning off individual services at this time, so you'd also need a second identity and you'd enable/disable the identity accordingly... But that should work (I think). I'll offer a caveat too, I have not tested this, but it seems like it'd be fine assuming I understand what you're looking for. I reserve the right to be mistaken! :slight_smile: So while I'm not :100:, I'd think this would be pretty easy to deal with on the whole... I think....

I feel like a diagram would probably help me. I feel like I'm getting a wee bit lost here. I think my prior reply answered many of the questions in this paragraph but not this one...

No, it's not required, but I mean, if you try to offload from a router in SiteB to a server that is only in SiteA, obviously that won't work without some underlay route, right? :slight_smile: I feel like maybe I'm missing something on this question?

This can happen, yes. When using tunnelers, we specifically exclude intercepting the exact address specified by routers or the controller so that it's not possible to mess up that DNS resolution. You'll see something like:

ziti-tunneler.log:[2025-04-15T13:11:45.524Z]   DEBUG tunnel-sdk:ziti_tunnel.c:127 ziti_tunneler_exclude_route() excluding ec2-3-18-113-172.us-east-2.compute.amazonaws.com from tunneler intercept

in your logs

hth
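Added example (not from the thread above and not OpenZiti project code): a small pre-flight check for the "forward address needs allowed addresses" point in the reply. It takes a constructed intercept.v1 config and a constructed host.v1 config and reports (a) `forwardAddress`/`forwardPort` set without the matching `allowedAddresses`/`allowedPortRanges`, and (b) intercepted addresses or ports that the hosting side would not be allowed to forward to. It goes a little beyond the post by handling wildcard domains and CIDRs on both sides. The field names are the documented host.v1/intercept.v1 names; the hostnames, CIDRs and ports are made up, and the matching is a static approximation of what the tunneler does at runtime (it does not resolve DNS).

```python
import ipaddress

# Constructed sample configs (not from the thread). Intercept side: the client
# captures *.corp.example and 10.20.0.0/16 on the Kerberos/LDAP/SMB ports.
INTERCEPT_V1 = {
    "protocols": ["tcp"],
    "addresses": ["*.corp.example", "10.20.0.0/16"],
    "portRanges": [{"low": 88, "high": 88}, {"low": 389, "high": 389}, {"low": 445, "high": 445}],
}

# Host side with forwardAddress toggled on but no allowedAddresses: the
# situation the reply warns about.
HOST_V1_BAD = {
    "protocol": "tcp",
    "forwardAddress": True,
    "forwardPort": True,
    "allowedPortRanges": [{"low": 88, "high": 88}, {"low": 389, "high": 389}, {"low": 445, "high": 445}],
}

# Same config with the allowed addresses constrained to what is intercepted.
HOST_V1_GOOD = {**HOST_V1_BAD, "allowedAddresses": ["*.corp.example", "10.20.0.0/16"]}


def _as_network(s: str):
    """Return an ip_network for an IP or CIDR string, or None for a hostname."""
    try:
        return ipaddress.ip_network(s, strict=False)
    except ValueError:
        return None


def covers(allowed: str, wanted: str) -> bool:
    """Does one allowedAddresses entry cover one intercept address?

    Both may be a hostname, a wildcard domain ('*.corp.example'), an IP or a
    CIDR. A name never matches an IP entry; a wildcard intercept is only
    covered by a wildcard at the same or a higher level.
    """
    a_net, w_net = _as_network(allowed), _as_network(wanted)
    if a_net is not None or w_net is not None:
        if a_net is None or w_net is None:
            return False
        return a_net.version == w_net.version and w_net.subnet_of(a_net)
    allowed, wanted = allowed.lower(), wanted.lower()
    if allowed.startswith("*."):
        suffix = allowed[1:]            # '.corp.example'
        if wanted.startswith("*."):
            return wanted[1:].endswith(suffix)
        return wanted.endswith(suffix)  # apex 'corp.example' is NOT matched
    return wanted == allowed


def check_host_config(host: dict) -> list:
    """Problems in a host.v1 config on its own."""
    problems = []
    if host.get("forwardAddress"):
        if not host.get("allowedAddresses"):
            problems.append("forwardAddress is true but allowedAddresses is missing (required alongside forwardAddress)")
    elif not host.get("address"):
        problems.append("neither forwardAddress nor a fixed address is set")
    if host.get("forwardPort"):
        if not host.get("allowedPortRanges"):
            problems.append("forwardPort is true but allowedPortRanges is missing (required alongside forwardPort)")
    elif host.get("port") is None:
        problems.append("neither forwardPort nor a fixed port is set")
    return problems


def check_service(intercept: dict, host: dict) -> list:
    """Problems in an intercept.v1 / host.v1 pair for one service."""
    problems = check_host_config(host)
    if host.get("forwardAddress"):
        allowed = host.get("allowedAddresses", [])
        for addr in intercept.get("addresses", []):
            if not any(covers(a, addr) for a in allowed):
                problems.append(f"intercept address {addr!r} is not covered by allowedAddresses")
    if host.get("forwardPort"):
        ranges = host.get("allowedPortRanges", [])
        for pr in intercept.get("portRanges", []):
            if not any(ar["low"] <= pr["low"] and pr["high"] <= ar["high"] for ar in ranges):
                problems.append(f"intercept port range {pr['low']}-{pr['high']} is not inside allowedPortRanges")
    return problems


if __name__ == "__main__":
    for label, host in (("bad", HOST_V1_BAD), ("good", HOST_V1_GOOD)):
        print(label, check_service(INTERCEPT_V1, host) or "ok")
```

Running it flags the `HOST_V1_BAD` config and passes `HOST_V1_GOOD`; widening the intercept to `*.example` while leaving `allowedAddresses` at `*.corp.example` is reported too, which is the mismatch to look for when a wildcard intercept is dialed but the hosting side refuses it.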