Feasibility/requirements/questions for deploying openziti on fly.io

Howdy. I’m looking into using openziti + zrok to allow remote access to some services I run in my homelab. I’d like to deploy the openziti controller/router in a few regions to make it HA and close to the people who tend to use my services. My current plan is to attempt to set up a topology that looks like this:

I have a few questions about this.

  1. Fly.io has a relatively different deployment model than other clouds, but it has tended to be pretty inexpensive for me and makes deploying to multiple regions very easy. It seems like I could probably work around the deployment model by combining some of the different guides, but is there anything obvious about Fly that I’m missing that would keep this from working?

  2. Should I also be running a controller/router inside my home network? My home network lives at home, which is not necessarily close to users, so it seems to me that the clustered routers/controllers, in addition to HA, provide the advantage of faster authorization and faster time to route? Am I gaining anything by having one very close to (on the same network as) the devices connected to my home network? EDIT: Reading the docs, it seems likely that I am required to run a router on my home network, but I think I'm still curious about the controller.

Hi @suhum, welcome to the community and to OpenZiti.

I believe the current recommendation is to have the controllers in the same location. Spreading them out will make mutations take longer; I don't know if there are any other implications to deploying controllers in geographically different areas.

You show a reverse proxy in front of the controller and router. Make sure this proxy does not terminate TLS or you'll find the mTLS nature of OpenZiti to be totally non-functional. You can use the reverse proxy for the REST API if you like, but you won't be able to use cert-based auth in that case (obviously).

You don't need a controller in your home, but a router is often useful as it will prevent you from hairpinning out to the open internet and back. It's not required, but it's "a good idea" a lot of the time.

I would start with one controller and three routers in the configuration you show and decide how big of a deal the controller blipping off/on is. In practice, the controller starts in like 3-5 seconds so even if it crashes and restarts nobody ever actually notices and your routers will all be HA.

hth
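The "do not terminate TLS at the proxy" point above, shown as a fly.toml fragment. This is an added illustration, not from the original thread and not from the OpenZiti, zrok or Fly.io projects. It assumes the OpenZiti quickstart default ports (1280 for the controller's client/edge API, 6262 for the control plane that routers connect to) and a placeholder app name; substitute your own values. The commented-out block is the setting that breaks mTLS because Fly's edge presents its own certificate; the active services use raw TCP passthrough so the Ziti controller itself presents its certificate and verifies the client's.

```toml
# fly.toml for an OpenZiti controller (added example; assumes quickstart default ports)
app = "ziti-controller-example"   # placeholder app name, not a real deployment

# WRONG for OpenZiti: [http_service], or the "tls"/"http" port handlers, make Fly's
# edge proxy terminate TLS. Clients then see Fly's certificate instead of the
# controller's, and certificate-based (mTLS) authentication cannot work.
#
# [http_service]
#   internal_port = 1280
#   force_https = true
#
# or, equivalently broken:
#
# [[services.ports]]
#   port = 1280
#   handlers = ["tls", "http"]

# CORRECT: raw TCP passthrough. Fly only routes the byte stream; TLS is
# negotiated end to end between the Ziti client and the controller.
[[services]]
  protocol = "tcp"
  internal_port = 1280          # client/edge API (quickstart default)

  [[services.ports]]
    port = 1280
    handlers = []               # empty handler list = no TLS/HTTP termination

  [[services.tcp_checks]]
    interval = "15s"
    timeout = "2s"

[[services]]
  protocol = "tcp"
  internal_port = 6262          # control plane listener for routers (quickstart default)

  [[services.ports]]
    port = 6262
    handlers = []               # passthrough here too, routers also use mTLS
```

To confirm passthrough after deploying, connect with `openssl s_client -connect <your-app>.fly.dev:1280` from outside and check the presented certificate chain: the issuer should be your Ziti PKI's CA, not a Fly or Let's Encrypt certificate. If you see the latter, some layer in front of the controller is still terminating TLS.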