I am trying to document a few things as I understand them and would like to get the understanding validated.
The idea is to demonstrate what an OpenZiti deployment would look like when multiple teams are involved.
The platform team would host the Ziti controller, one (or more) edge router(s) and one (or more) fabric router(s).
Teams can choose to deploy their own private router (e.g. Team 1) or can just use the platform team's edge router(s) (e.g. Team 2).
As far as I understand, a private router can be in a private subnet since it "dials" the other routers and doesn't need anything open in the security group for inbound access from outside, but it will accept connections on its edge port from its own VPC.
Edge routers will have 2 inbound ports open in their security group: one for the fabric link and another for edge connections.
Fabric routers will have a single inbound port open in their security group for the fabric link.
The controller will have 2 inbound ports open in its security group: one for the REST API and another for management.
Any feedback is appreciated. TIA.
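As an added illustration of the per-role exposure model in the post above (this is not code from the thread or from the OpenZiti project), the script below encodes the four roles as expected inbound port/source pairs and checks a set of security-group ingress rules against them. The port numbers are assumed values taken from the OpenZiti quickstart defaults and should be replaced with those of the actual deployment; the VPC CIDR and the sample rule sets are constructed for the example. In practice the `Rule` objects would be built from the output of your cloud provider's security-group listing.

```python
"""Check security-group ingress rules against the per-role model from the thread:
controller (API + management), edge router (link + edge), fabric router (link only),
private router (edge port from its own VPC only, nothing from outside)."""
import ipaddress
from dataclasses import dataclass

# Assumed port numbers (OpenZiti quickstart defaults); adjust to your deployment.
CTRL_CLIENT_API = 1280  # controller REST / client API
CTRL_MGMT = 6262        # controller management (control-plane) port
ROUTER_EDGE = 3022      # edge connections
ROUTER_LINK = 10080     # fabric link

ANYWHERE = "0.0.0.0/0"
VPC_CIDR = "10.0.0.0/16"  # constructed sample VPC range for the private router


@dataclass(frozen=True)
class Rule:
    """One inbound security-group rule: TCP port plus the CIDR it admits."""
    port: int
    source: str


# Expected inbound exposure per role: port -> CIDRs that may reach it.
EXPECTED = {
    "controller":     {CTRL_CLIENT_API: {ANYWHERE}, CTRL_MGMT: {ANYWHERE}},
    "edge-router":    {ROUTER_LINK: {ANYWHERE}, ROUTER_EDGE: {ANYWHERE}},
    "fabric-router":  {ROUTER_LINK: {ANYWHERE}},
    "private-router": {ROUTER_EDGE: {VPC_CIDR}},
}


def source_allowed(source, allowed_cidrs):
    """A rule source is acceptable if it is equal to or narrower than an allowed CIDR."""
    src = ipaddress.ip_network(source)
    return any(src.subnet_of(ipaddress.ip_network(c)) for c in allowed_cidrs)


def check_role(role, rules):
    """Return a list of findings for one security group; an empty list means it matches."""
    expected = EXPECTED[role]
    findings = []
    for r in rules:
        allowed = expected.get(r.port)
        if allowed is None:
            findings.append(f"{role}: unexpected inbound port {r.port} open from {r.source}")
        elif not source_allowed(r.source, allowed):
            findings.append(f"{role}: port {r.port} open from {r.source}, broader than {sorted(allowed)}")
    open_ports = {r.port for r in rules}
    for port in expected:
        if port not in open_ports:
            findings.append(f"{role}: expected inbound port {port} is not open")
    return findings


def check_all(groups):
    """Run check_role over a mapping of role -> list of Rule."""
    return {role: check_role(role, rules) for role, rules in groups.items()}


# Constructed sample groups: two correct, one with an extra port, one too broad.
SAMPLE_GROUPS = {
    "controller":     [Rule(CTRL_CLIENT_API, ANYWHERE), Rule(CTRL_MGMT, ANYWHERE)],
    "edge-router":    [Rule(ROUTER_LINK, ANYWHERE), Rule(ROUTER_EDGE, ANYWHERE)],
    "fabric-router":  [Rule(ROUTER_LINK, ANYWHERE), Rule(ROUTER_EDGE, ANYWHERE)],  # edge port drift
    "private-router": [Rule(ROUTER_EDGE, ANYWHERE)],  # should be limited to the VPC
}

if __name__ == "__main__":
    for role, findings in check_all(SAMPLE_GROUPS).items():
        print(role, "OK" if not findings else findings)
```

Narrower sources than the model allows (for example a private router's edge port opened only to one subnet of the VPC) pass the check, while anything broader or any port the role should not expose is reported; an intentionally opened admin port would show up as a finding and needs to be added to the model for that role.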
No feedback needed. You nailed it. Very succinctly written.
Those four ports are lightly documented in the host-it-anywhere quick start.
Ok, the one small piece of feedback that occurred to me just now: those "private" edge routers are able to service edge clients from the local network as well. Generally I don't talk much about that because, until someone understands Ziti at the level you're now at, the term "private" can throw people off. That could be useful to know. You then control which identities could use those edge routers for edge connections via policy.
Thank you for the feedback.
I see what you mean. The private router will not only be able to terminate incoming network connections for its VPC, but can also get them into the network.
Yep. Robert made a really neat video showing how people could use an OpenZiti edge router as a LAN gateway. Dunno if you've seen that, but you might enjoy it if you haven't: Using an OpenZiti router as a LAN Gateway - YouTube (I can never remember who I send these links to, so if I sent it to you already, my apologies in advance.)
I saw it being mentioned in one of the threads but I haven’t watched it yet. Will do now. Thank you.