Help: UDP Tunneling Support via ziti-edge-tunnel?

Hey team,

I’ve been setting up OpenZiti on EKS and everything is working great for TCP-based services. Now I’m trying to test a UDP workload between two EC2 instances connected via OpenZiti tunnelers, and I have some questions.
:wrench: Setup Overview

I have two EC2 instances acting as identities:

  • EC2-udp-app: runs a UDP-based app
  • EC2-GS: needs to connect to EC2-udp-app over UDP

1. Identities

ziti edge create identity device EC2-udp-app --role-attributes "EC2-udp-app" -o EC2-udp-app.jwt
ziti edge enroll EC2-udp-app.jwt -o EC2-udp-app.json

ziti edge create identity device EC2-GS --role-attributes "EC2-GS" -o EC2-GS.jwt
ziti edge enroll EC2-GS.jwt -o EC2-GS.json

Tunnelers are running on both EC2s:

screen ziti-edge-tunnel run -i EC2-udp-app.json
screen ziti-edge-tunnel run -i EC2-GS.json

2. UDP Service Definition

ziti edge create config udp-app-intercept intercept.v1 '{
  "protocols": ["udp"],
  "addresses": ["10.100.100.111"],
  "portRanges": [{"low": 61880, "high": 61880}]
}'

ziti edge create config udp-app-host host.v1 '{
  "protocol": "udp",
  "address": "127.0.0.1",
  "port": 61880
}'

ziti edge create service UDPAPP \
  --configs udp-app-intercept,udp-app-host \
  --role-attributes 'counter-strike'

3. Policies

ziti edge create service-policy all-service-dial-policy Dial \
  --service-roles '#counter-strike' \
  --identity-roles '#EC2-udp-app'

ziti edge create service-policy all-service-bind-policy Bind \
  --service-roles '#counter-strike' \
  --identity-roles '#EC2-GS'

ziti edge create service-edge-router-policy all-services-all-router \
  --edge-router-roles '#all' \
  --service-roles '#all'

:white_check_mark: TCP Works Great

When I use this setup for TCP-based workloads, it works perfectly. The edge routers are exposed via AWS NLB, and I just allow inbound TCP 443 in the security group — tunnelers connect fine and services are reachable.
:red_question_mark: Questions Regarding UDP

Now that I’m trying to use a UDP service:

  • Does ziti-edge-tunnel currently support UDP services?
  • If yes, where do I expose the UDP port in the router Helm chart?
    • Should I define UDP ports under linkListeners or edge sections?
    • Should I open UDP in the NLB's security group?
  • Or is ziti-edge-tunnel limited to TCP only?
  • Is there any way at all to work with UDP-based services using OpenZiti right now? Even with SDKs?

Would really appreciate any guidance on how to approach UDP workloads in Ziti. Thanks in advance!

Yes

You don't. It's in the host/intercept config definitions.

No

No

I see from your configs you already are trying to use UDP. Are you trying to indicate that UDP is not working within the kubernetes ecosystem? That'd surprise me.
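As an added example (not the poster's or OpenZiti's own code) to go with the reply that UDP lives in the host/intercept configs: a small Python check over the posted intercept.v1/host.v1 pair and the two service policies. It assumes, as the setup overview states, that EC2-udp-app is the identity that hosts the app (Bind) and EC2-GS the one that connects (Dial); host.v1's forwardProtocol/allowedProtocols fields are handled so the check also covers intercepts that offer more than one protocol.

```python
import json

# Constructed from the intercept.v1 / host.v1 configs and policies posted
# above; illustrative checking code, not part of OpenZiti.
INTERCEPT_V1 = json.loads('''{
  "protocols": ["udp"],
  "addresses": ["10.100.100.111"],
  "portRanges": [{"low": 61880, "high": 61880}]
}''')
HOST_V1 = json.loads('{"protocol": "udp", "address": "127.0.0.1", "port": 61880}')

# (policy type, service role, identity role) exactly as posted.
POLICIES = [
    ("Dial", "#counter-strike", "#EC2-udp-app"),
    ("Bind", "#counter-strike", "#EC2-GS"),
]


def hosted_protocols(host):
    """Protocols a host.v1 config will forward: the fixed 'protocol', or
    the 'allowedProtocols' list when forwardProtocol is enabled."""
    if host.get("forwardProtocol"):
        return set(host.get("allowedProtocols", []))
    return {host["protocol"]}


def check_service(intercept, host):
    """Flag intercepted protocols the hosting side cannot forward.
    For the posted pair (udp -> udp) this returns no problems."""
    problems = []
    unsupported = set(intercept["protocols"]) - hosted_protocols(host)
    for proto in sorted(unsupported):
        problems.append(f"intercept offers {proto} but host.v1 does not forward it")
    return problems


def check_policies(policies, service_role, hosting_identity, client_identity):
    """Bind must be granted to the identity running the app, Dial to the
    client; anything else means the service cannot be reached as intended."""
    problems = []
    for kind, srole, irole in policies:
        if srole != service_role:
            continue
        expected = hosting_identity if kind == "Bind" else client_identity
        if irole != expected:
            problems.append(f"{kind} policy grants {irole}; expected {expected}")
    return problems


if __name__ == "__main__":
    for p in check_service(INTERCEPT_V1, HOST_V1) + check_policies(
            POLICIES, "#counter-strike", "#EC2-udp-app", "#EC2-GS"):
        print("WARN:", p)
```

Run against the values as posted it is silent about the service pair but flags both policies, since the Dial and Bind identity roles are the reverse of the direction described in the setup overview (EC2-GS connecting to EC2-udp-app).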