Hi everyone,
I’m currently exploring how OpenZiti and Zrok can help me secure access to an on-premise infrastructure, and I believe I'm close to achieving it — but I still need help understanding the final setup and configuration flow.
What I have so far
- I've successfully deployed OpenZiti in an EKS cluster.
- The client API, controller, and management services are already set up and logically segregated.
- I’ve also installed Zrok (backend and frontend) inside the same EKS cluster.
What I want to achieve
I want users from the public internet (via browser) to access a Zrok frontend, exposed through an Ingress in EKS (behind Cloudflare, with DNS). Later on, I plan to add Keycloak authentication to the frontend.
This Zrok frontend should use OpenZiti to connect to an on-premise architecture, where I have:
- An Ubuntu 24.04 Linux server acting as the border/edge,
- That server connects internally to three different RDP gateways (web-based RDP).
What I don’t understand
I'm struggling to grasp the complete logic and flow of how to configure this securely using OpenZiti + Zrok.
Here is how I imagine it should work:
End users (Browser)
↓
https://my-ingress-on-eks.mycompany.com (DNS via Cloudflare)
↓
Ingress → Zrok frontend (in EKS)
↓
OpenZiti Controller
↑
Ziti Edge Router on-premise (on Ubuntu)
↓
Zrok backend exposing RDP gateway(s) via Ziti
But I’m not sure:
- How the Zrok frontend and backend should be configured in this case,
- If my assumption about the Ingress + Zrok frontend is correct,
- How the connection from Zrok (on the EKS side) to the Ziti Edge Router (on-premise) should be handled,
- How users will ultimately access the RDP web interfaces in a secure, authenticated way.
I'd really appreciate any help clarifying the flow and what components (policies, services, edge routers, etc.) need to be configured and where.
Thanks in advance!
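As an added illustration (not code from the poster or from the OpenZiti/zrok projects), this script creates the plain-OpenZiti objects that sit underneath the flow described above: one service per on-prem RDP gateway, a host.v1 config that only the on-prem tunneler/edge-router identity may Bind, an intercept.v1 config that only the identity running in EKS may Dial, and the router policies that let both sides use the edge router. The role names, LAN addresses and `.ziti` names are constructed assumptions; zrok creates its own ziti services when you run `zrok share`, so this is the equivalent you would build if you expose the gateways as ordinary ziti services instead.

```shell
#!/usr/bin/env sh
# Assumed names/addresses (constructed for this example): adjust to your environment.
ZITI="${ZITI:-ziti}"          # set ZITI=echo to print the ziti commands instead of running them
DIALER_ROLE="zrok-frontend"   # role attribute of the identity running in EKS (the dialing side)
HOSTER_ROLE="onprem-edge"     # role attribute of the on-prem Ubuntu tunneler/edge-router identity

# host.v1 config: where the on-prem hoster reaches the gateway on its LAN.
# Only the Bind side ever sees this address; nothing on-prem is published on the internet.
host_config() {
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# intercept.v1 config: the name:port the dialing side (EKS) uses to reach the service.
intercept_config() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' "$1" "$2" "$2"
}

# One service per gateway, with separate Bind (on-prem) and Dial (EKS) policies,
# so the EKS identity can reach the gateways but can never host anything itself.
provision_rdp_gateway() {
  svc="$1"; lan_addr="$2"; lan_port="$3"; ziti_name="$4"
  "$ZITI" edge create config "$svc.host.v1" host.v1 "$(host_config "$lan_addr" "$lan_port")"
  "$ZITI" edge create config "$svc.intercept.v1" intercept.v1 "$(intercept_config "$ziti_name" "$lan_port")"
  "$ZITI" edge create service "$svc" --configs "$svc.host.v1,$svc.intercept.v1" -a rdp-gateway
  "$ZITI" edge create service-policy "$svc.bind" Bind --service-roles "@$svc" --identity-roles "#$HOSTER_ROLE"
  "$ZITI" edge create service-policy "$svc.dial" Dial --service-roles "@$svc" --identity-roles "#$DIALER_ROLE"
}

# Let the two identities use the edge routers, and let the rdp-gateway services be routed over them.
router_policies() {
  "$ZITI" edge create edge-router-policy rdp-erp --edge-router-roles '#all' --identity-roles "#$HOSTER_ROLE,#$DIALER_ROLE"
  "$ZITI" edge create service-edge-router-policy rdp-serp --edge-router-roles '#all' --service-roles '#rdp-gateway'
}

main() {
  router_policies
  # Three web-based RDP gateways behind the Ubuntu edge (LAN addresses are constructed).
  provision_rdp_gateway rdp-gw-1 10.20.0.11 443 rdp-gw-1.ziti
  provision_rdp_gateway rdp-gw-2 10.20.0.12 443 rdp-gw-2.ziti
  provision_rdp_gateway rdp-gw-3 10.20.0.13 443 rdp-gw-3.ziti
}

# Runs only when invoked as: sh provision-rdp.sh apply   (try ZITI=echo first for a dry run)
case "${1:-}" in apply) main ;; esac
```

The two identities still need to be enrolled (`ziti edge create identity ... -o name.jwt` on the controller, then the JWT enrolled on the Ubuntu host and in the EKS pod) before the policies take effect.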