Help with setting up OpenZiti in AWS

I’m looking to set up OpenZiti in my AWS environment, which will allow DevOps to access EC2 instances and developers to access our self-hosted Gitlab, Grafana, and RDS instances.

Our setup has 4 VPCs of dev, stage, production, and corp (i.e. internal-usage). We currently use OpenVPN but I’m looking to branch away into OpenZiti. My questions:

  • Is OpenZiti the right approach to guard-railing when it comes to accessing database servers in AWS?
  • Is there documentation to help me out with setting up OpenZiti for the tasks I spoke on before?
  • I usually create a separate EC2 instance of a VPN to access our internal services but with OpenZiti, this can be hosted IN the EKS cluster?

Thanks!

Hi @MacFee, welcome to the community and to OpenZiti!

Sorry for the delay in anyone responding; it's been a busy time here. We provide community support as we can, and sometimes it's busier than others!

Certainly. Is it "the right approach" - well that's subjective of course and for you to decide but in my opinion it's certainly a fantastic option to do exactly that.

There isn't any doc that will be quite THAT specific. All our doc will focus on machines and networks instead. In your situation it just happens to be in AWS and you're maybe using Ubuntu Linux or maybe using Amazon Linux, so there might be subtle differences here and there that are just specific to the cloud vendor/deployment model you choose. In general though, I think our doc should cover what you're looking to do. Don't forget to search the forum too - as well as ask your LLM of choice. Since Discourse is public, we've trained a lot of models on the questions people have asked through the years just by having this forum.

Sure, it can. Segmenting the EKS cluster itself to prevent access outside of OpenZiti is not something we provide doc for. That's another one of those "it depends on your deployment model". We of course simply recommend that any nodes on a network have a deny-by-default firewall rule. How you implement that is up to you. Then any reach into each node would be provided by OpenZiti. I find that just thinking about it as though all your nodes are on the open internet helps. You also don't HAVE to run OpenZiti in the same EKS. We have many users on the forum who are using OpenZiti to bridge k8s clusters as well so unfortunately OpenZiti is so flexible there's no "you must do this" kind of doc I can point you at.

Hopefully that makes sense and helps. Cheers

Thank you for your response @TheLumberjack. We have different use cases currently and I feel OpenZiti is the right approach. I’m of course new to how the architecture works, but reading on it in my spare time it looks like something to use.

I’m thinking of different setups, but I do have a question about whether my use case can be used in this regard:

  1. I set up Pritunl WireGuard to connect us to 6000+ Raspberry Pis. It works great and I haven’t had any issues recently. However, I would like to know if OpenZiti has the capability of connecting to this many devices, and it would be great to read up on any blogs of this being done?
  2. Our apps are on an application load balancer in AWS EKS, where the project that we provide to our clients is capable of being used around the world. Is OpenZiti capable of siloing different organizations/clients to access our services in K8s privately, where others on the internet cannot access them?

Would like to know more on how we can set up the Edge Routers and Controllers in AWS EKS. Nevertheless, after reading more on this, I would assume both Edge Routers and Controllers need to be hosted in a public subnet. I was thinking the Edge Router is in our internal VPC CIDR, where we use AWS Transit Gateway to share internal connectivity between each VPC CIDR. Do both the Edge Router AND Controller need to be in the same network?

OpenZiti is explicitly designed to provide access to services for identities on a policy basis. So if you want your clients to “see” your services and no one else, absolutely. If you want client A to see service 1 and client B to see service 2, or any such combination, you have all the tools. The “atomic” units are services and identities. You can configure specifically what identities can host or dial what services via policy. There are a lot of other knobs policy and configuration can turn, but that is the most fundamental piece.

Edge Routers can be anywhere, as long as they can reach at least one controller. You could use an Edge Router in each VPC and eliminate the need for transit gateways, but that’s a network design decision based on the real needs.

I’m not a K8s expert, but there are a lot of them around for that part.

For access from the internet, at least one controller and one router have to be publicly addressable. Others can be wherever you need them to be to serve traffic to meet your needs.

FWIW, I know of at least one OpenZiti with up to around 50k endpoints, but the one I am thinking of is out-of-band connectivity, so not sure how many are actively connected at any one point.

A few months back we had one person mentioning a complex deployment here in Discourse with 40k endpoints, here: Terminator creation performance degradation. And then there's also zrok itself, which has many thousands of identities, but most of them are just not always on at the same time. Some are constant but a lot of those just come and go as needed.
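As an added example (not code from this thread or from the OpenZiti project), here is a small Python model of the policy evaluation described above: identities and services carry role attributes, and service policies of type Dial or Bind select them with the '#attr', '@name' or '#all' selectors under an AllOf or AnyOf semantic. The identities, services and policies are constructed to mirror this thread's scenario (devs, DevOps, two client tenants, and a tunneler identity hosting RDS); the names are assumptions, not anything from a real deployment.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:                  # an identity or a service
    name: str
    attrs: set = field(default_factory=set)   # its role attributes

@dataclass
class ServicePolicy:
    ptype: str                 # "Dial" (may connect) or "Bind" (may host)
    identity_roles: list       # selectors: '#attr', '@name' or '#all'
    service_roles: list
    semantic: str = "AllOf"    # OpenZiti's default; "AnyOf" is the alternative

def matches(entity, roles, semantic):   # does entity satisfy the selectors?
    if not roles:              # an empty selector list grants nothing
        return False
    def one(role):
        if role == "#all": return True
        if role.startswith("#"): return role[1:] in entity.attrs
        if role.startswith("@"): return role[1:] == entity.name
        raise ValueError(f"bad role selector {role!r}")
    hits = [one(r) for r in roles]
    return all(hits) if semantic == "AllOf" else any(hits)

def allowed(identity, service, policies, ptype):   # some policy covers both?
    return any(p.ptype == ptype and matches(identity, p.identity_roles, p.semantic)
               and matches(service, p.service_roles, p.semantic) for p in policies)

# Constructed scenario: devs, DevOps, two tenants, and the tunneler identity hosting RDS.
IDENTITIES = {e.name: e for e in [
    Entity("alice", {"devs"}), Entity("bob", {"devops"}),
    Entity("client-a", {"client-a"}), Entity("client-b", {"client-b"}),
    Entity("rds-tunneler", {"db-hosts"})]}
SERVICES = {s.name: s for s in [
    Entity("rds-dev", {"db", "dev"}), Entity("gitlab", {"internal"}),
    Entity("app-client-a", {"client-a"}), Entity("app-client-b", {"client-b"})]}
POLICIES = [
    ServicePolicy("Dial", ["#devs"], ["#internal"]),       # devs -> internal sites
    ServicePolicy("Dial", ["#devops"], ["#all"]),          # DevOps -> everything
    ServicePolicy("Dial", ["#devs", "#devops"], ["#db"], "AnyOf"),  # either group -> DBs
    ServicePolicy("Dial", ["#client-a"], ["#client-a"]),   # each tenant sees only its app
    ServicePolicy("Dial", ["#client-b"], ["#client-b"]),
    ServicePolicy("Bind", ["#db-hosts"], ["#db"]),         # only the tunneler may host DBs
]

def dial_matrix():   # which services each identity may dial under POLICIES
    return {i: sorted(s for s in SERVICES
                      if allowed(IDENTITIES[i], SERVICES[s], POLICIES, "Dial"))
            for i in IDENTITIES}
```

Note that the AnyOf policy is what lets alice reach the database service even though her only attribute is "devs", while neither tenant identity matches any policy beyond its own app.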

Thank you all for your comments. I’ll look into this in setting up. Will take some time but I’ll let you all know how it goes.

I think my first setup would be for developers to access our private DBs and internal websites such as ArgoCD, Gitlab, Redash, Langfuse, etc. Will hit you all up if I need help 🙂