Host.v2 config does not create terminators for service despite online tunneler and valid policies

  • no logs for ziti-edge-tunnel
  • no logs for ziti-router
  • no idea what is going on.
  • chatgpt is hallucinating
  • I tried restarting the routers and the ziti-edge-tunnel, but it didn’t help.

How to reproduce?

I will use vault as an example. It doesn’t matter.

host v2

ziti edge create config "vault.ziti@host2" host.v2 '{"terminators": [{"protocol":"tcp","address":"vault-active.vault.svc.cluster.local","port":8200}]}'
New config vault.ziti@host2 created with id: 6UN2wD8S6ef6ERulSruau3

host v1

For host.v1 everything is ok. Terminators will be created automatically!

ziti edge create config "vault.ziti@host" host.v1 '{"protocol":"tcp","address":"vault-active.vault.svc.cluster.local","port":8200}'
New config vault.ziti@host created with id: ll8GaeRL4pJG4LQqgOGNv

intercept

ziti edge create config "vault.ziti@intercept" intercept.v1 '{"protocols":["tcp"],"addresses":["vault.ziti"],"portRanges":[{"low":8200,"high":8200}]}'
New config vault.ziti@intercept created with id: 7bM20F6CFAIHYonNnXymFv

Service
ziti edge create service "vault.ziti" --configs 'vault.ziti@host2,vault.ziti@intercept'
New service vault.ziti created with id: 6g3qxQFMN3nJjadv0WJ4Gi

Dial

ziti edge create service-policy "vault.ziti@dial" Dial --service-roles '@vault.ziti' --identity-roles '#all'
New service policy vault.ziti@dial created with id: 36qa1hThM9Mrn82oDStnbA

Bind

ziti edge create service-policy "vault.ziti@bind" Bind --service-roles '@vault.ziti' --identity-roles '#prod-xxx'
New service policy vault.ziti@bind created with id: 5SbRbfaekqUStnZqOs1lwq

Results

Host V2

Host V1

Let's try to switch to Host V1. For host.v1 everything is ok. Terminators will be created automatically!


Hi @zhilyaev

I'm pretty sure ZET doesn't support host.v2 yet. This is because host.v2 is most useful for ER/T (edge-router running the tunnel module) installs.

Picture a scenario where you've got a service that is horizontally scaled out, maybe a stateless web front-end.

If you're running tunnelers, you'd most likely have a tunneler co-located on each of those hosts, with a host.v1 config pointing to the same localhost address. If each ZET bound to 3 routers, and you had 10 web servers, you'd end up with 30 terminators for the service.

If you were running ER/Ts, you'd probably not have them co-located, rather you'd have 2-3 ER/Ts in front of those web servers. In order to reach all of the web servers, you'd need to tell each ER/T about each of the web servers. You'd do that with a host.v2 config, with a terminator for each web server. If you had 3 ER/Ts, and 10 web servers, you'd again end up with 30 terminators.

The goal is for the ZET to support host.v2 at some point, just to reduce confusion, but because it doesn't fit in with how it's used most of the time, it hasn't been a high priority.

Hopefully that makes sense.
Paul

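Since, as Paul explains, the tunneler only understands host.v1, a host.v2 config has to be flattened into one host.v1 config per terminator before a ZET-based deployment can bind it. The Python below is an added example, not code from the thread or the OpenZiti project: it splits the host.v2 config shown above into host.v1 configs (and merges them back), validates the entries, and renders the matching `ziti edge create config` lines. The `@host-<n>` naming scheme and the restriction to the protocol/address/port keys are assumptions.

```python
import json
import shlex

# host.v2 config from the thread, copied here as constructed sample input
HOST_V2 = {
    "terminators": [
        {"protocol": "tcp", "address": "vault-active.vault.svc.cluster.local", "port": 8200}
    ]
}

# Keys shared by a host.v1 config and one host.v2 terminator entry
# (assumption: only the fields used in the thread are carried across)
REQUIRED = ("protocol", "address", "port")


def host_v2_to_v1(cfg):
    """Split a host.v2 config into one host.v1 config per terminator entry."""
    terms = cfg.get("terminators")
    if not isinstance(terms, list) or not terms:
        raise ValueError("host.v2 config needs a non-empty 'terminators' list")
    out = []
    for i, t in enumerate(terms):
        missing = [k for k in REQUIRED if k not in t]
        if missing:
            raise ValueError(f"terminator {i} is missing {missing}")
        if not isinstance(t["port"], int) or not 1 <= t["port"] <= 65535:
            raise ValueError(f"terminator {i} has invalid port {t['port']!r}")
        out.append({k: t[k] for k in REQUIRED})
    return out


def host_v1_to_v2(cfgs):
    """Merge several host.v1 configs into one host.v2 config (the ER/T-oriented shape)."""
    return {"terminators": [host_v2_to_v1({"terminators": [c]})[0] for c in cfgs]}


def create_config_cmds(base_name, cfg):
    """Render the CLI lines that create one host.v1 config per terminator.
    Hypothetical naming: <base_name>@host-<index>."""
    cmds = []
    for i, v1 in enumerate(host_v2_to_v1(cfg)):
        name = f"{base_name}@host-{i}"
        cmds.append("ziti edge create config " + shlex.quote(name) + " host.v1 "
                    + shlex.quote(json.dumps(v1, separators=(",", ":"))))
    return cmds


if __name__ == "__main__":
    for line in create_config_cmds("vault.ziti", HOST_V2):
        print(line)
```

Each generated config still needs to be attached to the service with `--configs` and covered by the Bind policy, exactly as in the host.v1 steps above.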

Thanks for the detailed explanation – this clears up a lot!