Context
- I run a private network with 5–10 servers.
- Each server runs 2–3 web apps in Docker on various ports (e.g. 3000, 8080, 5601, etc.).
- Today I publish apps one-by-one to OpenZiti (create a service per app + host/intercept config + policy). That works, but it’s repetitive and slow.
What I’ve tried
- Publishing individual apps (host.v1 + intercept.v1) — works.
- Tried creating a single host config per host and attaching multiple ports — works, but I’m unsure if there’s a recommended pattern for entire servers or subnets.
Goal
I want to put the entire server (or the entire subnet) behind OpenZiti so that:
- I don’t have to create a service for every app/port.
- Ziti-connected users can reach anything on that server IP (or subnet) — all ports and apps — while non-Ziti users cannot.
- The control plane stays central (single controller + routers). Hosts should be reachable via Ziti-only access.
If you need any more details from us regarding this, please let us know.
Hi @anshjoshi, what you're describing is a "ZTNA" approach to zero trust where you have some trusted network paths still in your private network. You can do both setups you describe if you like; just realize that the more "flexibility" you set up, the broader your attack surface also becomes. Zero trust isn't a single answer, so as long as you understand that and accept any associated risks for your own needs, that's a totally valid deployment mode.
Now since you "only" have 5-10 servers, I would probably tell you to make 5-10 services in OpenZiti, one service for each 'server'. Then for each service, when making the 'host.v1' config, you would enable port forwarding. Then you allow certain port ranges, looking like this:
The key is the 'forward port' option that makes this much simpler. Now your clients could connect to "private.server.one:22" or "private.server.one:443" and the port is simply forwarded. Now, you CAN choose to allow ports 1-65535 but since we're a zero trust project/product I'd of course encourage you to not do that....
But hey, if that's what you want I'm not judging 
As for subnets, you can do that too. In that case you would enable the "forward address" button.
Then of course there's forward protocol as well....
On the intercepting side you'd have to add a cidr style intercept and now you're back to dealing with IP addresses and... well... YUCK! OpenZiti makes it easy to NOT deal with those imo.
One other option you have is a "wildcard intercept" along with a "forward address". So you could intercept "*.my.private.domain" and then when used with forward address if a user went to "keycloak.my.private.domain:443" when that traffic gets to the other side a connection is established to "keycloak.my.private.domain:443" (because you told it to forward addresses)...
Hope that all makes sense, I think that's enough for you to figure it out from here
Thanks, Clint, for the reply.
If I happen to reach any issues implementing this, I’ll let you know.
Thanks for your guidance so far.
To add more context — my Ziti controller and edge router are both deployed on an AWS cloud server, and there’s no local router running in my on-prem or private subnet.
I’m now trying to publish an entire on-prem test server (192.168.2.1) that runs multiple Docker web apps (e.g., on ports 3000, 8080, 5601, etc.).
Normally, when I publish a single app, I set the address in my host config to the public IP (since the router is in AWS).
But since I want to publish the whole server, I’m unsure what to specify for the address field in host.v1:
- Should it still be the public IP of the test server (reachable from the AWS router)?
- Or is it recommended to run a tunneler or edge router on that server and then use its local IP (192.168.2.1) instead?
Essentially, what’s the correct pattern for securely publishing an entire remote private host (or subnet) when all routers and the controller are cloud-based?
This is just a test setup for now, but I’d like to follow the correct model before I expand this to all servers.
I did some troubleshooting and now everything works. I installed a router on my private server, which is in my office location, and enrolled it into the controller, which is in AWS, and did the recommended config for the subnet. Now, for the test server, I can only SSH to that private server when a device is enrolled.
Thanks for the help @TheLumberjack
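As an added example, not code from the thread or from the OpenZiti project, the script below carries out the three patterns Clint describes (one service per server with a fixed address and forwardPort plus explicit port ranges; one service per subnet with forwardAddress and a CIDR intercept; a wildcard-domain intercept with forwardAddress) and gives the Bind side to a router enrolled inside the private network, which is where the thread ends up. Every name in it is assumed for illustration: the service names, private.server.one, 192.168.2.1 and 192.168.2.0/24, *.my.private.domain, the role attribute #ziti-users and the router identity office-router. It also assumes that edge-router policies already let those identities use the AWS router (as the quickstart defaults do) and that allowedAddresses accepts the same wildcard-domain form as an intercept address. The `ziti edge create` calls are the standard CLI shapes and only run when `ziti` is on PATH; the JSON builders run anywhere.

```shell
#!/usr/bin/env sh
# Added example, not from the thread or the OpenZiti project: one service per
# server (fixed address + forwardPort), one service per subnet (forwardAddress +
# CIDR intercept) and a wildcard-domain service, hosted by a router enrolled
# inside the private network. All names are assumed for illustration.
set -eu

# "22,3000,8080-8090" -> [{"low":22,"high":22},{"low":3000,"high":3000},...]
# Listing the ports a server really exposes keeps the service narrow instead
# of forwarding 1-65535.
port_ranges_json() {
  out=""
  old_ifs=$IFS; IFS=','
  for spec in $1; do
    lo=${spec%-*}; hi=${spec#*-}
    out="${out:+$out,}{\"low\":$lo,\"high\":$hi}"
  done
  IFS=$old_ifs
  printf '[%s]' "$out"
}

# host.v1 for the hosting router. $1 is either a single target address
# ("192.168.2.1": every intercepted port lands on that one host) or a JSON
# array of allowed addresses (forwardAddress: the router dials whatever the
# client dialled, as long as it is in the list). $2 is the port spec; the
# dialled port is forwarded only if it falls inside allowedPortRanges.
host_v1_json() {
  case $1 in
    "["*) addr_part="\"forwardAddress\":true,\"allowedAddresses\":$1" ;;
    *)    addr_part="\"address\":\"$1\"" ;;
  esac
  printf '{"forwardProtocol":true,"allowedProtocols":["tcp","udp"],%s,"forwardPort":true,"allowedPortRanges":%s}' \
    "$addr_part" "$(port_ranges_json "$2")"
}

# intercept.v1 for the client tunnelers: $1 is a JSON array of addresses
# (a hostname, a CIDR or a wildcard such as *.my.private.domain), $2 the port
# spec. Keep it a subset of what the host side allows, or dials will fail.
intercept_v1_json() {
  printf '{"protocols":["tcp","udp"],"addresses":%s,"portRanges":%s}' \
    "$1" "$(port_ranges_json "$2")"
}

# Configs, service and policies. Bind goes to the office router's identity
# (it has 192.168.2.0/24 on its LAN); Dial goes to enrolled user identities.
# Assumes edge-router policies already let these identities use the router.
publish_service() {
  name=$1; intercept_addrs=$2; host_addr=$3; ports=$4
  ziti edge create config "${name}-host" host.v1 "$(host_v1_json "$host_addr" "$ports")"
  ziti edge create config "${name}-intercept" intercept.v1 "$(intercept_v1_json "$intercept_addrs" "$ports")"
  ziti edge create service "$name" --configs "${name}-host,${name}-intercept"
  ziti edge create service-policy "${name}-dial" Dial --service-roles "@${name}" --identity-roles '#ziti-users'
  ziti edge create service-policy "${name}-bind" Bind --service-roles "@${name}" --identity-roles '@office-router'
}

if command -v ziti >/dev/null 2>&1; then
  # Hosting router: created with tunneling enabled, then enrolled with the JWT
  # on the office machine (the enrollment step itself is not shown).
  ziti edge create edge-router office-router --tunneler-enabled --jwt-output-file office-router.jwt
  # Whole server: clients dial private.server.one:22, :3000, :8080 or :5601
  # and the office router connects to 192.168.2.1 on the same port.
  publish_service private-server-one '["private.server.one"]' 192.168.2.1 '22,3000,8080,5601'
  # Whole subnet: CIDR intercept; the dialled IP is forwarded as-is.
  publish_service office-lan '["192.168.2.0/24"]' '["192.168.2.0/24"]' '22,443'
  # Wildcard: keycloak.my.private.domain:443 is dialled by name on the far side.
  publish_service private-domain '["*.my.private.domain"]' '["*.my.private.domain"]' 443
fi
```

The point worth checking in your own deployment is the pairing: the intercept config decides what the client tunneler captures, the host config decides what the office router is willing to dial, and a port or address that is intercepted but not allowed on the host side simply fails at dial time. Because the office router does the dialling, the host config addresses are private-LAN addresses, not the server's public IP.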