Implementing an overlay network

Hi! I would like to say thank you for implementing such an interesting project like OpenZiti! I am just starting to learn OpenZiti. I have a few questions.
I have a small k8s cluster with an application. Inside the cluster I will add a ziti-tunnel container. This makes sense to me.
But I also want to manage the network devices that k8s nodes are connected to and my server (no ziti-tunnel can be installed).
Can I implement this setup? (ip and dns are given as an example)
How can I reserve public edge router? Is there something like VRRP?
How do I direct traffic to my network devices and server? I would like to implement some sort of static routes through my mikrotik router.
This seems to be done through “manage edge services”.

Hi @hairback, thanks for the kind words and welcome to OpenZiti and the community!

@qrkourier and some other community members have been cultivating a great few helm charts that I think could/would help with a bunch of this setup.

I have a few slight questions about your diagram and project that I think might help me or others give you a better answer.

  • Are all the boxes outside the k8s cluster on the same network? I assume so, I assume they are all going through the router or the switch but I want to make sure. You don't show the windows client connecting to the router nor the switch, so it's not clear to me.
  • you show the mikrotik router being connected to -- or connecting to the 'private edge router' directly. Is that indicating the "private edge router" is bridged to the mikrotik somehow but the other pods/nodes in the cluster are not or is that more generically supposed to just indicate "k8s to mikrotik"? I assume it's trying to just show "k8s to router" but want to be clear.
  • do you want to maintain two routers in your k8s cluster? With what you show, there's no need for that 'private edge router' unless you're using it for learning purposes or perhaps have some other reason?

A final point of clarity. Technically, the controller will at least have to have the "edge api" exposed outside of the cluster if you want to use ziti from outside the cluster (which I expect you do) :slight_smile: . I am pretty sure the helm charts would get you into a really good place to start exploring ziti.

If you want to explore the helm charts, see: OpenZiti Helm Charts | helm-charts

I'm not quite sure I understand this question. If your k8s cluster is deployed in a cloud provider somewhere, you'll want to expose the endpoint using some form of Kubernetes Ingress (something the helm charts set up, fwiw). Also, this goes back to the prior question around all the devices being on the same network.

From 'where'? From the Windows client? With OpenZiti you specifically authorize one (or many) services at a time, so for this one I think we need a bit more detail. An example would help me understand better what you mean.

I think getting an example will help understand if you actually need to do this or not. I am thinking you're trying to get to the "server without ziti tunneler" from the "Windows Ziti client"? Understanding the network topology is what we probably need here to answer you. For example, if the k8s cluster and mikrotik router are all on the same network, but the windows client were "elsewhere" in the world, you would need that public edge router for the windows client to connect to the OpenZiti overlay, then you would make an OpenZiti service that had a "host.v1" config associated which would offload traffic from the OpenZiti overlay back to the IP-based underlay network from a router you specified in the "host.v1" config.

Thanks for the question, let us know if that information is helpful at all or if it sparks any other discussion.

This link has the Helm charts too, but with a different starting point in Ziti docs to give a little more context and more options: Kubernetes | OpenZiti

Hi guys! Thanks for such a quick response! I probably confused you even more with my diagram. I want to use ziti overlay network for remote management of network devices and servers. But the problem is that you cannot install ziti-tunnel on switches or ilo servers. I have 3 servers in my office that form a k8s cluster. I am planning to deploy ziti network in the cluster. Thanks Clint, the comment about not needing a ‘private edge router’ is very valuable to me. The servers and network devices are on different subnets. Right now the access is implemented via L2TP on mikrotik, but I am very attracted to the ZTNA principles proposed by OpenZiti. And no, I wouldn’t want to open up the ‘edge api’ to an outside network. Only through ziti network, or L2TP(as a backup).

The diagram helps, but I don’t feel like I understand your need perfectly yet.

Are you thinking about static routes on the Mikrotik because you can't run a tunneler there? I see there are a couple of servers that don't have a tunneler installed. Are those the hosts that would use the static routes? If so, can you install a Ziti tunnel on those hosts? That's probably the easiest way to connect things. The alternative is to run another Linux router with a Ziti tunnel so it can proxy the subnet to Ziti services.

The good news is that remote access to your cluster is a good job for Ziti. You can make the Ziti management API a Ziti service too. That way it’s secret/private, not exposed outside the cluster.

Thanks for the diagram. Like @qrkourier said, that definitely helps. It looks to me like the pods should be able to communicate with the "servers without ziti", is that correct? Will the Cisco router route traffic from the pods to those servers? Assuming yes, then you would just use that edge router as the offload point. You would use ziti to get onto the overlay at the Windows device (or whatever client) and then offload from the private router towards the servers without OpenZiti installed. Hopefully that makes sense?

It definitely makes sense. As I pointed out in the diagram, some servers do not have the ability to install ziti-tunnel. I just want to get the route 10.0.0.0/8 on the windows client and send all that traffic to the edge router through the ziti overlay network. The edge router, in my idea, should send all traffic to the network core (cisco switch). But how do I do it on the edge router side? Or should I use a Linux router with a ziti tunnel to proxy traffic to the cisco?

When you set up the service in OpenZiti, you just instruct the overlay to offload towards an IP or DNS entry of your choosing. If your pod can send traffic to the service, you just use whatever IP or DNS entry you want. The router will simply try to connect to whatever IP or DNS entry you tell it to, however the underlay is constructed. I feel like I must not understand the problem; I'm not a net eng, so perhaps there's something I'm just overlooking. That, or maybe you should try constructing a service and then maybe it'll make more sense?

You should absolutely be able to do that if you want to map the entire range that way. For this scenario you might choose to "forward address". That means whatever IP was intercepted at Windows becomes the destination at the far end. Maybe that was what I missed?

The Edge Router has a tunnel option built in. Not sure if that's what you meant by Ziti Tunnel (there is a separate binary also). You just enable the tunnel option on the ER and configure it in host mode if you only care about hosting services on it (i.e. a service to reach 10.0.0.0/8). No need to worry about any static routes, since sessions coming from the ER would have that IP as a source.
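The two replies above describe the service shape for this thread's scenario: an `intercept.v1` config that captures 10.0.0.0/8 on the Windows client, and a `host.v1` config in "forward address" mode bound to the edge router (running its built-in tunneler in host mode) so that whatever IP the client intercepted becomes the far-end destination. The following is an added example, not code from the thread or from the OpenZiti project. It builds both config documents, checks that everything the intercept can capture is actually inside the host side's allow-lists (in forwarding mode the router will only dial addresses, ports and protocols on those lists, so a mismatch silently fails at dial time), and renders the `ziti` CLI commands to create the service and its Bind/Dial policies. The service name `mgmt-net`, the router identity name `public-edge-router` and the client role attribute `mgmt-clients` are constructed placeholders.

```python
"""Build and sanity-check an OpenZiti intercept.v1 / host.v1 pair for
forwarding an entire CIDR (e.g. 10.0.0.0/8) through a hosting edge router.
Added example for the thread; not OpenZiti project code."""
import ipaddress
import json
import shlex

# Constructed placeholder names (assumptions, not values from the thread).
SERVICE_NAME = "mgmt-net"
HOSTING_IDENTITY = "public-edge-router"   # identity name of the ER hosting the service
CLIENT_ROLE = "mgmt-clients"               # role attribute carried by client identities


def intercept_config(addresses, port_ranges, protocols=("tcp", "udp")):
    """intercept.v1: what the client-side tunneler captures and sends over the overlay."""
    return {
        "protocols": list(protocols),
        "addresses": list(addresses),
        "portRanges": [{"low": lo, "high": hi} for lo, hi in port_ranges],
    }


def host_forwarding_config(allowed_addresses, allowed_port_ranges, protocols=("tcp", "udp")):
    """host.v1 in forwarding mode: the hosting router dials the address, port and
    protocol the client intercepted, but only if they are on the allow-lists."""
    return {
        "forwardProtocol": True,
        "allowedProtocols": list(protocols),
        "forwardAddress": True,
        "allowedAddresses": list(allowed_addresses),
        "forwardPort": True,
        "allowedPortRanges": [{"low": lo, "high": hi} for lo, hi in allowed_port_ranges],
    }


def _as_network(entry):
    """Parse a CIDR or bare IP; return None for hostnames/wildcards, which are not range-checked here."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def check_consistency(intercept, host):
    """Return a list of problems (empty means consistent): every intercepted CIDR
    must lie inside an allowed CIDR, every intercepted port range inside an
    allowed range, and every intercepted protocol must be an allowed protocol."""
    problems = []
    allowed_nets = [n for n in map(_as_network, host["allowedAddresses"]) if n is not None]
    for addr in intercept["addresses"]:
        net = _as_network(addr)
        if net is None:
            continue  # hostname entry: matched by name, not by range
        if not any(net.subnet_of(a) for a in allowed_nets if a.version == net.version):
            problems.append(f"address {addr} is not covered by allowedAddresses")
    for pr in intercept["portRanges"]:
        if not any(a["low"] <= pr["low"] and pr["high"] <= a["high"] for a in host["allowedPortRanges"]):
            problems.append(f"port range {pr['low']}-{pr['high']} is not covered by allowedPortRanges")
    for proto in intercept["protocols"]:
        if proto not in host["allowedProtocols"]:
            problems.append(f"protocol {proto} is not in allowedProtocols")
    return problems


def ziti_commands(service, intercept, host, hosting_identity, client_role):
    """Render the ziti CLI calls that create the configs, the service and the
    Bind (hosting router) / Dial (clients) service policies."""
    icfg, hcfg = f"{service}-intercept", f"{service}-host"
    return [
        f"ziti edge create config {icfg} intercept.v1 {shlex.quote(json.dumps(intercept))}",
        f"ziti edge create config {hcfg} host.v1 {shlex.quote(json.dumps(host))}",
        f"ziti edge create service {service} --configs {icfg},{hcfg}",
        f"ziti edge create service-policy {service}-bind Bind --service-roles '@{service}' "
        f"--identity-roles '@{hosting_identity}'",
        f"ziti edge create service-policy {service}-dial Dial --service-roles '@{service}' "
        f"--identity-roles '#{client_role}'",
    ]


if __name__ == "__main__":
    icpt = intercept_config(["10.0.0.0/8"], [(1, 65535)])
    hst = host_forwarding_config(["10.0.0.0/8"], [(1, 65535)])
    for problem in check_consistency(icpt, hst):
        print("inconsistent:", problem)
    print("\n".join(ziti_commands(SERVICE_NAME, icpt, hst, HOSTING_IDENTITY, CLIENT_ROLE)))
```

Running the block prints the five `ziti edge create` commands for the thread's case. Edge-router policies (which routers the identities and the service may use) are not generated here, and the narrower the `allowedAddresses` and `allowedPortRanges` on the host side, the smaller the set of underlay destinations a compromised client identity could reach through the router; the consistency check is there so that narrowing the host side does not quietly break the intercept.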

Thank you so much for your answers! I will try to set up what I have in mind. I can see the picture more clearly now.