Is it possible to connect to edge router then controller?

Hello!

I have been reading the documentation and watching a little bit on Ziti TV and I just want to say OpenZiti is amazing.

I would like to ask if it's possible to use an edge router as a middleman for the controller as shown in the diagram below. If it's not possible, why not? As I understand it, the controller only needs to enroll the client identity; after that the controller is not needed, therefore I could enroll the client JWT from the controller and give the credentials.

Hi @MoofyWoofy, welcome to the community and to OpenZiti and thanks for the kind words!

This is a fundamental misunderstanding. The controller is used constantly and is mandatory for identities to connect to directly. So to answer your question, "no". Clients all connect to the controller using mTLS so they are authenticated and authorized with the controller.

The real question is "why" are you looking to do this? My expectation (guess) would be to isolate the management API (the API that can modify the controller configuration) or possibly to isolate the management console (ZAC). You do this right now by "splitting the API". There are multiple discourse posts that cover this along with some videos that show you how to accomplish it as well.

hth

Thank you for the super prompt reply.

Yes that was my intention, I wanted to reduce the attack surface. I will look into splitting the API.
Thank you very much!