Is the Edge Router Identity mandatory?

Hi,

I'm enrolling a new edge router on my Ziti network:

[ziggy@8d4d956193f2 ~]$ ziti edge list edge-routers
╭────────────┬──────────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME                 │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼──────────────────────┼────────┼───────────────┼──────┼────────────┤
│ iDjQK5tHCS │ openziti_edge_router │ true   │ true          │    0 │            │
╰────────────┴──────────────────────┴────────┴───────────────┴──────┴────────────╯

But for some reason I can't find the identity for the enrolled router:

[ziggy@8d4d956193f2 ~]$ ziti edge list identities
╭───────────┬───────────────┬─────────┬────────────┬─────────────╮
│ ID        │ NAME          │ TYPE    │ ATTRIBUTES │ AUTH-POLICY │
├───────────┼───────────────┼─────────┼────────────┼─────────────┤
│ qzOGOnrNU │ Default Admin │ Default │            │ Default     │
╰───────────┴───────────────┴─────────┴────────────┴─────────────╯

I'm using terraform to deploy the controller/edge router on a docker server using this doc.

Is the edge router identity mandatory?

Define "mandatory"? :slight_smile: If you want the router to act as a tunneler, and you enable tunneler mode on the router, then yes, the identity will be created. If the router is not acting as a tunneler and does not have tunneler mode enabled, then no, it's not mandatory.

It'll also be of type "Router" when you have one:

ziti edge list identities 'name contains "router"'
╭────────────┬──────────────────────────────┬────────┬────────────────────────────────┬─────────────╮
│ ID         │ NAME                         │ TYPE   │ ATTRIBUTES                     │ AUTH-POLICY │
├────────────┼──────────────────────────────┼────────┼────────────────────────────────┼─────────────┤
│ eM0NBWcsdI │ ip-172-31-47-200-edge-router │ Router │ acme.challenge.service.dialers │ Default     │
╰────────────┴──────────────────────────────┴────────┴────────────────────────────────┴─────────────╯
results: 1-1 of 1

So if I want my edge router to intercept traffic, I need to enable tunneler mode, right?

I believe the tunneler mode is set on my router, and it still doesn't create the identity for me:

v: 3

identity:
  cert:             "router.cert"
  server_cert:      "/ziti-router/router.server.chain.cert"
  key:              "/ziti-router/router.key"
  ca:               "/ziti-router/router.cas"
  #alt_server_certs:
  #  - server_cert:  ""
  #    server_key:   ""

ha:
  enabled: false

ctrl:
  endpoint:             tls:vps-202d9b35.vps.ovh.net:1280

link:
  dialers:
    - binding: transport
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:1281
      advertise:        tls:vps-202d9b35.vps.ovh.net:1281
      options:
        outQueueSize:   4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:1281
    options:
      advertise: vps-202d9b35.vps.ovh.net:1281
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host #tproxy|host

edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - localhost
        - vps-202d9b35.vps.ovh.net
        - 8d4d956193f2
      ip:
        - "127.0.0.1"
        - "::1"

#transport:
#  ws:
#    writeTimeout: 10
#    readTimeout: 5
#    idleTimeout: 120
#    pongTimeout: 60
#    pingInterval: 54
#    handshakeTimeout: 10
#    readBufferSize: 4096
#    writeBufferSize: 4096
#    enableCompression: true

forwarder:
  latencyProbeInterval: 0
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32

Yes. That requires the router to be created as --tunneler-enabled, and then the configuration will use tproxy, not host.

The identity is created when you make (or update) the router with --tunneler-enabled.

So if I don't use the tunneler mode, I won't be able to terminate services on my edge router?

tproxy implies host. Meaning, if you use tproxy, you can both intercept traffic and offload traffic from the router. If you don't need to intercept traffic, the router only requires "host" mode.

Alright, got it!

I'm leaving it host for now. I've made a dummy service to intercept zac.ziti on my windows machine where Ziti Edge Desktop is installed.

Configured the router policies and so on, but since there's no Router identity, how should I create my Bind service policy? I mean, my edge router is supposed to "host stuff", but I can't bind it to any service?

[ziggy@8d4d956193f2 ~]$ ziti edge policy-advisor services --quiet "zac"
OKAY : brand (1) -> zac (1) Common Routers: (1/1) Dial: Y Bind: N

Would you please provide the output to:

ziti edge list edge-routers -j | jq -r '.data[] | [.name, .isTunnelerEnabled] | @csv'
"ip-172-31-47-200-edge-router",true

I expect you do not have tunneler mode enabled.

Or just run:

ziti edge update edge-router ip-172-31-47-200-edge-router --tunneler-enabled

(replace your router name)
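The check in the reply above (the jq one-liner over `ziti edge list edge-routers -j`) and the host/tproxy distinction from earlier in the thread, as an added Python example that is not from this thread or from the OpenZiti project. It runs offline against constructed sample data shaped like the `-j` output (only the `.name` and `.isTunnelerEnabled` fields the jq filter reads) and the `listeners:` section of a router config mirrored as dicts, reproduces the jq CSV rows, and reports per router whether a Router identity (and therefore Bind) is expected and whether intercept is possible. The function names, the third "edge-only-router" sample and the "unset" label for a tunnel listener without an explicit mode are my assumptions; a real check would load `config.yml` with a YAML parser instead of the dicts.

```python
import json
from typing import Optional

# Constructed sample shaped like `ziti edge list edge-routers -j`, trimmed to the
# two fields the thread's jq filter reads (.name, .isTunnelerEnabled).
SAMPLE_ROUTERS_JSON = json.dumps({"data": [
    {"name": "openziti_edge_router", "isTunnelerEnabled": False},
    {"name": "ip-172-31-47-200-edge-router", "isTunnelerEnabled": True},
    {"name": "edge-only-router", "isTunnelerEnabled": True},  # constructed third case
]})

# Constructed: the `listeners:` section of each router's config, as dicts that
# mirror the YAML (a real check would load config.yml with a YAML parser).
SAMPLE_LISTENERS = {
    "openziti_edge_router": [
        {"binding": "edge", "address": "tls:0.0.0.0:1281"},
        {"binding": "tunnel", "options": {"mode": "host"}},
    ],
    "ip-172-31-47-200-edge-router": [
        {"binding": "edge", "address": "tls:0.0.0.0:3022"},
        {"binding": "tunnel", "options": {"mode": "tproxy"}},
    ],
    "edge-only-router": [
        {"binding": "edge", "address": "tls:0.0.0.0:3022"},
    ],
}


def to_csv_rows(routers_json: str) -> list:
    """Reproduce `jq -r '.data[] | [.name, .isTunnelerEnabled] | @csv'` offline:
    strings double-quoted, booleans as lowercase words, comma separated."""
    rows = []
    for r in json.loads(routers_json)["data"]:
        enabled = "true" if r.get("isTunnelerEnabled") else "false"
        rows.append(f'"{r["name"]}",{enabled}')
    return rows


def tunnel_mode(listeners: list) -> Optional[str]:
    """Return the mode of the `binding: tunnel` listener, None if the config has
    no tunnel listener, or "unset" (assumed label) if it has one without a mode."""
    for listener in listeners:
        if listener.get("binding") == "tunnel":
            return listener.get("options", {}).get("mode", "unset")
    return None


def assess(routers_json: str, listeners_by_router: dict) -> list:
    """Per router: is a Router identity (and so Bind) expected, and can it intercept?
    Rules as stated in the thread: the identity exists only when the router is
    --tunneler-enabled; host mode only hosts; tproxy both intercepts and hosts."""
    report = []
    for r in json.loads(routers_json)["data"]:
        name = r["name"]
        enabled = bool(r.get("isTunnelerEnabled"))
        mode = tunnel_mode(listeners_by_router.get(name, []))
        has_tunnel = mode in ("host", "tproxy")
        advice = None
        if not enabled:
            # The controller-side flag is what creates the Router identity.
            advice = f"ziti edge update edge-router {name} --tunneler-enabled"
        elif mode is None:
            advice = "add a 'binding: tunnel' listener (mode: host or tproxy) to the router config"
        elif mode == "unset":
            advice = "set options.mode (host or tproxy) on the tunnel listener"
        report.append({
            "name": name,
            "tunneler_enabled": enabled,
            "tunnel_mode": mode,
            "can_bind": enabled and has_tunnel,
            "can_intercept": enabled and mode == "tproxy",
            "advice": advice,
        })
    return report


if __name__ == "__main__":
    print("\n".join(to_csv_rows(SAMPLE_ROUTERS_JSON)))
    for entry in assess(SAMPLE_ROUTERS_JSON, SAMPLE_LISTENERS):
        print(entry)
```

Run against live data by replacing `SAMPLE_ROUTERS_JSON` with the actual `ziti edge list edge-routers -j` output; the `advice` field for a router with `isTunnelerEnabled` false is exactly the update command given in the reply above, with the router's own name filled in.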

[ziggy@8d4d956193f2 ~]$ ziti edge list edge-routers -j | jq -r '.data[] | [.name, .isTunnelerEnabled] | @csv'
"openziti_edge_router",false
ziti edge update edge-router openziti_edge_router --tunneler-enabled

Run that. You didn't enable tunneling.
