Hey all. I have been taking baby steps in setting up OpenZiti ZTNA in my company's architecture. I don't want to deal with multiple VPNs but only have 1 centralized VPN, being OpenZiti. Am I understanding this correctly, where the CORP VPC (where the edge router and controller are) is the hub, and I have 1 edge router in each other VPC CIDR?
The 1 goal I want to establish is being able to have developers connect to their respective Tunneler on their local workstation and then have Ziti gatekeep RDS access and to internal web services such as GitLab and ArgoCD.
Well, I would say this all just depends on what you want but that design is exceptionally common, yes. In your diagram (btw the boxes per vpc are hard to see for me with the gridlines), the "CORP VPC" would be exposed to the internet and allow incoming links from routers. This would allow the routers to build a full mesh and allow devs from wherever they are to connect through that 'hub' as you are describing it.
What's not very clear to me are your arrows from the corp vpc edge router to the RDS services in DEV and PROD. That's definitely not how I think of them, as you show them exiting the edge router from CORP VPC and back 'in again'. That might be your mental model but it confused me. Here's how I think about that. In my head, you would mesh through that public vpc into your private vpcs. Like I said, that might be what you have in your head, but the diagram to me doesn't seem like it?
@TheLumberjack Ah ya, I should have color coded the arrows to be more clear.
This is the flow I'm thinking in OpenZiti:
DEV and PROD VPCs communicate internally to the Edge Router in CORP VPC
CORP VPC Edge Router and Controller will have openziti-console where I would create the policies and attach the routers to the "hub"
The "hub" will communicate internally to the other edge routers in my other VPCs where those edge routers would communicate to the respective RDS, GitLab server, etc.
However, the arrows that you placed are pretty much what I'm trying to do.
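As an added example (not from this thread or from the OpenZiti project), here is the minimal set of controller objects that realises the flow above for one RDS endpoint per VPC: an intercept config for the developers' tunnelers, a host config for the VPC's router, the service, and the Dial/Bind and router policies. The names "corp-router", "<env>-router", the "developers" role attribute and the RDS hostname are assumptions.

```shell
#!/bin/sh
# Added example: gatekeep one RDS endpoint per VPC behind developer tunnelers.
# Assumptions (not from the thread): `ziti edge login` has already been run,
# the hub router is named "corp-router", each VPC has a tunneler-enabled
# router whose identity is named "<env>-router", and every developer's
# tunneler identity carries the role attribute "developers".
# The CLI is taken from $ZITI so a wrapper or stub can be substituted.
ZITI=${ZITI:-ziti}

# create_rds_access ENV RDS_HOST RDS_PORT
#   ENV      short VPC name, e.g. dev or prod
#   RDS_HOST private RDS endpoint as reachable from inside that VPC
#   RDS_PORT database port (5432 for PostgreSQL, 3306 for MySQL)
create_rds_access() {
  env=$1; host=$2; port=$3
  svc="${env}-rds"

  # Client side: the tunneler intercepts ${env}-rds.ziti:${port} on the workstation.
  "$ZITI" edge create config "${svc}-intercept" intercept.v1 \
    "{\"protocols\":[\"tcp\"],\"addresses\":[\"${svc}.ziti\"],\"portRanges\":[{\"low\":${port},\"high\":${port}}]}"

  # Server side: the VPC router forwards to the real RDS endpoint it can reach.
  "$ZITI" edge create config "${svc}-host" host.v1 \
    "{\"protocol\":\"tcp\",\"address\":\"${host}\",\"port\":${port}}"

  # One service tying both configs together, tagged for policy matching.
  "$ZITI" edge create service "$svc" --configs "${svc}-intercept,${svc}-host" \
    --role-attributes "${env}-db"

  # Who may dial (developers) and who may bind/host it (only this VPC's router).
  "$ZITI" edge create service-policy "${svc}-dial" Dial \
    --identity-roles '#developers' --service-roles "@${svc}"
  "$ZITI" edge create service-policy "${svc}-bind" Bind \
    --identity-roles "@${env}-router" --service-roles "@${svc}"

  # Developers enter the mesh only through the hub; the service may ride any router.
  "$ZITI" edge create edge-router-policy "${svc}-devs-via-corp" \
    --edge-router-roles '@corp-router' --identity-roles '#developers'
  "$ZITI" edge create service-edge-router-policy "${svc}-routers" \
    --service-roles "@${svc}" --edge-router-roles '#all'
}

# Usage (hostname is a placeholder): create_rds_access dev dev-db.example.internal 5432
```

Run it once per VPC (dev, prod, ...); developers then reach the database at dev-rds.ziti:5432 through their tunneler, and no one without the "developers" attribute can even dial the service.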