Isolating request paths in routers

Let's say we have multiple routers and clients in our ziti network.
I want to define one group of routers as "red group" and another group of routers as "blue group".
I have clients that can be in either "red group" or "blue group".

Is there a way to define policies such that, when a client that is part of the "blue group" makes a request to a ziti service, his traffic only travels through routers that are also part of the "blue group"?

Hello again, @sadath-12. Yes, it's done by placing each router's link listeners or dialers or both into distinct "link groups" (reference) in each router's configuration YAML file.

Then, you must partition the edge policies by identities or services or both, granting them permission to use routers known by roles attributes.

In summary, identities will select a router for services' data path by matching an edge router policy, and routers will find a data path by "link group."

Using your example, let's assume there are four routers:

  1. red1 with role #red-routers
  2. red2 with role #red-routers
  3. blue3 with role #blue-routers
  4. blue4 with role #blue-routers

You'll need two edge router policies:

  1. #red-identities / #red-routers
  2. #blue-identities / #blue-routers

If you're "steering" the traffic by edge router policy (ERP), then you may have a global service edge router policy (SERP) like #all / #all, or you may also wish to partition by services, in which case you must have a SERP for each:

  1. #red-services / #red-routers
  2. #blue-services / #blue-routers

Here's the links snippet from red1's config YAML.

link:
  dialers:
    - binding: transport
      groups:
        - red-routers
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:3022
      advertise:        tls:red1.ziti.example.com:3022
      groups:
        - red-routers

Here's the links snippet from blue3's config YAML.

link:
  dialers:
    - binding: transport
      groups:
        - blue-routers
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:3022
      advertise:        tls:blue3.ziti.example.com:3022
      groups:
        - blue-routers

This will partition the data plane at both layers: identity-to-router edge (or service-to-router edge), and router-to-router fabric links.

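The two-layer partition described in the answer above, as an added example that is not part of the original thread or the OpenZiti project: a small Python model of edge router policies, service edge router policies and link groups, used to check that a blue identity can only land on blue routers and that red and blue routers never form a fabric link. The inventory, policies and identity/service names are constructed, and the link rule (a dialer group must match a listener group) is an assumed simplification.

```python
# Added example, not from the original post or the OpenZiti project: simulates how
# edge router policies (ERP), service edge router policies (SERP) and link groups
# partition the data plane. Role syntax follows OpenZiti ('#attr', '@name', '#all');
# link formation is simplified (assumed): a dialer group must match a listener group.

# Constructed inventory mirroring the post: two red and two blue routers.
ROUTERS = {
    "red1":  {"roles": {"red-routers"},  "dial": {"red-routers"},  "listen": {"red-routers"}},
    "red2":  {"roles": {"red-routers"},  "dial": {"red-routers"},  "listen": {"red-routers"}},
    "blue3": {"roles": {"blue-routers"}, "dial": {"blue-routers"}, "listen": {"blue-routers"}},
    "blue4": {"roles": {"blue-routers"}, "dial": {"blue-routers"}, "listen": {"blue-routers"}},
}
IDENTITIES = {"alice": {"blue-identities"}, "bob": {"red-identities"}}   # constructed
SERVICES = {"blue-web": {"blue-services"}, "red-db": {"red-services"}}   # constructed
ERPS = [("#red-identities", "#red-routers"), ("#blue-identities", "#blue-routers")]  # (identity, router)
SERPS = [("#red-services", "#red-routers"), ("#blue-services", "#blue-routers")]      # (service, router)

def role_matches(selector, name, attrs):
    """Evaluate one role selector against a named entity and its role attributes."""
    if selector == "#all":
        return True
    if selector.startswith("@"):
        return selector[1:] == name
    return selector[1:] in attrs

def routers_for(policies, name, attrs):
    """Union of routers granted to an entity by every policy whose first selector matches it."""
    granted = set()
    for entity_sel, router_sel in policies:
        if role_matches(entity_sel, name, attrs):
            granted |= {r for r, c in ROUTERS.items() if role_matches(router_sel, r, c["roles"])}
    return granted

def edge_routers(identity, service):
    """Edge routers usable for a session: ERP grant for the identity AND SERP grant for the service."""
    return routers_for(ERPS, identity, IDENTITIES[identity]) & routers_for(SERPS, service, SERVICES[service])

def can_link(a, b):
    """Fabric link possible only if one side dials a group the other side listens on."""
    ra, rb = ROUTERS[a], ROUTERS[b]
    return bool(ra["dial"] & rb["listen"]) or bool(rb["dial"] & ra["listen"])

def fabric_reachable(start):
    """All routers reachable from `start` over link-group-compatible hops."""
    seen, frontier = {start}, {start}
    while frontier:
        frontier = {o for r in frontier for o in ROUTERS if o not in seen and can_link(r, o)}
        seen |= frontier
    return seen
```

With this model, `edge_routers("alice", "blue-web")` yields only the blue routers and `fabric_reachable("blue3")` never includes a red router, which is the property the policies and link groups are meant to guarantee.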