I have a controller running in AWS and a website also running on a different instance in AWS. I have set up a tunneler on the server hosting the website and can access the service with OpenZiti. However, it is also still accessible if I go directly to it by DNS name.
I'm confused about how I make it go dark. Do I have to turn off local ports on the server itself, e.g. port 80, etc.? I tried this and could not access the site with OpenZiti then either. Can it be made dark with a simple site like this, or does it need to be built into the host?
Sure! You can publish a website with Ziti. One way to avoid confusion is to use different domain names for Ziti and non-Ziti.
For example, if you're migrating the site www.example.com to publishing the site with Ziti, you can create your Ziti service config with www.ziti.example.com. Then, when everything is working correctly, you can change it to www.example.com and delete the non-Ziti DNS record.
That way, there's only one way to get to the Ziti-published site, avoiding the confusion of having the same name for both ways of getting to the site (Ziti and non-Ziti).
You've got the right idea. The Ziti tunneler on the server host will provide an exit point from the Ziti network to the web server. You could also create a Ziti service config for the SSH server.
When both of these work with distinct domain names (so you can be certain you're accessing them with Ziti), you can block incoming ports from the internet.
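The procedure from the answer above (publish under a distinct Ziti-only name first, then close the public port), as an added example; this is not the poster's or OpenZiti's own code. It assumes a ziti CLI already logged in to the controller, a hosting tunneler identity with role attribute web-hosts, client identities with role attribute web-clients, and a placeholder security group id; the point to notice is that the web server keeps listening locally for the tunneler and only the internet-facing ingress is revoked.

```shell
#!/usr/bin/env bash
# Added example: publish the site under a Ziti-only name, then make the public path dark.
# Assumptions (not from the thread): ziti CLI already logged in to the controller, the
# tunneler identity on the web host has role attribute "web-hosts", client identities have
# role attribute "web-clients", SG_ID is a placeholder for the web host's security group.
set -eu

ZITI_NAME="${ZITI_NAME:-www.ziti.example.com}"   # reachable only through Ziti
LOCAL_ADDR="${LOCAL_ADDR:-127.0.0.1}"            # the web server keeps listening here
PUBLIC_NAME="${PUBLIC_NAME:-www.example.com}"    # old internet-facing name
SG_ID="${SG_ID:-sg-PLACEHOLDER}"

# Client side: the tunneler on enrolled endpoints intercepts this name and port.
intercept_config() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":80,"high":80}]}' "$ZITI_NAME"
}

# Server side: the hosting tunneler forwards Ziti traffic to the local web server.
host_config() {
  printf '{"protocol":"tcp","address":"%s","port":80}' "$LOCAL_ADDR"
}

# DRY_RUN=1 prints each command instead of executing it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

publish_service() {
  run ziti edge create config web-intercept intercept.v1 "$(intercept_config)"
  run ziti edge create config web-host host.v1 "$(host_config)"
  run ziti edge create service web --configs web-intercept,web-host
  # Least privilege: only web-hosts may Bind (host), only web-clients may Dial.
  run ziti edge create service-policy web-bind Bind --service-roles '@web' --identity-roles '#web-hosts'
  run ziti edge create service-policy web-dial Dial --service-roles '@web' --identity-roles '#web-clients'
}

# Go dark: revoke internet ingress on port 80 at the security group. Do not stop the
# web server itself; the tunneler still needs the local listener on LOCAL_ADDR.
close_public_port() {
  run aws ec2 revoke-security-group-ingress --group-id "$SG_ID" \
      --protocol tcp --port 80 --cidr 0.0.0.0/0
}

# Returns 0 when the Ziti name answers and the public name does not (run from an enrolled client).
verify_dark() {
  curl -fsS --max-time 5 "http://$ZITI_NAME/" >/dev/null || return 1
  ! curl -fsS --max-time 5 "http://$PUBLIC_NAME/" >/dev/null
}
```

Source the script and call publish_service, then close_public_port once the Ziti name works, and verify_dark from an enrolled client; set DRY_RUN=1 first to review the exact commands.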