Openziti design question

Hey KittySammy123, welcome!

  1. We have some benchmark tests; here is a sizing guide which includes concurrent data sessions - https://support.netfoundry.io/hc/en-us/articles/360025875331-NetFoundry-Gateway-Sizing-Guide. What is important to note is that OpenZiti is built to be highly scalable, so you can scale up (bigger VMs) or scale out (deploy more machines). OpenZiti’s smart routing will balance sessions across the data-plane for scale-out while determining the lowest latency paths.

  2. Going to split this into sub-sections:

  • To be clear, do you want to make the administration plane ‘dark’ to the network with no inbound ports? If yes, this has been discussed in other threads - Making ZAC dark - #20 by markamind - and was demonstrated on ZitiTV - Ziti TV - Making ZAC (and the Management API) DARK! - YouTube.
  • I believe your work/desire to implement SPA (single-packet authentication) could be useful for communication between ziti-client and the ziti-controller.
  • Currently, the controller only ‘listens’ on ports 443 and 80, and only accepts connections from authenticated endpoints (which have bootstrapped trust), but it still processes requests from anyone. Thus, it is not protected from DDoS attacks as much as we would like right now. We are actively developing an HA control plane which reduces the risk of this type of attack. Someone in the community has mentioned developing AI/ML for service assurance to implement self-healing if an underlying component is compromised (e.g., DDoS against control or data plane).
  • Therefore, it could be very interesting to implement SPA between the ziti-client and the ziti-controller as some type of cryptographic “knock knock” on the door to open it.
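The SPA "knock knock" idea from the last bullet, worked through as an added example (this is not OpenZiti code and not a format the project uses): a verifier for a one-packet authorization message that a listener in front of the controller could check before it answers a client at all. The packet layout, the per-client shared keys, the `Verifier` and `Tag` names, the clock-skew window and the client ID values are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Assumed knock layout (not an OpenZiti format), 64 bytes in all:
// clientID (16, zero padded) | unix seconds (8) | nonce (8) | HMAC-SHA256 tag (32).
const idLen, tsLen, hdrLen = 16, 8, 16 + 8 + 8

// Tag is the MAC a client appends to the 32-byte header; the same call checks it server-side.
func Tag(key, header []byte) []byte { m := hmac.New(sha256.New, key); m.Write(header); return m.Sum(nil) }

// Verifier: per-client shared secrets, the accepted clock skew in seconds, and a replay cache.
type Verifier struct {
	Keys   map[string][]byte
	Window int64
	seen   map[string]bool // nonces already accepted inside the window (single goroutine, no lock)
}

// Verify returns the client ID for an authentic, fresh, unreplayed knock. Every failure is
// silent toward the sender: the listener answers nothing until a knock checks out.
func (v *Verifier) Verify(pkt []byte, now int64) (string, error) {
	if len(pkt) != hdrLen+sha256.Size {
		return "", errors.New("bad length")
	}
	id := string(bytes.TrimRight(pkt[:idLen], "\x00"))
	// Unknown IDs must not reach HMAC with an empty key; the tag check comes first so forgeries never touch state.
	if key, ok := v.Keys[id]; !ok || !hmac.Equal(Tag(key, pkt[:hdrLen]), pkt[hdrLen:]) {
		return "", errors.New("unauthentic")
	}
	ts := int64(binary.BigEndian.Uint64(pkt[idLen:]))
	if d := now - ts; d > v.Window || d < -v.Window {
		return "", errors.New("stale") // the window also bounds how long a nonce must be remembered
	}
	nonce := string(pkt[idLen+tsLen : hdrLen])
	if v.seen == nil {
		v.seen = map[string]bool{}
	} else if v.seen[nonce] {
		return "", errors.New("replay")
	}
	v.seen[nonce] = true
	return id, nil
}
```

A forged, stale or replayed knock gets no reply, which is what keeps the port dark to anyone without the shared key; a long-running listener would additionally expire cache entries older than the window, which this example leaves out.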