@TheLumberjack hey again. I would like to come back to this post I spoke on before: Is this AWS architecture correct for OpenZiti ZTNA?
I have been able to set up OpenZiti ZTNA but I'm having issues. I set up the following:
I set up a Ziti Controller and a Ziti Edge Router in public subnets, each on its own server, using Docker Compose. (These are in VPC CIDR CORP.)
The Ziti Controller has 1280 TCP 0.0.0.0/0 in its AWS SG.
The Ziti Edge Router has 3200 TCP 0.0.0.0/0 in its AWS SG.
I can communicate with my DBs in CORP, so no issues there.
It's only when I want to have the Edge Router in DEV VPC CIDR communicate with my CORP VPC CIDR.
To my question: what do I need to configure on the Ziti Edge Router in DEV to communicate internally with the CORP Ziti Edge Router? I have read that I will need to modify ZITI_ROUTER_MODE to none?
Thank you for reading my post, and awesome project. Had fun setting this up.
Documentation I followed for the setup:
UPDATE:
Weirdly enough, it shows it's connected:
ssm-user@ip-10-50-33-55:~$ ziti fabric list links
╭────────────────────────┬─────────────┬──────────────┬─────────────┬─────────────┬─────────────┬───────────┬────────┬───────────┬───────────────────────────────────────────────────────────────╮
│ ID │ DIALER │ ACCEPTOR │ STATIC COST │ SRC LATENCY │ DST LATENCY │ STATE │ STATUS │ FULL COST │ CONNECTIONS │
├────────────────────────┼─────────────┼──────────────┼─────────────┼─────────────┼─────────────┼───────────┼────────┼───────────┼───────────────────────────────────────────────────────────────┤
│ 3j43333kjk4j3kk3l │ dev-router0 │ corp-router0 │ 1 │ 4.3ms │ 4.4ms │ Connected │ up │ 9 │ link.default: tcp:172.18.0.2:41602 -> tcp:18.19.55.145:3022 │
│ │ │ │ │ │ │ │ │ │ link.default: tcp:172.18.0.2:43126 -> tcp:18.19.55.145:3022 │
│ │ │ │ │ │ │ │ │ │ link.ack: tcp:172.18.0.2:43138 -> tcp:18.19.55.145:3022 │
│ │ │ │ │ │ │ │ │ │ link.default: tcp:172.18.0.2:43140 -> tcp:18.19.55.145:3022 │
╰────────────────────────┴─────────────┴──────────────┴─────────────┴─────────────┴─────────────┴───────────┴────────┴───────────┴───────────────────────────────────────────────────────────────╯
results: 1-1 of 1
Disregard. I got it to work. I just placed a fake placeholder for the Edge Router ZITI_ROUTER_ADVERTISED_ADDRESS, since it's not communicating outbound, and updated the AWS SGs to intercommunicate with each other.
Hi @MacFee. I'm not 100% sure I followed what the problem is/was, but I'm glad you got it sorted and had fun doing it! :) I suspect ZITI_ROUTER_ADVERTISED_ADDRESS was what you used when installing the router? Maybe that's what you mean?
You might enjoy having a look into "link dialers" and "link listeners". A link listener is a router that accepts incoming links from other routers; a link dialer only dials outbound links. So you could have your corp routers have "link listeners" (no dialers; just beware they won't dial between corp router and corp router if you remove all dialers), and then your internal router would just have link dialers (no listeners).
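The split described in the reply above, written out as router configuration. This is an added example, not the thread's own config or a file shipped by the OpenZiti project: two router YAML documents, one for corp-router0 (public subnet, accepts links only) and one for dev-router0 (private, dials links only). Hostnames, file paths and the csr values are assumptions; the 3022 link port and the 1280 controller port mirror what the thread's output and security groups show, and the edge and link listeners sharing 3022 follows the same output. The link role lives in the `link:` section; ZITI_ROUTER_MODE in the Docker image selects the tunneler mode (the `tunnel` listener's `mode` below), which is a separate setting.

```yaml
# corp-router0: link listener, no link dialer.
v: 3
identity:
  cert: /persistent/corp-router0.cert                 # assumed paths
  server_cert: /persistent/corp-router0.server.chain.cert
  key: /persistent/corp-router0.key
  ca: /persistent/corp-router0.cas
ctrl:
  endpoint: tls:ziti-controller.corp.internal:1280    # assumed hostname; port from the thread's SG
link:
  # No "dialers" key, so this router never dials other routers. As the reply
  # warns, corp routers with no dialer will not form links with each other.
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:3022
      # This is the address other routers dial; in the Docker image it is what
      # ZITI_ROUTER_ADVERTISED_ADDRESS renders into (assumed). It must resolve
      # and be reachable from the DEV VPC, so the corp SG needs TCP/3022 inbound
      # from the DEV VPC CIDR (a source-CIDR rule is tighter than 0.0.0.0/0).
      advertise: tls:corp-router0.corp.internal:3022
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: corp-router0.corp.internal:3022
  - binding: tunnel
    options:
      mode: host          # what ZITI_ROUTER_MODE=host sets; unrelated to links
edge:
  csr:
    country: US           # assumed csr values
    province: NC
    locality: Charlotte
    organization: Example
    organizationalUnit: Ziti
    sans:
      dns:
        - corp-router0.corp.internal
---
# dev-router0: link dialer, no link listener.
v: 3
identity:
  cert: /persistent/dev-router0.cert
  server_cert: /persistent/dev-router0.server.chain.cert
  key: /persistent/dev-router0.key
  ca: /persistent/dev-router0.cas
ctrl:
  endpoint: tls:ziti-controller.corp.internal:1280    # outbound TCP/1280 from DEV to the controller
link:
  dialers:
    - binding: transport
  # No "listeners" key: nothing is advertised for links, so no placeholder
  # advertised address is needed and the DEV SG needs no inbound link rule.
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: dev-router0.dev.internal:3022   # reachable only inside DEV (assumed)
  - binding: tunnel
    options:
      mode: host
edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: Example
    organizationalUnit: Ziti
    sans:
      dns:
        - dev-router0.dev.internal
```

With this split, `ziti fabric list links` should show a single link with dev-router0 as DIALER and corp-router0 as ACCEPTOR; a second link in the other direction would mean the corp router still carries a dialer and a reachable dev advertise address.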
MacFee
May 28, 2026, 12:26am
4
Yes, ZITI_ROUTER_ADVERTISED_ADDRESS is what I used in the router, and it worked. It was more about how I wanted the DEV router to speak to the CORP router privately. I made configurations of the dial mechanism with the help of trusty AI, and it did work. There are some modifications I still need to clean up, but this is what I have:
ssm-user@ip-10-40-50-60:~$ ./ziti-diagnostics.sh
==========================================================
OpenZiti Network State Diagnostic Script
==========================================================
---> Listing Identities...
╭────────────┬───────────────┬─────────┬────────────────────┬─────────────╮
│ ID │ NAME │ TYPE │ ATTRIBUTES │ AUTH-POLICY │
├────────────┼───────────────┼─────────┼────────────────────┼─────────────┤
│ RtrDev0001 │ dev-router0 │ Router │ dev-backend-hosts │ Default │
│ UsrId00001 │ user-01 │ Default │ staff │ Default │
│ UsrId00002 │ user-02 │ Default │ staff │ Default │
│ AdmId00000 │ Default Admin │ Default │ │ Default │
│ UsrId00003 │ user-03 │ Default │ staff │ Default │
│ UsrId00004 │ user-04 │ Default │ staff │ Default │
│ RtrCrp0001 │ corp-router0 │ Router │ corp-backend-hosts │ Default │
│ UsrId00005 │ user-05 │ Default │ staff │ Default │
│ UsrId00006 │ user-06 │ Default │ staff │ Default │
╰────────────┴───────────────┴─────────┴────────────────────┴─────────────╯
results: 1-9 of 9
---> Listing Services...
╭────────────────────────┬────────────────────────┬────────────┬─────────────────────┬───────────────╮
│ ID │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│ │ │ REQUIRED │ │ │
├────────────────────────┼────────────────────────┼────────────┼─────────────────────┼───────────────┤
│ SvcXXXX000000000000001 │ dev-gitlab-ssh │ true │ smartrouting │ dev-services │
│ SvcXXXX000000000000002 │ dev-base-valkey │ true │ smartrouting │ dev-services │
│ SvcXXXX000000000000003 │ dev-core-postgres │ true │ smartrouting │ dev-services │
│ SvcXXXX000000000000004 │ corp-core-valkey │ true │ smartrouting │ corp-services │
│ SvcXXXX000000000000005 │ dev-sitechat-postgres │ true │ smartrouting │ dev-services │
│ SvcXXXX000000000000006 │ dev-warehouse-redshift │ true │ smartrouting │ dev-services │
│ SvcXXXX000000000000007 │ dev-sitechat-valkey │ true │ smartrouting │ dev-services │
│ SvcXXXX000000000000008 │ dev-authv2-valkey │ true │ smartrouting │ dev-services │
│ SvcXXXX000000000000009 │ dev-redash-postgres │ true │ smartrouting │ dev-services │
│ SvcXXXX000000000000010 │ dev-auth-valkey │ true │ smartrouting │ dev-services │
╰────────────────────────┴────────────────────────┴────────────┴─────────────────────┴───────────────╯
results: 1-10 of 16
---> Listing Service Policies...
╭────────────────────────┬──────────────────────┬──────┬──────────┬────────────────┬─────────────────────┬─────────────────────╮
│ ID │ NAME │ TYPE │ SEMANTIC │ SERVICE ROLES │ IDENTITY ROLES │ POSTURE CHECK ROLES │
├────────────────────────┼──────────────────────┼──────┼──────────┼────────────────┼─────────────────────┼─────────────────────┤
│ PolXXXX000000000000001 │ dev-dial │ Dial │ AnyOf │ #dev-services │ #staff │ │
│ PolXXXX000000000000002 │ corp-dial │ Dial │ AnyOf │ #corp-services │ #staff │ │
│ PolXXXX000000000000003 │ corp-backend-binding │ Bind │ AnyOf │ #corp-services │ #corp-backend-hosts │ │
│ PolXXXX000000000000004 │ prod-dial │ Dial │ AnyOf │ #prod-services │ #staff │ │
│ PolXXXX000000000000005 │ dev-bind │ Bind │ AnyOf │ #dev-services │ #dev-backend-hosts │ │
│ PolXXXX000000000000006 │ prod-bind │ Bind │ AnyOf │ #prod-services │ #prod-backend-hosts │ │
╰────────────────────────┴──────────────────────┴──────┴──────────┴────────────────┴─────────────────────┴─────────────────────╯
results: 1-6 of 6
---> Listing Configs...
╭────────────────────────┬──────────────────────────────────┬──────────────╮
│ ID │ NAME │ CONFIG TYPE │
├────────────────────────┼──────────────────────────────────┼──────────────┤
│ CfgXXXX000000000000001 │ dev-sitechat-valkey-host │ host.v1 │
│ CfgXXXX000000000000002 │ dev-mqtt-valkey-intercept │ intercept.v1 │
│ CfgXXXX000000000000003 │ corp-core-valkey-host │ host.v1 │
│ CfgXXXX000000000000004 │ dev-redash-valkey-host │ host.v1 │
│ CfgXXXX000000000000005 │ dev-gitlab-web-intercept │ intercept.v1 │
│ CfgXXXX000000000000006 │ dev-warehouse-redshift-intercept │ intercept.v1 │
│ CfgXXXX000000000000007 │ dev-redash-valkey-intercept │ intercept.v1 │
│ CfgXXXX000000000000008 │ dev-redash-postgres-intercept │ intercept.v1 │
│ CfgXXXX000000000000009 │ dev-core-postgres-host │ host.v1 │
│ CfgXXXX000000000000010 │ dev-base-valkey-intercept │ intercept.v1 │
╰────────────────────────┴──────────────────────────────────┴──────────────╯
results: 1-10 of 32
---> Listing Edge Routers...
╭────────────┬──────────────┬────────┬───────────────┬──────┬────────────────────╮
│ ID │ NAME │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼──────────────┼────────┼───────────────┼──────┼────────────────────┤
│ RtrDev0001 │ dev-router0 │ true │ true │ 0 │ dev-backend-hosts │
│ │ │ │ │ │ dev-routers │
│ RtrCrp0001 │ corp-router0 │ true │ true │ 0 │ corp-backend-hosts │
│ │ │ │ │ │ corp-routers │
╰────────────┴──────────────┴────────┴───────────────┴──────┴────────────────────╯
results: 1-2 of 2
---> Listing Edge Router Policies (ERPs)...
╭────────────────────────┬───────────────────────────────┬──────────────────────────────────────────┬─────────────────────╮
│ ID │ NAME │ EDGE ROUTER ROLES │ IDENTITY ROLES │
├────────────────────────┼───────────────────────────────┼──────────────────────────────────────────┼─────────────────────┤
│ ErpXXXX000000000000001 │ prod-router-bind │ #prod-routers │ #prod-backend-hosts │
│ ErpXXXX000000000000002 │ dev-router-bind │ #dev-routers │ #dev-backend-hosts │
│ ErpXXXX000000000000003 │ edge-router-RtrDev0001-system │ @dev-router0 │ @dev-router0 │
│ ErpXXXX000000000000004 │ corp-router-bind │ #corp-routers │ #corp-backend-hosts │
│ ErpXXXX000000000000005 │ staff-to-router │ #corp-routers #dev-routers #prod-routers │ #staff │
│ ErpXXXX000000000000006 │ edge-router-RtrCrp0001-system │ @corp-router0 │ @corp-router0 │
╰────────────────────────┴───────────────────────────────┴──────────────────────────────────────────┴─────────────────────╯
results: 1-6 of 6
---> Listing Service Edge Router Policies (SERPs)...
╭────────────────────────┬───────────────────────┬────────────────┬───────────────────╮
│ ID │ NAME │ SERVICE ROLES │ EDGE ROUTER ROLES │
├────────────────────────┼───────────────────────┼────────────────┼───────────────────┤
│ SrpXXXX000000000000001 │ prod-services-on-corp │ #prod-services │ #corp-routers │
│ SrpXXXX000000000000002 │ dev-services-on-corp │ #dev-services │ #corp-routers │
│ SrpXXXX000000000000003 │ corp-routers │ #corp-services │ #corp-routers │
│ SrpXXXX000000000000004 │ prod-routers │ #prod-services │ #prod-routers │
│ SrpXXXX000000000000005 │ dev-routers │ #dev-services │ #dev-routers │
╰────────────────────────┴───────────────────────┴────────────────┴───────────────────╯
results: 1-5 of 5
---> Listing Fabric Links...
╭────────────────────────┬──────────────┬──────────────┬─────────────┬─────────────┬─────────────┬───────────┬────────┬───────────┬───────────────────────────────────────────────────────────────╮
│ ID │ DIALER │ ACCEPTOR │ STATIC COST │ SRC LATENCY │ DST LATENCY │ STATE │ STATUS │ FULL COST │ CONNECTIONS │
├────────────────────────┼──────────────┼──────────────┼─────────────┼─────────────┼─────────────┼───────────┼────────┼───────────┼───────────────────────────────────────────────────────────────┤
│ LnkXXXX000000000000001 │ corp-router0 │ dev-router0 │ 1 │ 2.6ms │ 65000.0ms │ Connected │ up │ 65003 │ link.default: tcp:192.168.100.10:43354 -> tcp:203.0.113.50:3022 │
│ │ │ │ │ │ │ │ │ │ link.default: tcp:192.168.100.10:43364 -> tcp:203.0.113.50:3022 │
│ │ │ │ │ │ │ │ │ │ link.ack: tcp:192.168.100.10:43374 -> tcp:203.0.113.50:3022 │
│ │ │ │ │ │ │ │ │ │ link.default: tcp:192.168.100.10:43388 -> tcp:203.0.113.50:3022 │
│ LnkXXXX000000000000002 │ dev-router0 │ corp-router0 │ 1 │ 4.4ms │ 4.5ms │ Connected │ up │ 9 │ link.default: tcp:192.168.100.10:60496 -> tcp:203.0.113.50:3022 │
│ │ │ │ │ │ │ │ │ │ link.default: tcp:192.168.100.10:43824 -> tcp:203.0.113.50:3022 │
│ │ │ │ │ │ │ │ │ │ link.ack: tcp:192.168.100.10:43830 -> tcp:203.0.113.50:3022 │
│ │ │ │ │ │ │ │ │ │ link.default: tcp:192.168.100.10:43842 -> tcp:203.0.113.50:3022 │
╰────────────────────────┴──────────────┴──────────────┴─────────────┴─────────────┴─────────────┴───────────┴────────┴───────────┴───────────────────────────────────────────────────────────────╯
results: 1-2 of 2
---> Listing Ziti Terminators...
╭────────────────────────┬────────────────────────┬──────────────┬─────────┬────────────────────────┬──────────┬──────┬────────────┬──────────────╮
│ ID │ SERVICE │ ROUTER │ BINDING │ ADDRESS │ IDENTITY │ COST │ PRECEDENCE │ DYNAMIC COST │
├────────────────────────┼────────────────────────┼──────────────┼─────────┼────────────────────────┼──────────┼──────┼────────────┼──────────────┤
│ TtfXXXX000000000000001 │ dev-warehouse-redshift │ dev-router0 │ tunnel │ TtfXXXX000000000000001 │ │ 0 │ default │ 0 │
│ TtfXXXX000000000000002 │ dev-gitlab-ssh │ dev-router0 │ tunnel │ TtfXXXX000000000000002 │ │ 0 │ default │ 0 │
│ TtfXXXX000000000000003 │ dev-sitechat-postgres │ dev-router0 │ tunnel │ TtfXXXX000000000000003 │ │ 0 │ default │ 0 │
│ TtfXXXX000000000000004 │ dev-redash-valkey │ dev-router0 │ tunnel │ TtfXXXX000000000000004 │ │ 0 │ default │ 0 │
│ TtfXXXX000000000000005 │ dev-sitechat-valkey │ dev-router0 │ tunnel │ TtfXXXX000000000000005 │ │ 0 │ default │ 0 │
│ TtfXXXX000000000000006 │ dev-authv2-valkey │ dev-router0 │ tunnel │ TtfXXXX000000000000006 │ │ 0 │ default │ 0 │
│ TtfXXXX000000000000007 │ dev-gitlab-web │ dev-router0 │ tunnel │ TtfXXXX000000000000007 │ │ 0 │ default │ 0 │
│ TtfXXXX000000000000008 │ dev-mqtt-valkey │ dev-router0 │ tunnel │ TtfXXXX000000000000008 │ │ 0 │ default │ 0 │
│ TtfXXXX000000000000009 │ dev-core-postgres │ dev-router0 │ tunnel │ TtfXXXX000000000000009 │ │ 0 │ default │ 0 │
│ TtfXXXX000000000000010 │ corp-core-postgres │ corp-router0 │ tunnel │ TtfXXXX000000000000010 │ │ 0 │ default │ 0 │
╰────────────────────────┴────────────────────────┴──────────────┴─────────┴────────────────────────┴──────────┴──────┴────────────┴──────────────╯
results: 1-10 of 16
Am I doing this right, where the Dial is being routed to the corp-router from the dev-router? I'm able to connect to DEV services.
Also, 2 more questions:
Is there a method using Docker Compose to have an HA Ziti controller so if 1 server goes down another can take its place?
Same thing with docker-compose, but what about snapshots? I have read here but am still confused: Controller Backup and Recovery | NetFoundry Documentation
It's hard to know for sure, tbh, but if it works it sure seems like it to me.
"Another server" meaning a fully different VM, right? Not just another Docker container? I'm not sure if there's a Docker Compose recipe for a single VM at this time. I'm actually starting to look into this for the docs/getting started guides/testing, but I'll keep this in mind as I go through that process.
We had that doc in the queue and it was published yesterday. I think you'll find what you need here, but if not let us know: Operating a Controller Cluster | NetFoundry Documentation.
The doc will be getting rearranged soon, so if anyone finds this thread in the future, find the "snapshot" or "restore" keywords using search.