Regarding Outbound Connection

Hi

This allows the services and routers in your private networks to make only outbound connections, so no holes have to be opened for inbound traffic.

In the Docker compose example, who establishes an outbound connection with whom? I am puzzled about this.

Hi @alleniverson33, you're merging two sections of doc together and expecting them to align... The section you highlighted comes from the Key Concepts section and is under "dark services". Key Concepts | OpenZiti. It's attempting to explain what a "dark" service means in our terms, as it's not a commonly used phrase. USUALLY, this means with respect to the internet. However, when you look at it through the lens of docker, what this means is that anything within the docker network is not addressable by processes outside of the docker network.

Using the complex docker compose example quickstart, the topology looks like this:

In this situation the blue network is entirely private. It's not exposed via docker's port mapping functionality. The same is true for the red network. These "private networks" only dial outbound of their private network to form a link to the two routers in the purple network.

Hopefully that helps clear things up, cheers

ziti-private-blue outbound connection to public router?


Like this picture
The firewall did not open any ports, but the Edge Router can still access the service. Is it because the Ziti Tunneler used an outbound connection to establish a long-lived connection with the Edge Router?

In that picture, both tunnelers behind both firewalls dialed outbound connections to edge routers, allowing the browser on the left to connect to the webserver on the right

When I was using the Docker Quick Start example, I found that the public router can still access the sample service by disabling the tunnel option. I want to know if this is correct?

Yeah, this is an artifact of how docker works... It's why the network is called the purple network... It's red+blue. The only way to allow the blue router to connect to the public edge router, both need to be in the same network... It's just how docker works...

If you want to PROVE it to yourself, you can make one more network and place the private blue router and web server in that network (but not the edge router) and remove the web server from the blue network... Does that make sense? If you do that, it'll behave like you are thinking it should. It complicates the network diagram and compose file though... It's a balance.

Hope that helps
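The extra-network layout suggested above, written out as a compose fragment. This is an added illustration, not the quickstart's own compose file: the service and network names (`ziti-private-blue`, `ziti-public-router`, `web-server`, `blue-isolated`) are assumptions, as is the image placeholder. The point it shows is that the web server sits only on a network the public edge router is not attached to, so the only path to it is through the private blue router, which itself dials outbound into the purple network to reach the public router.

```yaml
# Added example (not the OpenZiti quickstart compose file). Names are placeholders.
networks:
  purple:           # shared network: private routers dial outbound to the public router here
  blue:             # original blue network, kept for any other blue-side containers
  blue-isolated:    # new network: only the blue router and the web server are attached

services:
  ziti-public-router:
    image: PLACEHOLDER_ZITI_ROUTER_IMAGE
    networks:
      - purple      # NOT attached to blue-isolated, so it cannot reach web-server directly

  ziti-private-blue:
    image: PLACEHOLDER_ZITI_ROUTER_IMAGE
    networks:
      - purple        # needed so this router can dial outbound to ziti-public-router
      - blue
      - blue-isolated # the only router that can reach web-server

  web-server:
    image: PLACEHOLDER_WEB_IMAGE
    networks:
      - blue-isolated # removed from blue and purple; reachable only via ziti-private-blue
    # no "ports:" mapping, so nothing is exposed on the docker host either
```

With this layout, disabling the tunneler should leave `ziti-public-router` unable to reach `web-server` by address, which is the behaviour the original question expected; the public router only ever sees the link that `ziti-private-blue` dialed to it.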

I seem to have a better understanding now. Things on the internet are really a headache. Thank you very much