Secure access to ziti services from public clouds

Hi, I have deployed an application in a private subnet that is accessible inside the ziti network.

The user accesses that application via a ziti tunnel. Sometimes the user might want external SaaS services to connect to that application securely; in that case, what are the options available to me?

How do I give the user access to that application from other public SaaS in a secure way?

Sometimes it's possible to use OpenZiti with a SaaS, sometimes it won't be. If the SaaS provider allows you to deploy a router into the private network space of your app, that's the recommended way to allow the SaaS offering to access a resource protected by OpenZiti. If it's a BI-type SaaS making database requests, then you could use ZDBC, which allows you to embed zero trust access into the SaaS itself by using the Java SDK. See ziti-sdk-jvm/ziti-jdbc at main · openziti/ziti-sdk-jvm · GitHub

Lastly, the "worst case"/other way would be to set up a router/ziti-edge-tunnel on a known machine and expose a port to the internet, but restrict access to that machine/IP/port to just the SaaS exit IP. That isn't "great", but it is probably your only option if the SaaS doesn't let you put that OpenZiti tech in its private networking space.

Is there a way to write some rules within the controller to accept? E.g. this is a screenshot of the Hex SQL IDE. It has the following parameters and an option to add session params. Is there a way to use any of this to write any admission exceptions that combine the last option you provided with something else?

Hi @bazooka720, welcome to the community and to OpenZiti!

At this time, no, it's not possible to inject any logic into the controller in that way. OpenZiti operates at the connection level, not at the application layer.

Thanks! The public SaaS examples are data engineering solutions like dbt, BI SaaS, or browser-based SQL/Python IDEs. Most likely they have a domain name to connect to if we need to whitelist. Can you confirm what the "exit IP" you refer to above is? Not sure if this is something we can get? (We assume that the SaaS provider won't allow OpenZiti tech inside their private networking space.) Are there folks who have used this approach? Are there any other approaches? E.g. there is a secure browser through the tunnel as well. Would it work?

@bazooka720 @TheLumberjack correct me if I'm wrong.

The IPs that those SaaS show are for making sure our database allows connections from them.

Regarding the ziti browser, it's a browser tab with which we can join the ziti network as a client, and in this case it's a tunnel. Basically, I mean we will be able to request *.ziti.internal sort of URLs in that browser tab.

This browser tab can't be used to open external SaaS URLs and connect to ziti private domains.

Yes. I would expect the SaaS to have a pool of IPs that their traffic comes from, which you could whitelist. It's not ideal because any traffic exiting from that SaaS would have access to the service. That's obviously not what you want, but it might be the best you can get. Some SaaS allow you to install a container that would be in your private address spaces (I'm thinking the AWS/Azure/GCP type SaaS providers for example).

I don't know of any other approaches, myself. None are coming to mind.

That's definitely the reverse/other side of the example above, where you steer your traffic through a given exit so that the SaaS can whitelist for access TO that service.

Just my opinion, but SaaS providers without the ability to deploy a container into your "private address space" are generally not considering the benefits of a zero trust paradigm worth it to their business. You can try to encourage them to adopt OpenZiti though! 🙂
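The "worst case" option discussed in this thread (a router or ziti-edge-tunnel on a known machine with one forwarded port exposed to the internet, reachable only from the SaaS provider's published exit IPs) comes down to an ingress allowlist on that machine. The example below is added here to illustrate that allowlist; it is not code from the thread or from the OpenZiti project. The exit ranges, the forwarded port (5432, a Postgres-style database port) and the nftables table name are all assumptions; the IP ranges are RFC 5737 documentation addresses, not any real provider's. It validates the CIDRs (a CIDR with host bits set is rejected rather than silently widened), evaluates constructed connection attempts against the policy, and emits an nftables fragment that accepts the exposed port only from the allowlisted set and drops it from everywhere else.

```python
"""Constructed example: allowlist the exposed router/ziti-edge-tunnel host so that
only a SaaS provider's published exit IPs can reach the one forwarded port.
Not OpenZiti code; the ranges, port and table name below are assumptions."""
import ipaddress
from typing import Iterable, List, Tuple

# Assumption: hypothetical exit ranges a SaaS might publish (RFC 5737 documentation
# ranges, not a real provider's). A real deployment pastes the provider's list here.
SAAS_EXIT_CIDRS = ["203.0.113.0/28", "198.51.100.24/29"]
# Assumption: the port forwarded on the known machine to the ziti-protected service.
EXPOSED_PORT = 5432


def build_allowlist(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDRs strictly: '203.0.113.5/28' (host bits set) is a typo that would
    otherwise be widened to the whole /28, so fail closed with a ValueError."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # raises on host bits set
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"only IPv4 exit ranges are handled here: {cidr}")
        nets.append(net)
    return nets


def is_allowed(src_ip: str, dst_port: int, allowlist: List[ipaddress.IPv4Network],
               exposed_port: int = EXPOSED_PORT) -> bool:
    """Policy decision for one inbound connection: the forwarded port is admitted
    only from the SaaS exit ranges; nothing else is admitted by this policy."""
    if dst_port != exposed_port:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allowlist)


def audit(attempts: Iterable[Tuple[str, int]],
          allowlist: List[ipaddress.IPv4Network]) -> List[Tuple[str, int, bool]]:
    """Evaluate a batch of (src_ip, dst_port) attempts and return the decisions."""
    return [(src, port, is_allowed(src, port, allowlist)) for src, port in attempts]


def nftables_ruleset(cidrs: Iterable[str], port: int, table: str = "saas_ingress") -> str:
    """Render the same policy as an nftables fragment. It only governs the exposed
    port (policy accept), so the host's existing rules for SSH etc. are untouched;
    the caller loads it with `nft -f`. Any tenant of the SaaS sharing that exit
    pool still passes this filter, which is the residual risk noted in the thread."""
    elements = ", ".join(str(n) for n in build_allowlist(cidrs))
    return (
        f"table inet {table} {{\n"
        f"  set saas_exit {{\n"
        f"    type ipv4_addr\n"
        f"    flags interval\n"
        f"    elements = {{ {elements} }}\n"
        f"  }}\n"
        f"  chain input {{\n"
        f"    type filter hook input priority 0; policy accept;\n"
        f"    tcp dport {port} ip saddr @saas_exit accept\n"
        f"    tcp dport {port} drop\n"
        f"  }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    allow = build_allowlist(SAAS_EXIT_CIDRS)
    # Constructed attempts: inside the pool, just outside it, and the wrong port.
    attempts = [("203.0.113.5", 5432), ("203.0.113.16", 5432),
                ("198.51.100.31", 5432), ("203.0.113.5", 22)]
    for src, port, ok in audit(attempts, allow):
        print(f"{src}:{port} -> {'accept' if ok else 'drop'}")
    print(nftables_ruleset(SAAS_EXIT_CIDRS, EXPOSED_PORT))
```

Note that this restricts who can reach the forwarded port, not what they can do once connected; the service behind it still needs its own authentication, and any traffic leaving the SaaS from those exit addresses passes the filter, as the replies above point out.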