Types of Router

Hi team,

I'm currently exploring OpenZiti and have successfully implemented it using the quickstart guide. now I'm eager to gain a deeper understanding of its individual components. While reviewing various documents and videos, I've encountered a few unanswered questions:

  1. What are the different types of router configurations available in OpenZiti?
  2. Can you elaborate on the distinctions between Edge routers, Fabric routers, Transit routers, and Private routers?

I'm not sure of the first question, but the reply to the second may make it clearer. If ti doesn't answer the question, let me know.

All the routers are the same software process. Fabric routers are defined by only serving tunneled traffic, not intercepting or emitting service traffic nor do they have an Edge Listener configured. Edge Routers have an Edge Listener configured to allow tunneler clients to dial services. They can also intercept off a LAN or WAN interface (raw TCP or UDP) or emit towards a host that does not have a tunneler configured. Transit routers is an old term that roughly equates to Fabric Routers, they have publicly addressable IPs and are part of the mesh used to deliver the actual services by taking traffic in on one link and sending it out on another. Private Routers are the complement to Transit Routers, they are not publicly addressable, and for the edges of the network under most circumstances. (Theoretically, you could have multiple routers inside a network that use one or two to reach the rest of the mesh, but that is highly unlikely)

1 Like

Hi @anshPathak, welcome to the community and to OpenZiti!

To build on what Mike wrote... Realistically, all routers are the same. They all have the same functionality, but depending on how you configure the router it has different functions. There are a few common deployment modes though. You'll often see them referenced like this:

  • "Fabric" Routers. These are routers that are dedicated exclusively to the fabric mesh network. They are not servicing SDK clients. These routers won't have a binding:edge listener, they'll only have link listeners/dialers configured.
  • "Edge" Routers. This should be the preferred deployment model. Routers configured with listeners of binding:edge have the "edge" enabled on them. These routers service SDK clients but are also capable of participating as part of the overlay as well, and do by default.
  • "Private" Routers. These are routers usually placed in "trusted" networks for "ZTNA" situations, or for edge clients to onboard to the fabric as quickly/closely as possible. In general, I would not recommend you enable these types of routers to be "link listeners" until you understand how to provision the overlay expertly.
1 Like

@TheLumberjack have some follow up questions:

1- So in what scenario can we use fabric routers , is it possible to work with network with just one fabric router ?? (I don't know think so because I think it will give errors saying it cant create terminators so we would be even use it , to just talk to controller for some purpose ?)
That was the error @qrkourier solved for me in a session

2 - If the private router does not have listener , how does it listen because the network works with just with private router also and in what cases they might not work ?

3 - Can we configure egress tunnels with the same tunnel using as a service in linux or device installation is compulsory

4 - if I have 1000 different network and keep one public router and just deploy egress tunnels on all other different networks will that work and should I do that in production ?
@PhilipGriffiths has a related explanation at start during the call, but now I'm able to reason and question the concepts well

  1. If you don't want edge connections, you can disable edge connections and use the router for nothing but data transit from one router to another. every overlay network needs at least one edge router for it to "do" anything (else you'll have no way for clients/sdks to use/connect to the overlay)

  2. There are two types of listeners: link and edge. If you turn both off, your router is entirely useless. If you turn off link, other routers can't link to this router (but that router could dial other routers to form links). If you turn off the edge listener, the router is not usable for edge connections.

  3. This should be a different question probabaly. I also don't understand the question. Could you try to reword it?

  4. It's impossible for me to say "it'll work" but you can have 1000 private edge routers all connect to one single public edge router but that's obviously not "a great idea". If the services are configured correctly, yes it'll 'work'. Should you do it in production? I mean, I wouldn't, I'd have "numerous" public routers but that's up to you.

thanks for clearup .

2 - ok no worries , I just went through Service Topologies | OpenZiti and saw its just an another tunnel


Let's say I create some bunch of private and public routers , can I control which router should dial to which one ?
I think we do it via edge-router-policy ?

You control which routers can link-dial or link-listen and you can further refine/control which routers dial which routers through link groups.

edge router policies and service edge router polieis are not used to control router linking, it's entirely in the router config file