Understand service-policy behavior in 1 controller + 2 router topology

I am experimenting with a simple topology that has 1 controller and 2 routers (all on a single WSL2 VM).

One router is a "public" router and runs the edge service on primary-interface:8442 and a link listener on 127.0.0.1:10080. It has the role attribute public-routers.

The other router is a "private router" that runs the edge service on 127.0.0.1:9442 and runs a tunneller in host mode.

A simple http server is running on 127.0.0.1:80 (named wpad.host.zitipoc.com in the /etc/hosts file).

The service configuration is as follows:

./bin/ziti edge create config wpad-intercept-v1 intercept.v1 \
    '{"protocols":["tcp"],"addresses":["wpad.host.zitipoc.com"], "portRanges":[{"low":80, "high":80}]}'

./bin/ziti edge create config wpad-host-v1 host.v1 \
    '{"forwardProtocol": true, "allowedProtocols": ["tcp"], "forwardAddress": true, "allowedAddresses": ["wpad.host.zitipoc.com"], "forwardPort": true, "allowedPortRanges": [{"low" : 80, "high": 80}]}'

./bin/ziti edge create service wpad \
    --configs wpad-intercept-v1,wpad-host-v1 \
    --role-attributes wpad

./bin/ziti edge create service-policy wpad-policy-dial Dial \
    --service-roles "#wpad" --identity-roles '#proxy-clients' --semantic AnyOf

./bin/ziti edge create service-policy wpad-policy-bind Bind \
    --service-roles '#wpad' --identity-roles "#private-routers" --semantic AnyOf

./bin/ziti edge create service-edge-router-policy wpad-service-edge-router-policy \
    --service-roles '#wpad' --edge-router-roles '#public-routers,#private-routers' --semantic AnyOf

./bin/ziti edge create edge-router-policy proxy-clients-edge-router-policy \
    --identity-roles '#proxy-clients' --edge-router-roles '#public-routers' --semantic AnyOf

This configuration does not work. There are no terminators created. The policy advisor complains:

$ ./bin/ziti edge policy-advisor identities
...
ERROR: <private-router-name>
  - Identity does not have access to any services. Adjust service policies.

If I change the bind policy to the following, then things start working (and 2 terminators are created, one for edge using the public router, and the other for tunnel using the private router):

./bin/ziti edge create service-policy wpad-policy-bind Bind \
    --service-roles '#wpad' --identity-roles "#all" --semantic AnyOf

I am unable to understand why the #all identity-role is required in the bind policy. I would only expect to include the routers running the tunneller in the bind policy.

Can you issue:

ziti edge list identities 'name contains "router"'

Let's ensure the router identity has the "private-routers" attribute associated to it. My expectation is that it does not. :)
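To make the reply's suspicion concrete, here is an added example (written for this thread, not OpenZiti's own code) that models how service-policy role selectors resolve to identities. It assumes the usual selector forms ('#all' for every entity, '@name' for one entity by name, '#attr' for entities carrying a role attribute) and the AnyOf/AllOf semantics, and it assumes, as the reply expects, that the private router's identity was never given the private-routers attribute. The identity names and attribute sets are constructed for the example.

```python
"""Model of how role selectors in a ziti service-policy resolve to identities.

Hand-written illustration for this thread; it is not ziti's implementation.
Selectors:  '#all'   matches every identity
            '@name'  matches one identity by name
            '#attr'  matches every identity carrying role attribute 'attr'
Semantic:   'AnyOf'  at least one selector must match
            'AllOf'  every selector must match
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    role_attributes: frozenset = frozenset()


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    policy_type: str        # "Dial" or "Bind"
    identity_roles: tuple   # e.g. ("#private-routers",) or ("#all",)
    semantic: str = "AnyOf"


def selector_matches(selector: str, identity: Identity) -> bool:
    if selector == "#all":
        return True
    if selector.startswith("@"):
        return identity.name == selector[1:]
    if selector.startswith("#"):
        return selector[1:] in identity.role_attributes
    raise ValueError(f"unknown selector syntax: {selector!r}")


def policy_matches(policy: ServicePolicy, identity: Identity) -> bool:
    hits = [selector_matches(s, identity) for s in policy.identity_roles]
    if policy.semantic == "AnyOf":
        return any(hits)
    if policy.semantic == "AllOf":
        return all(hits)
    raise ValueError(f"unknown semantic: {policy.semantic!r}")


def identities_with_access(policy: ServicePolicy, identities) -> set:
    """Names of the identities the policy grants its Dial/Bind right to."""
    return {i.name for i in identities if policy_matches(policy, i)}


# Constructed identities mirroring the topology in the question. The private
# router's identity is assumed to carry NO role attribute, which is what the
# reply suspects and what `ziti edge list identities` would confirm.
PUBLIC_ROUTER = Identity("public-router", frozenset({"public-routers"}))
PRIVATE_ROUTER_UNLABELLED = Identity("private-router", frozenset())
CLIENT = Identity("client-1", frozenset({"proxy-clients"}))
IDENTITIES = [PUBLIC_ROUTER, PRIVATE_ROUTER_UNLABELLED, CLIENT]


def bind_access_as_posted() -> set:
    """Bind policy exactly as in the question: '#private-routers', AnyOf."""
    policy = ServicePolicy("wpad-policy-bind", "Bind", ("#private-routers",))
    return identities_with_access(policy, IDENTITIES)   # -> set()


def bind_access_with_all() -> set:
    """The '#all' workaround: every identity, clients included, may Bind."""
    policy = ServicePolicy("wpad-policy-bind", "Bind", ("#all",))
    return identities_with_access(policy, IDENTITIES)


def bind_access_after_fix() -> set:
    """Same '#private-routers' policy once the router identity has the attribute."""
    fixed_router = Identity("private-router", frozenset({"private-routers"}))
    identities = [PUBLIC_ROUTER, fixed_router, CLIENT]
    policy = ServicePolicy("wpad-policy-bind", "Bind", ("#private-routers",))
    return identities_with_access(policy, identities)   # -> {"private-router"}


if __name__ == "__main__":
    print("as posted :", bind_access_as_posted())
    print("with #all :", bind_access_with_all())
    print("after fix :", bind_access_after_fix())
```

The model reproduces the advisor's complaint: with no identity carrying private-routers, the Bind policy selects nobody, so the private router cannot host the service and no terminator appears. '#all' "works" only because it grants Bind to every identity in the network, including the proxy-clients, which is a far wider grant than intended. The least-privilege fix is to attach the attribute to the router's identity (for example with `ziti edge update identity <router-identity> --role-attributes private-routers`) and keep the policy scoped to '#private-routers'.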