Ziti as default gateway for all web traffic

I have seen conversations referring to gateways, but I can’t quite tell what the intent was in each case, and I might be mixing up my taxonomy, so I thought I would ask with a graphic for my tiny brain.

Can I direct ALL internet traffic through the fabric?

"Why would you want to do that?", you may ask. I am glad you asked. I would like to control the route of traffic over a known overlay network. Then capture the traffic data using Ziti’s Prometheus support. Is that a good idea? I don’t know. But I can tell you that the commercial SASE/ZTNA tools pretty much all work this way by default, and you have to create an explicit exclusion to make it a split tunnel and not a full tunnel.


Yes you can. Ziti can be set up to intercept very coarsely, such as 0.0.0.0/0. I know @mike.gorman has some insights and opinions on this. Some work is also being done by @rcsoleng with ZFW which could be relevant to your thoughts.


Yes, we’ve actually had someone do this to deliver traffic to a security tool set. That which wasn’t captured by other services would enter the “default” service 0.0.0.0/0. It is important in this scenario to track resources such as sockets available for NAT, as the traffic model will be very different. It may also require some more thought than just the default service, depending on what other routing may be needed locally. OpenZiti was built to be embeddable and operate from within applications, which is why it is fundamentally different from the SASE/ZTNA space, but is flexible enough for this sort of application.

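As an added example (not posted in the thread, and not the OpenZiti project's own code), this is what the "default" 0.0.0.0/0 service the replies describe looks like as a pair of Ziti service configs plus the CLI calls to wire them up. The field names are those of the intercept.v1 and host.v1 config types; the service, config and role names (default-route, #clients, #egress) are hypothetical, and the `apply_configs` step assumes a `ziti` CLI already logged in to a controller.

```shell
#!/usr/bin/env bash
# Added example: a catch-all service that intercepts 0.0.0.0/0 on the client
# side and has the hosting side dial whatever destination the client asked for.
# Names below (default-route, #clients, #egress) are hypothetical.
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# Writes the two config documents to OUT_DIR and prints that directory.
write_configs() {
  # Client side (intercept.v1): every TCP/UDP flow to any IPv4 address and any
  # port. Services with more specific intercepts still win, so this only
  # catches what nothing else claimed, i.e. the "default" service in the thread.
  cat > "$OUT_DIR/default-intercept.json" <<'EOF'
{
  "protocols": ["tcp", "udp"],
  "addresses": ["0.0.0.0/0"],
  "portRanges": [{ "low": 1, "high": 65535 }]
}
EOF
  # Hosting side (host.v1): forward the original protocol, address and port
  # rather than a fixed target, bounded by an allow-list that is deliberately
  # just as wide here. Narrow allowedAddresses/allowedPortRanges in practice.
  cat > "$OUT_DIR/default-host.json" <<'EOF'
{
  "forwardProtocol": true,
  "allowedProtocols": ["tcp", "udp"],
  "forwardAddress": true,
  "allowedAddresses": ["0.0.0.0/0"],
  "forwardPort": true,
  "allowedPortRanges": [{ "low": 1, "high": 65535 }]
}
EOF
  echo "$OUT_DIR"
}

# Creates the configs, the service and its policies. Requires a ziti CLI that
# is logged in to the controller; nothing here runs offline.
apply_configs() {
  ziti edge create config default-intercept intercept.v1 -f "$OUT_DIR/default-intercept.json"
  ziti edge create config default-host host.v1 -f "$OUT_DIR/default-host.json"
  ziti edge create service default-route -c default-intercept,default-host
  # Clients may dial the service; only the egress identities may bind (host) it.
  ziti edge create service-policy default-route-dial Dial \
    --service-roles '@default-route' --identity-roles '#clients'
  ziti edge create service-policy default-route-bind Bind \
    --service-roles '@default-route' --identity-roles '#egress'
}

# Usage: ./default-route.sh apply
if [ "${1:-}" = "apply" ]; then
  write_configs >/dev/null
  apply_configs
fi
```

Keep the #clients and #egress roles disjoint: if an identity that hosts this service also holds the Dial policy, its own outbound dials to the real destination fall under the same 0.0.0.0/0 intercept, which is the kind of local-routing problem the second reply warns about. The hosting side is also where the NAT socket budget mentioned above is consumed, since every intercepted flow becomes a fresh outbound connection from the egress identity.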