Ziti edge host configurations

Quick note to find out more about the "host.v1" and "host.v2" configurations

this is how "host.v1" is used in the Postgres demo

ziti edge create config private-postgres-host.v1 host.v1 '{"protocol":"tcp", "address":"postgres-db","port":5432 }'

this is how "host.v1" is used to make ZAC dark

ziti edge create config zac.host.v1 host.v1 '{"protocol":"tcp", "address":"localhost", "port":8888, "listenOptions": {"bindUsingEdgeIdentity":true}}'

When you compare these two examples, a few things pop out

different addresses

  • the dark ZAC example uses the address: localhost
  • the dark ZAC postgres example uses the address: postgres-db (name of the postgres db server)

this confused me for a while, though I can see why they are different but don't really understand it 100%

bindUsingEdgeIdentity setting

  • used by the ZAC example
  • not used by the postgres example

main takeaways

  • what is the "host.v2" config used for.. is there anything specific to keep in mind?
  • what other addresses can be used other than localhost, db service name.. or external IP address

When making ZAC Dark, I've tried to use the external IP address and it worked.

If you're making ZAC dark and you can get to ZAC via the 'external' IP address you might need to turn the firewall ACL back to deny on the ZAC port. You shouldn't be able to do that :slight_smile:


The host.v1 config is referring to the server, hostname, IP address to use that is relative to where the traffic leaves ziti. The postgres demo uses docker-compose, and there's a network alias for "postgres-db" in the docker compose file. The traffic leaves the router and a connection is made on the underlay to "postgres-db". Docker DNS resolves "postgres-db" to "whatever" the IP address is, and then docker routes the packets to the proper place. For ZAC - you're deploying everything locally (controller, router, and zac) so relative to the router, you can get to the ZAC at "localhost". I can make a diagram if you need one, in case this still isn't clear.

I would expect NEITHER example to use bindUsingEdgeIdentity. You don't need that at all. It should be set to false for both. This is for the 'addressable terminators' functionality and is used in the zssh demo - not making ZAC dark.

A "host.v2" is just an array of "host.v1" configurations. I'd steer clear of host.v2, you probably won't need that until you know you do.... :slight_smile:

The key question here from me is "for what". To access ZAC? You can use 127.0.0.1 (or really anything in the 127.0.0.0/8 address space), localhost, the private IP of the device, the public IP, the hostname of the device. It all depends on how you start ZAC but by default you could use any of those things. The key is what I wrote above. The value must be addressable from wherever you're exiting the OpenZiti overlay. Hopefully that makes sense.

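The rule in the reply above, that the host.v1 address must be addressable from wherever traffic exits the overlay, can be checked directly on that machine. The following is an added example, not code from this thread or from the OpenZiti project; `check_host_v1` is a hypothetical helper, meant to be run on the host of the router or tunneler that terminates the service, and it probes TCP only.

```python
import json
import socket

def check_host_v1(config_json, timeout=2.0):
    """Resolve and probe a host.v1 "address"/"port" from THIS machine.

    Run it where traffic leaves the overlay: a name such as "postgres-db"
    only resolves where that DNS alias exists (e.g. inside the compose network).
    """
    cfg = json.loads(config_json)
    result = {"address": cfg["address"], "port": cfg["port"],
              "resolved": [], "reachable": False, "notes": []}
    if cfg.get("protocol") != "tcp":
        result["notes"].append("only tcp is probed by this sketch")
        return result
    if cfg.get("listenOptions", {}).get("bindUsingEdgeIdentity"):
        result["notes"].append("bindUsingEdgeIdentity is set; the reply above "
                               "says it is for addressable terminators")
    try:
        infos = socket.getaddrinfo(cfg["address"], cfg["port"],
                                   type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result["notes"].append(f"name does not resolve here: {exc}")
        return result
    result["resolved"] = sorted({info[4][0] for info in infos})
    for family, socktype, proto, _, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            result["reachable"] = True
            break
        except OSError as exc:
            result["notes"].append(f"{sockaddr[0]}: {exc}")
    return result

if __name__ == "__main__":
    # Constructed sample: the ZAC config from this thread without listenOptions.
    sample = '{"protocol":"tcp", "address":"localhost", "port":8888}'
    print(json.dumps(check_host_v1(sample), indent=2))
```

A result with `resolved` empty means the name is not known on this machine; `resolved` filled but `reachable` false means the name is fine and the port is closed or filtered from here.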

This was the missing piece.. all clear now :slight_smile:

Thx also for a brief overview of v2.. and comments re bindUsingEdgeIdentity :slight_smile:

I aim to sharpen the saw each day.
