Ziti-edge-tunnel data flows

Hiya.

I've been working on an OpenZiti project with some good success so far, but I'm new to Ziti and finding it tricky to configure exactly as I require. At the moment I'm just POC'ing.

I have many Ubuntu servers running on networks behind firewalls. I'm hoping to build a Ziti network where the remote Ubuntu servers expose their SSH service on TCP 22 to the Ziti network and I am able to SSH into them from my workstation-specific identity, also connected to the Ziti network. The Ubuntu servers should not be able to SSH between each other.

My current Ziti configuration achieves this; however, I've got a few questions about the data flows.

I've got four VMs running on my local network, and there are no firewalls to worry about for now.

The Ziti Controller is running on VM ziti-controller:443 and an edge router running on VM ziti-router:443.

Then I've got ziti-edge-tunnel running on two separate VMs called ziti-client-a and ziti-client-b. They use identities called ziti-client-a.example.ziti and ziti-client-b.example.ziti.

The controller and router are speaking to each other. I can enrol the two ziti-edge-tunnel VMs. Everything is "online".

I use an identity called user_1.example.ziti on my workstation, which I connect to the Ziti network with another ziti-edge-tunnel.

My intercept, host and service policy configurations allow me to SSH from my workstation to ziti-client-a or ziti-client-b via the Ziti network by using their identity names as the subdomain of the FQDN, like so...

ssh user@ziti-client-a.example.ziti

All good so far.

I'm a little confused about the data flows. When I run a tcpdump on one of my servers running ziti-edge-tunnel I can see that it's speaking to both the Ziti controller and the Ziti router on 443. Is that expected? What I was expecting/hoping is that ziti-edge-tunnel connects to only one public FQDN. Is that possible/logical?

Following is my Controller install script...

#!/bin/bash

# A script to install the OpenZiti controller and console on a VM.
# The router is installed by the separate router script (see below); this script
# pauses and waits for it before creating policies and identities.

# https://openziti.io/docs/guides/deployments/linux/controller/deploy
# https://openziti.io/docs/guides/deployments/linux/router/deploy
# https://openziti.io/docs/guides/deployments/linux/console

_ZITI_CONTROLLER_NAME="ziti-controller"
_ZITI_ROUTER_NAME="ziti-router"
_ZITI_CONTROLLER_LISTEN_PORT=443
_ZITI_ROUTER_LISTEN_PORT=443
_ZITI_USER="admin"
_ZITI_PWD="password"   # POC placeholder only: use a strong admin password, it is written to bootstrap.env

# OneLiner Ziti Controller installer
curl -sS https://get.openziti.io/install.bash | sudo bash -s openziti-controller

# Install Ziti console.
apt-get update
apt-get install -y openziti-console

# Write the Ziti Controller config
tee /opt/openziti/etc/controller/bootstrap.env &> /dev/null << EOF
ZITI_CTRL_ADVERTISED_ADDRESS='${_ZITI_CONTROLLER_NAME}'
ZITI_CTRL_ADVERTISED_PORT='${_ZITI_CONTROLLER_LISTEN_PORT}'
ZITI_USER='${_ZITI_USER}'
ZITI_PWD='${_ZITI_PWD}'
ZITI_BOOTSTRAP_CONFIG_ARGS=''
EOF

# Run the Ziti controller configure script
/opt/openziti/etc/controller/bootstrap.bash

# Not required: bootstrap.bash above already generates the controller config from
# bootstrap.env, so these are left commented out.
# ziti create config controller
# ziti create config environment

systemctl enable --now ziti-controller.service

echo
echo "Run router installer on ziti-router then press enter to continue..."
echo
read

# Set up policies, services, etc
ziti edge login -u ${_ZITI_USER} -p ${_ZITI_PWD} ${_ZITI_CONTROLLER_NAME}:${_ZITI_CONTROLLER_LISTEN_PORT} --yes

ziti edge create service-edge-router-policy all --service-roles '#all' --edge-router-roles '#all'
ziti edge create edge-router-policy all --edge-router-roles '#all' --identity-roles '#all'

ziti edge create config example.ssh.cfg.intercept intercept.v1 '{
    "addresses": ["*.example.ziti"],
    "protocols": ["tcp"],
    "portRanges": [ {"low":22,"high":22} ],
    "dialOptions": { "identity": "$dst_hostname" }
}'

ziti edge create config example.ssh.cfg.host host.v1 '{
    "address": "127.0.0.1",
    "protocol": "tcp",
    "port": 22,
    "listenOptions": { "identity": "$tunneler_id.name" }
}'

ziti edge create service example.ssh \
  --configs example.ssh.cfg.intercept,example.ssh.cfg.host \
  --role-attributes admin,ssh

# Role matching in a service policy defaults to AnyOf, so "#example,#admin" would let
# every identity tagged #example (the servers included) dial the SSH service, which
# contradicts the requirement that the servers cannot SSH to each other.
# AllOf requires both attributes: example AND admin to dial, example AND ssh to bind.
ziti edge create service-policy example.ssh.dial Dial --semantic AllOf --identity-roles "#example,#admin" --service-roles "@example.ssh"
ziti edge create service-policy example.ssh.bind Bind --semantic AllOf --identity-roles "#example,#ssh" --service-roles "@example.ssh"

# Create "identities"
# Create an Admin user identity that can do everything.
ziti edge create identity user_1.example.ziti --role-attributes example,ssh,admin -o user_1.example.ziti.jwt

# Create some device identities.
ziti edge create identity ziti-client-a.example.ziti --role-attributes example,ssh -o ziti-client-a.example.ziti.jwt
ziti edge create identity ziti-client-b.example.ziti --role-attributes example,ssh -o ziti-client-b.example.ziti.jwt

And here is my router config...

#!/bin/bash

# A script to install OpenZiti router on a VM

_ZITI_CONTROLLER_NAME="ziti-controller"
_ZITI_ROUTER_NAME="ziti-router"
_ZITI_CONTROLLER_LISTEN_PORT=443
_ZITI_ROUTER_LISTEN_PORT=443
_ZITI_USER="admin"
_ZITI_PWD="password"

# OneLiner Ziti Router installer
curl -sS https://get.openziti.io/install.bash | sudo bash -s openziti-router

# Router setup https://openziti.io/docs/guides/deployments/linux/router/cli-mgmt/#create-a-router
ziti edge login -u ${_ZITI_USER} -p ${_ZITI_PWD} ${_ZITI_CONTROLLER_NAME}:${_ZITI_CONTROLLER_LISTEN_PORT} --yes

# Create an edge-router
# Write the enrollment JWT to the absolute path that bootstrap.env below refers to,
# so the script does not depend on the directory it is run from.
ziti edge create edge-router "ssh-edge-router" --jwt-output-file /root/ssh-edge-router.jwt --tunneler-enabled

# The router must advertise ITS OWN name (ziti-router), not the controller's; clients
# dial ZITI_ROUTER_ADVERTISED_ADDRESS:ZITI_ROUTER_PORT for their edge connections.
tee /opt/openziti/etc/router/bootstrap.env &>/dev/null <<EOF
ZITI_CTRL_ADVERTISED_ADDRESS='${_ZITI_CONTROLLER_NAME}'
ZITI_CTRL_ADVERTISED_PORT='${_ZITI_CONTROLLER_LISTEN_PORT}'
ZITI_ROUTER_ADVERTISED_ADDRESS='${_ZITI_ROUTER_NAME}'
ZITI_ROUTER_PORT='${_ZITI_ROUTER_LISTEN_PORT}'
ZITI_ENROLL_TOKEN='/root/ssh-edge-router.jwt'
ZITI_BOOTSTRAP_CONFIG_ARGS=''
EOF

# systemd override: the service runs as an unprivileged user, so binding the
# privileged port 443 needs CAP_NET_BIND_SERVICE. Create the drop-in directory
# first, otherwise tee fails if the package did not ship one.
mkdir -p /etc/systemd/system/ziti-router.service.d
tee /etc/systemd/system/ziti-router.service.d/override.conf &>/dev/null <<EOF
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
EOF

systemctl daemon-reload

# Run the Ziti Router configure script 
/opt/openziti/etc/router/bootstrap.bash

systemctl enable --now ziti-router.service

Thanks in advance for your help!

Hi @farmhouse, welcome to the community and to OpenZiti!

It seems like you have things well in hand so far. You seem to have two different questions:

Clients always need to communicate with the controller for a myriad of reasons, so it is entirely expected to see any given client sending traffic to the controller. Clients send data through routers, so it makes sense that any given client also sends traffic to routers. As for port 443, that's just whatever port you set it to, so sure, 443 makes sense. I'm not sure if that is what you're looking for or not, but if not, follow back up here and I'll add extra details...

You can certainly use one FQDN if you want to use different ports. You can probe my environment if you like; it's set up to use alt server certs too, so you can get to:

All the ports are on the same FQDN in this deployment. If you want to use THE SAME PORT (port 443) then you cannot use the same FQDN. You'll need to use SNI behind a proxy at that point. Hopefully that all makes sense?
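As a worked illustration of the "same port, different names, SNI behind a proxy" arrangement described in the reply above, here is an added example (it is not from the original post or from the OpenZiti project) of an nginx `stream` block that fronts both the controller and the edge router on one public IP:443 and routes by SNI. The names ctrl.example.com and router.example.com and the backend addresses 10.0.0.10:443 and 10.0.0.11:443 are assumed placeholders for the ziti-controller and ziti-router VMs.

```nginx
# Added example (not from the original post or the OpenZiti project): one public
# address on TCP 443 fronting both the controller and the edge router, routed by SNI.
# Assumed placeholders: ctrl.example.com, router.example.com, 10.0.0.10, 10.0.0.11.
# Requires nginx built with the stream and stream_ssl_preread modules.

stream {
    # Choose the backend from the TLS ClientHello server_name WITHOUT terminating TLS.
    # Ziti authenticates clients and routers with mTLS, so the proxy must pass the bytes
    # through untouched; a TLS-terminating (HTTPS) proxy would break certificate auth.
    map $ssl_preread_server_name $ziti_backend {
        ctrl.example.com    ziti_controller;   # ZITI_CTRL_ADVERTISED_ADDRESS
        router.example.com  ziti_router;       # ZITI_ROUTER_ADVERTISED_ADDRESS
        # No default on purpose: an unknown or missing SNI leaves $ziti_backend empty,
        # so nginx closes the connection (and logs it) instead of guessing a backend.
    }

    upstream ziti_controller { server 10.0.0.10:443; }   # VM ziti-controller (assumed IP)
    upstream ziti_router     { server 10.0.0.11:443; }   # VM ziti-router (assumed IP)

    server {
        listen 443;                 # the single public port
        ssl_preread on;             # parse the ClientHello, then forward it verbatim
        proxy_pass $ziti_backend;
        proxy_connect_timeout 5s;
        proxy_timeout 1h;           # Ziti channels are long-lived; adjust so idle ones are not cut
    }
}
```

For this to work with the install scripts earlier in the thread, both names must resolve to the proxy's public address, the controller's bootstrap.env would carry ZITI_CTRL_ADVERTISED_ADDRESS='ctrl.example.com' and the router's ZITI_ROUTER_ADVERTISED_ADDRESS='router.example.com', both advertising port 443, so that the certificates the bootstrap generates carry those names. Two caveats a practitioner should keep in mind: SNI is sent in the clear, so an on-path observer still sees which of the two names a client connects to (the same information a tcpdump already reveals when the two hosts have distinct IPs); and the arrangement only works because `ssl_preread` passes TLS through end to end, which is what keeps Ziti's mTLS intact. You can confirm the routing from outside with `openssl s_client -connect <proxy>:443 -servername ctrl.example.com` versus `-servername router.example.com` and compare the server certificates returned.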

Hi @TheLumberjack, thanks for your quick and informative response. All makes sense for now !