Hi @PhilipGriffiths . I'm glad you've pinpointed the crux of the issue so succinctly. Thank you for your attention. The problem is actually quite simple, but the scenario is more complex.
I've drawn a simple schematic to illustrate that I now want to connect the school and its multiple laboratories' networks together through a zero-trust architecture. Let me briefly introduce the scenario I'm facing:
The school network is a hybrid cloud that includes both public and private clouds, isolated from each other by a firewall (the actual network topology is more complex, but the diagram has been simplified to explain the issue at hand). Considering the exposure of risk surfaces and the convergence of hacker intrusion paths, the school's network security regulations stipulate that WEB applications containing sensitive data in the private cloud are not allowed to connect to the Internet. This is understandable, as systems like the campus's educational grading system, teaching material management system, and fire monitoring system should not and do not need to be exposed to the Internet. Meanwhile, the school's official website is hosted on the school's public cloud, accessible to the internet. At the same time, some laboratory organizations also need to access the school's experimental data (public cloud).
As shown in the diagram, the zero-trust design is implemented through ZITI, where Private-web1 is not allowed to connect directly to the Internet. My idea is to use a host that can connect to the Internet (with non-sensitive data, after registration) as an intermediate Agent, manually configuring it as a NAT router or a bridging network node. Other Private-web applications would then configure their routes to point to this Agent, solely to allow the ZITI-SDK on Private-web1 to access the ZITI-Controller.
However, there is a drawback to this approach. It's akin to exploiting a loophole in the school's network security regulations, as it effectively opens up a Layer 3 network channel that is not converged into ZITI's zero-trust architecture. If a hacker were to compromise the Private-web host, they could access the Internet without going through ZITI (for example, by downloading more hacking tools, Trojans, etc.), and even if ZITI policies cut off Private-web or the Ziti router, it would be too late, requiring manual disconnection of the relevant network connections (such as shutting down the Agent).
If ZITI supported a Broker mode, it would be possible to install a ZITI-BROKER-ROUTER on the Agent host, forcing all traffic from terminals connected to the private cloud, such as Private-web and IOT-Router, to go through ZITI's encrypted links. If the Private-web host were compromised, hackers would not be able to bypass ZITI to access the Internet, significantly reducing the exposure surface. Moreover, if a problem is detected, it could be directly cut off from the Controller via the BROKER.
I am a newcomer to the fields of network security, zero trust, and PKI encryption, and I apologize if my questions seem basic or naive, or if they have already been discussed. However, I believe that hybrid cloud scenarios or similar security domain partitioning scenarios are quite common. Are there better solutions that do not require opening up a Layer 3 network, yet allow isolated hosts to access the Controller?
Thank you again.