Ziti overlay network and reverse proxy public DNS redirection

In my first post here recently I asked questions and got some fantastic help from you all on migrating from the following basic network architecture to a Ziti overlay network- here is that basic diagram for reference in the context of this question:

One of the basic tenets of this lab network is to be as fully self-hosted as possible. My plan is to use the new hardware I’ve acquired to install a ziti controller in the DMZ where that reverse proxy previously served and redirected all of my externally available services. I’ve done some experimentation with using CloudZiTi, but the overall intent here is to self-host, so I’m now going with that approach.

My question(s) are about how to best go about migrating from my current state to a Zitified version, specifically regarding the previous functions of my reverse proxy and the way I would like DNS to work in this environment, both on the “internal” network and externally from the Internet. I’ve watched and read all I can on understanding the private DNS aspects of a ZiTi environment, and that’s great and I believe I understand that topic, but I also need to represent hosts outside to the Internet at large.

At the moment, for the sake of discussion, let’s say I have a few hosts running about 25 different services. Each of these services runs on only 3 IP addresses (VM’s and Docker containers) with each service using its own port to differentiate the web app addressing. I represent each web app with a unique DNS hostname and the reverse proxy provides the redirection to a specific port on a shared IP address. My question is, do I still need to run my reverse proxy to do this DNS redirection, or can the edge router intercept this without a separate reverse proxy and take a request for a DNS hostname and redirect it to a shared IP and port combo for a user downstream? In general I’m trying to understand which of my traditional pre-ZiTi services are unnecessary and how to re-architect DNS overall in this environment. I use a number of public top level domains and this particular network is represented by a subdomain with all traffic for that subdomain pointing to a single Internet IP address. Without a reverse proxy past that point, can some ZiTi component take over and handle redirecting and resolving for me? It’s fine if the reverse proxy is still worth having for redirection, but I would rather drop that layer of complexity if it’s no longer needed and I haven’t gotten my head around this aspect yet.

I tend to feel like I don’t state these questions well the first time and may have to edit this to make more sense, so please ask for clarification if I’m not making sense here in the first go.

Thanks!

-John

Hiya @jfj,

Lots of questions packed in there! :slight_smile:

Can we start with a fundamental question: Are you willing (and able) to install an OpenZiti tunneler on every machine that needs to access your services? It might be best to take this one step at a time, one use case at a time. Maybe we can start with one single, prototypical type service you want to access and go from there?

In my opinion, once you do one, the pattern is almost always the same for the other services… Sure, there are times when you’ll want to tweak things here/there… But I think if we just start with one and nail that design, it’ll be educational and things might ‘click’?

Would that work for you, if we start with those first two clarifying questions?

  • Are you planning/willing to install “client side” software or not?
  • Can we start with just one service, nail the architecture/design and go from there?
1 Like

Hi and thanks for the response. Yes, that approach makes sense for walking through this for the purposes of helping me grasp things better! On the other hand, unfortunately, I think the answer to your question is that most of these will be accessed by users with the ZDE client, but a few I would really REALLY love to offer through BrowZer, although I know I’m getting ahead of myself on that one as a noob.

By “installing an OpenZiti tunneler on every machine that needs access to your services”, is the ZDE or Android / iPhone client what you mean? If so, we can definitely start there. Here are the potential exceptions and issues with that for this use case:

  1. Some of the “users” of these services will be accessing them through IoT devices which can’t run the client, such as, for example, a roku streaming stick pointing to a Jellyfin server I host on this network.
  2. A follow-on question, if we’re going to get this up and running in the first iteration starting with users who can run a ZDE client on a device, is what my best self-hosted open source options for an OIDC IDP solution should be. The good news is that I can choose that solution and architect it in this environment based on what is best and easiest for OpenZiti- the bad news is that I don’t have one yet so I may need to back off on this and start with that. (?)
  3. I’m currently following this set of instructions to get started, btw: Host OpenZiti Anywhere | OpenZiti

I have a talent for unsimplifying anything, as you can see. :grin: Thanks in advance for your patience, my experience with the NetFoundry folks has been really great so far and I appreciate you.

-John

Yes exactly. Sounds like "usually fine, with exceptions". The clients with a tunneler app installed (Ziti Desktop Edge for Mac/Windows or Ziti Mobile Edge for Android/iOS) will be easy... You'd just install that and use ziti's private DNS features... That would be the "zero trust host access" model - meaning some locally installed software will intercept the traffic and get it onto ziti, after that the overlay will do its thing...

For things like a roku streaming stick and the like, can you install an OpenZiti edge router at that network location? I would HOPE so... And if so, then you'd want to use OpenZiti as a local gateway. You can read about that here: Local Gateway | OpenZiti or watch Robert talk / demonstrate those pages on youtube here: https://www.youtube.com/watch?v=H0qGRBMGNIA

Right now, none of the tunneling clients will allow you to access the overlay network via an OIDC flow. We've talked about enabling it, but it's never been a priority for anyone. Instead, there's a one-time enrollment process one follows. Personally, I think that's better but... I can understand the allure of allowing an OIDC type flow... If you're talking about the apps you want to enable over OpenZiti, well then it won't matter at all. You can use whatever OIDC provider you like, I generally use KeyCloak since they have good doc and it's popular but there are other good ones to pick from (I'll try to find the other two, their names escape me right now)

I think that answers the questions for now and might give you the information you need. But I'll stop here, let you read/follow up and we'll keep going from here. (I'm gonna be in a meeting for a bit but will check back in a few)

1 Like
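To make the "tunneler plus private DNS" model above concrete, here is an added example (not code from this thread or from the OpenZiti project) that translates a reverse proxy's hostname-to-IP:port table into the intercept.v1 / host.v1 config pairs and `ziti edge create` commands that replace it. The hostnames, IPs, ports and the role attributes `#lab-users` / `#lab-router` are constructed assumptions.

```python
"""Translate a reverse-proxy vhost table into OpenZiti service configs (added example)."""
import json
import shlex

# Constructed sample of the reverse proxy's routing table: hostname -> (shared IP, port).
VHOSTS = {
    "jellyfin.lab.example": ("10.0.0.5", 8096),
    "grafana.lab.example": ("10.0.0.5", 3000),
    "wiki.lab.example": ("10.0.0.6", 8080),
}

def service_name(hostname):
    """Use the first DNS label as the Ziti service name (assumed naming convention)."""
    return hostname.split(".")[0]

def ziti_configs(vhosts, intercept_port=443):
    """Return {service: (intercept.v1, host.v1)} for each vhost.

    Raises if two hostnames share one backend ip:port: the proxy must then be
    routing on the Host header, which a plain host.v1 config cannot reproduce.
    """
    backends, configs = {}, {}
    for hostname, (ip, port) in vhosts.items():
        if (ip, port) in backends:
            raise ValueError(f"{hostname} and {backends[(ip, port)]} both map to {ip}:{port}")
        backends[(ip, port)] = hostname
        intercept = {  # answered by the tunneler's private DNS on the client
            "protocols": ["tcp"],
            "addresses": [hostname],
            "portRanges": [{"low": intercept_port, "high": intercept_port}],
        }
        host = {"protocol": "tcp", "address": ip, "port": port}  # dialed by the hosting identity
        configs[service_name(hostname)] = (intercept, host)
    return configs

def ziti_cli(configs, client_role="#lab-users", host_role="#lab-router"):
    """Emit the ziti CLI commands; the role attributes are assumed names, not required ones."""
    lines = []
    for svc, (intercept, host) in configs.items():
        lines.append(f"ziti edge create config {svc}-intercept intercept.v1 {shlex.quote(json.dumps(intercept))}")
        lines.append(f"ziti edge create config {svc}-host host.v1 {shlex.quote(json.dumps(host))}")
        lines.append(f"ziti edge create service {svc} --configs {svc}-intercept,{svc}-host")
        lines.append(f"ziti edge create service-policy {svc}-dial Dial --service-roles @{svc} --identity-roles {shlex.quote(client_role)}")
        lines.append(f"ziti edge create service-policy {svc}-bind Bind --service-roles @{svc} --identity-roles {shlex.quote(host_role)}")
    return lines

if __name__ == "__main__":
    print("\n".join(ziti_cli(ziti_configs(VHOSTS))))
```

With these in place the client resolves `jellyfin.lab.example` through the tunneler and never needs the proxy's hostname-to-port redirection; the Bind policy must target whichever identity (typically an edge router or a tunneler near the backend) can reach the private IP.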

OK that’s helpful and interesting. Let’s dive a little deeper into this exception scenario first, just for my own education at this stage before we get back to the larger and more relevant questions for the rest of these services. If I have services which would be accessed from the Internet by IoT devices which cannot run Ziti tunnelers/clients locally and I also can’t run an edge router on their networks, is that the end of the road for that service? Jellyfin client streaming to various IoT endpoints is a perfect example to understand this limitation as a concept. I also have similar use cases for business clients which this example could represent (although not for media streaming, of course) so I’m curious to understand whether or not something like BrowZer could mitigate this need and bring it into the fold. There are many cases where a client or edge router on a client network are simply not possible. Does that mean that I will have a list of services which I still need to use some sort of old-world non Ziti access process, like my existing reverse proxy and firewall only setup? I’m just trying to understand the conceptual limitations for an example use case which has real-life business implications as well, although for this lab and education project it’s easy to discount the importance of keeping your media streaming zero trust. Or is there some way to intercept this at my own edge router and make it work, even if the IoT to edge router session is less secure? (which is basically what I’d have to do with a separate reverse proxy)

Let’s call this a fork of the conversation and I’ll get back to the main topic in a separate reply. No hurry on this. My goal is to learn and minimize time wasted on futile experiments for now. Thanks!

Not the end of the road, no but you'd "probably" want to use zrok for that since this is exactly what zrok accomplishes. It allows you to make a public URL that takes you to a private resource. Quick demo I did for a different discourse post that shows it in action. It's built on top of OpenZiti but not quite "integrated" fully with OpenZiti just yet. There are backlog items to allow zrok to play more tightly with OpenZiti but it gives you the idea... It's basically pretty close to the same thing as the reverse proxy you already have set up, kinda mostly.... I dunno if that will add confusion to your learning, it might! But maybe it'll just click with you... The big difference is you could keep your proxy in the dmz and STILL keep inbound firewall rules closed. You don't have to have an inbound 'hole' in the firewall to allow the proxy to send data to the target service... Maybe a couple of diagrams help


Classic approach (inbound hole from DMZ to private service)

"DMZ" established, hole in firewall forwarding traffic to proxy. Hole in "private network" firewall allowing traffic in from DMZ to specified apps

zrok 'proxy' (no inbound firewall holes)

"DMZ" established, hole in firewall forwarding traffic to zrok front end. NO Hole in "private network" firewall allowing traffic in from DMZ to specified apps. zrok attaches outbound to edge router

You should be able to accomplish this with zrok v0.4 (not 0.3). You'll also have to have one instance of zrok running per service (right now, another backlog item to do 'n' services per zrok instance exists)

BrowZer

BrowZer definitely changes the equation, but I'm not sure if it'd run on a Roku... Here you have no proxy, no zrok frontend but instead BrowZer is able to communicate to the 'public' edge router (I'm intentionally leaving out some BrowZer bits for simplicity's sake) Here though, anything running a simple web browser should be able to access web content without the need to install client-side software.

I think I answered this by now? I hope? If not, lemme know... So "yes and no"...

Yes you can do this too! @NicFragale does exactly this on his home network if you have the right kind of router... :slight_smile: Nic, did you write that up somewhere? This is also exactly what that video I showed before can do. We'd refer to that as "zero trust network access" meaning, you still trust the local network to a decent extent.

Hopefully this helps

1 Like

Sure did @TheLumberjack . Hey @jfj are you running OpenWRT by chance on your router?

Awesome and perfect info there, thanks so much! Lots of homework to do now and I’ll be back at my next point of confusion! :nerd_face:

@NicFragale I’m actually running pfsense on dedicated hardware in this lab, but most of my commercial use cases are running AWS Network Firewall and WAF, so I’m trying to make sure I learn what’s necessary in all scenarios from an education perspective and don’t focus too much on the lab use case areas that are not going to be used in non-experimental implementations in the future. But anyway, in the lab for this at my office in this first trial it runs pfsense.

OK, Clint, so how do I get in the closed beta to take your advice above and try out zrok 0.4 as instructed!? :nerd_face: I see that it shows as closed beta unless we go back to 0.36 or earlier.

Send an email to invite@zrok.io and I'll hook you up!

1 Like