Can I use the ziti controller/router with network load balancers? Just a bit of doubt because network load balancers do not support mTLS.
I think ziti does its mTLS internally without needing the load balancer to support it.
Please clear the confusion.
Sure you can, you just need to use a TCP-based load balancer, not an HTTP-based load balancer. You cannot terminate the TLS, or nothing will work.
Generally speaking though, like you said, I don't think there's much use to it and you probably don't want to use it because ziti does take care of it on its own via the fabric.
It's correct that a TCP (layer 4) load balancer will work, and it's also true that it will work with load balancers and reverse proxies that route traffic by server name indication (SNI), so they don't necessarily have to ignore everything above layer 4. Some proxies call this "SSL passthrough" or "TLS passthrough." Those should work just fine. The crucial factor is the proxy must not terminate TLS because it will break the mTLS that Ziti uses for almost everything.
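To make the SNI-passthrough point concrete, here is an added example (not code from this thread or from the OpenZiti project) showing what such a proxy actually does: it reads the hostname out of the cleartext ClientHello and picks a backend from it, never holding a key or decrypting anything. The ClientHello bytes, hostnames and backend addresses are constructed for the example.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

def build_client_hello(sni: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2-style ClientHello carrying one SNI."""
    host = sni.encode()
    name = b"\x00" + struct.pack("!H", len(host)) + host            # host_name type, length, name
    sni_ext_body = struct.pack("!H", len(name)) + name                # server_name_list
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03" + b"\x11" * 32            # client_version + (constructed) random
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                         # one compression method: null
        + struct.pack("!H", len(ext)) + ext   # extensions
    )
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs

def extract_sni(data: bytes):
    """Return the SNI host from a raw ClientHello record, or None if absent or malformed."""
    try:
        if data[0] != TLS_HANDSHAKE or data[5] != CLIENT_HELLO:
            return None
        pos = 9 + 2 + 32                                       # past headers, version, random
        pos += 1 + data[pos]                                   # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]      # cipher_suites
        pos += 1 + data[pos]                                   # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            pos += 4
            if etype == EXT_SERVER_NAME:
                # server_name_list: 2-byte list length, 1-byte name type, 2-byte name length, name
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5 : pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

# Constructed backend map: hostnames and addresses are placeholders, not real deployments.
BACKENDS = {"ctrl.example.com": "10.0.0.10:6262", "router1.example.com": "10.0.0.20:3022"}

def route(data: bytes):
    """Pick a backend from SNI alone; the encrypted payload after the hello is never touched."""
    return BACKENDS.get(extract_sni(data))
```

Anything that is not a ClientHello (an application-data record, say) yields no SNI and no route, which is the behaviour you want from a passthrough proxy that never terminates the mTLS session.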
Thanks for bringing that clarity. So what do you suggest (even though it's clear we can use any of the 2): should I use a network load balancer or classic (which seems to be used commonly in the community)?
Also, given our controller is the single point for all routers across users, looking for scalability terms for the controller.
CLB is simpler, but you should use NLB if you want the expense and features. ALB is not applicable to ziti unless you're using the BrowZer bootstrapper for agentless web browser clients.
You'll get significant DDoS protection with any AWS LB through AWS Shield Standard, with the premium option available in case of a severe incident.
At a glance, most WAF features don't apply to a typical Ziti controller because they operate at layer 7 or involve TLS.