The OpenZiti Controller is the central function of the OpenZiti Network. The OpenZiti Controller provides the configuration plane. It is responsible for configuring OpenZiti services as well as being the central point for managing the identities used by users, devices and the nodes making up the OpenZiti Network. Lastly but critically, the OpenZiti Controller is responsible for authentication and authorization for every connection in the OpenZiti Network.
The OpenZiti Controller must be configured with public key infrastructure (pki). The configured pki is used to create secure, mutually authenticated TLS (mTLS) network connections between any two pieces of the OpenZiti Network. The OpenZiti Controller does not provide its own pki but for the OpenZiti Controller to sign certificate requests (CSR) the OpenZiti Controller will need to be configured with a key and certificate used for signing. (Optionally, the OpenZiti CLI can be used to generate a pki if needed)
The OpenZiti Controller also supports using a third-party pki should the operator of the OpenZiti Network have an existing pki they wish to reuse. Utilizing a third-party CA pushes the burden of obtaining and distributing properly signed certificates to the operator of the OpenZiti Network but for sophisticated customers this might make overall management of the network easier. The OpenZiti Controller uses a local database based on bbolt to store the information needed to manage the network.
OpenZiti Fabric Router
OpenZiti Fabric Routers are the fundamental building blocks of the OpenZiti Network. These routers are responsible for securely and reliably delivering traffic from one OpenZiti Network node to the traffic’s destination.
Ziti Fabric Routers are linked together to form a mesh network. This mesh is constantly being monitored for latency and the fastest paths are used when routing traffic to the destination. The monitoring also allows for active failover to ensure a reliable network connection even in the case of a node failure.
OpenZiti Edge Router
Another fundamental building block of the OpenZiti Network is the OpenZiti Edge Router. The OpenZiti Edge Router is the entry point for Edge Clients connecting to the OpenZiti Network. The OpenZiti Edge Router is a specialized OpenZiti Router incorporating the functionality of an OpenZiti Router to enable it to route traffic over the OpenZiti Network as an OpenZiti Router would to a given destination.
The OpenZiti Edge Router in combination with the Ziti Controller is responsible for authenticating and authorizing OpenZiti Edge Clients.
OpenZiti Edge Clients
Connecting to the OpenZiti Network requires an OpenZiti Edge Client. Edge Clients are designed to work with both brownfield and greenfield applications.
If the solution being developed includes developing new software OpenZiti offers SDKs targeting various languages and runtimes to provide fast, reliable and secure connectivity. These SDKs provide the capabilities needed to securely connect to the OpenZiti Network and are designed to be easily incorporated into the target application.
When adding secure connectivity to an already existing solution OpenZiti offers specialized Edge Clients called tunnelers which provide seamless, secure connectivity and do not require changes to the target application.
Once the OpenZiti Network is established and deployed the next step is to configure the software-powered network. The three main concepts necessary to configure an OpenZiti Network are: Identities, Services, and Policies.
A service encapsulates the definition of any resource that could be accessed by a client on a traditional network. An OpenZiti Service is defined by a strong, extensible identity, rather than by an expression of an underlay concept. This means that services defined on an OpenZiti Network have an almost limitless "namespace" available for identifying services. An OpenZiti Service is defined by a name and/or a certificate, rather than by a DNS name or an IP address (underlay concepts). Services also declare a node where traffic that exits the OpenZiti Network needs to be sent do before exiting. It’s possible for the node traffic enters to be the same it exits and it’s possible for traffic needing to traverse the OpenZiti Network Routers to reach the correct node. Simply specifying the node is all the end-user need do, the OpenZiti Network handles the rest.
Identities represent individual endpoints in the OpenZiti Network which can establish connectivity. All connections made within the OpenZiti Network are mutually authenticated using X509 Certificates. Every Identity is mapped to a given certificate’s signature. OpenZiti Edge Clients present this certificate when initiating connections to the OpenZiti Network. The presented certificate is used by the OpenZiti Network to authorize the client and enumerate the services the Identity is authorized to use.
Policies control how Identities, Services and Edge Routers are allowed to interact. In order to use a service the identity must be granted access to the service. Also, since all access to a service goes through one more edge routers, both the service and the identity must be granted to access to the same edge router or edge routers.
Entities such as identities, services and edge routers can be added to
policies explicity, either by id or name. Entities can also be tagged
with role attributes. Role attributes are simple strings like
support. Their meaning is decided by the
administrator. Policies can include entities by specifying a set of role
attributes to match.
Service Policies encapsulate the mapping between identities and services in a software-powered network. In the simplest terms, Service Policies are a group of services and a group of identities. The act of adding a service to a Service Policy will grant the identities in that Service Policy access to the given service. Similarly, adding an identity to a Service Policy will grant that identity access to the services mapped in that Service Policy.
Service policies controls both which identities may dial a service (use the service) and which identities may bind a service (provide or host the service). Each Service Policy may either grant dial or bind access, but not both.
Edge Router Policies
Edge Router Policies manage the mapping between identities and edge routers. Edge Router Policies are a group of edge routers and a group of identities. Adding an edge router to an Edge Router Policy will grant the identities in that Edge Router Policy access to the given edge router. Similarly, adding an identity to an Edge Router Policy will grant that identity access to the edge routers mapped in that Edge Router Policy.
Service Edge Router Policies
Service Edge Router Policies manage the mapping between services and edge routers. Service Edge Router Policies are a group of edge routers and a group of services. Adding an edge router to a Service Edge Router Policy will grant the services in that Service Edge Router Policy access to the given edge router. Similarly, adding a service to a Service Edge Router Policy will grant that service access to the edge routers mapped in that Service Edge Router Policy.