Access Requirements

Understanding The Required Advertise Addresses

Note: A Ziti network cannot pass traffic without active connections to the Ziti controller and at least one edge router. These connections don't necessarily need to be public on the internet, but they need to be reachable from wherever the Ziti clients need to use the Ziti network.

In order to have a functional Ziti network, two key addresses need to be reachable by any client for that network:

  • A controller client advertise address - This is used by clients of the network to establish API sessions and determine available services. When a service dial occurs, the controller is also used to determine the fastest path through the mesh and establish a complete circuit.
  • At least one edge router with an accessible edge advertise address - Clients must also be able to establish a connection to at least one edge router in order to pass traffic. The edge router does not have to run in the same place as the controller, but NetFoundry On-Prem installs an initial router by default for convenience. Additional edge routers can be installed at other locations to optimize performance and improve network durability.

The quickstart.sh script will attempt to install both the ziti-controller and an initial edge router with an edge listener enabled. The installer will create load-balanced Kubernetes services that will need to be mapped with DNS. For example, the ziti-controller helm chart will create a service like the following:

kubectl get services -n ziti

NAME                     TYPE           CLUSTER-IP       EXTERNAL-IP                                                             PORT(S)   AGE
ziti-controller-client   LoadBalancer   172.20.176.136   a6190904c366c4c69882d46069e44e28-12345678.us-east-1.elb.amazonaws.com   443/TCP   14d

If the desired advertise address of the controller is ziti-clients.example.com, a DNS entry will need to be added to map ziti-clients.example.com to a6190904c366c4c69882d46069e44e28-12345678.us-east-1.elb.amazonaws.com.

The above step is dependent on the environment, and the operator must set up DNS manually using whatever DNS registry is available.
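
The DNS step above can be checked before resuming the installer. The shell functions below are an added example, not part of the NetFoundry installer or its documentation: they read the kubectl service table, pick the record type for the advertise address, and confirm the name resolves to the load balancer. The function names, the RESOLVE override and the use of getent are assumptions.

```shell
#!/bin/sh
# Added example: map an advertise address to the load balancer reported by
# `kubectl get services -n ziti`, then verify that DNS points at it.

# Print the EXTERNAL-IP column for service $1 from kubectl table output on stdin.
# Exit 2 if the service is absent, 3 if no load balancer address is assigned yet.
lb_target() {
  awk -v svc="$1" '
    $1 == svc { found = 1; target = $4 }
    END {
      if (!found) exit 2
      if (target == "<pending>" || target == "<none>") exit 3
      print target
    }'
}

# Print the record to create for advertise name $1 and target $2:
# AAAA/A when the load balancer exposes an IP, CNAME when it exposes a hostname.
dns_record() {
  case "$2" in
    *:*)       printf '%s. AAAA %s\n' "$1" "$2" ;;
    *[!0-9.]*) printf '%s. CNAME %s.\n' "$1" "$2" ;;
    *)         printf '%s. A %s\n' "$1" "$2" ;;
  esac
}

# Resolve a name to its sorted, unique addresses.
# Assumption: getent is available; set RESOLVE to another command otherwise.
resolve() {
  ${RESOLVE:-getent ahosts} "$1" | awk '{ print $1 }' | sort -u
}

# Succeed only if advertise name $1 resolves, and to the same addresses as
# target $2. A stale or missing record fails here instead of later in clients.
dns_matches() {
  want=$(resolve "$2")
  got=$(resolve "$1")
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage against a live cluster (values from the example above):
#   target=$(kubectl get services -n ziti | lb_target ziti-controller-client) &&
#     dns_record ziti-clients.example.com "$target"
#   dns_matches ziti-clients.example.com "$target" || echo "DNS not ready" >&2
```

A non-zero exit from lb_target means the load balancer has not been assigned an address yet, so there is nothing to point the DNS record at.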

Once the ziti-controller address is reachable, the installer script can be resumed and will prompt for edge router installation, as well as additional installation options.