What is OpenZiti?
OpenZiti is a zero trust network (ZTN) framework that allows secure communication between services and users without relying on traditional network perimeters. It abstracts connectivity into an identity-based model, ensuring only authorized entities can access specific resources.
Key Features
- Zero Trust Architecture (ZTA)
  - No implicit trust based on IP addresses or network location.
  - Authentication and authorization are enforced for every connection.
- Identity-Based Networking
  - Uses digital identities (certificates, JWTs) to authenticate devices, users, and services.
  - Policies define who/what can connect to which services.
- Overlay Networking
  - Creates a secure overlay network over any existing infrastructure (public cloud, private data centers, edge, etc.).
- Service Abstraction
  - Applications communicate with logical "services" rather than IPs/ports.
  - Services can be load-balanced, hidden, or dynamically scaled.
- Cross-Platform Support
  - SDKs for Go, C, Python, Java, and more.
  - Runs on Linux, Windows, macOS, Kubernetes, IoT devices, and embedded systems.
- Edge-Friendly
  - Lightweight footprint suitable for edge computing and resource-constrained environments.
- API-Driven Management
  - Fully programmable via REST APIs and CLI tools.
Core Components
- Controller: the control plane managing identities, policies, and network topology.
- Router: the data plane that forwards encrypted traffic between endpoints.
- Enrollers: tools/services that issue credentials to new identities.
- SDKs/Clients: used by applications to connect securely to the Ziti network.
Use Cases
- Secure remote access without traditional VPNs.
- Microservices communication in distributed systems.
- Securing IoT device communications.
- Multi-cloud and hybrid cloud networking.
- Zero trust application access for employees or partners.
Getting Started
- Install OpenZiti
  - GitHub: https://github.com/openziti
  - Download binaries or build from source.
- Deploy a Controller and Router
  ```bash
  ziti controller run <config-file>
  ziti router run <config-file>
  ```
- Enroll Identities
  - Use the `ziti` CLI to create and enroll identities for clients and services.
- Create Services and Policies
  - Define services and authorize which identities can access them.
- Connect Clients and Hosts
  - Use SDKs or tunneler apps to connect to the Ziti network.
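The enrollment and policy steps above come down to role-based authorization: a service policy names an action (Dial for the client side, Bind for the hosting side), a list of identity roles and a list of service roles, written with `#attribute`, `@name` and `#all` selectors and combined AnyOf or AllOf. The Go program below is an added example, not OpenZiti's own code: it is a constructed, simplified model of that evaluation with made-up identities, a service and three policies, and it shows that an identity with no matching policy is denied even though it is enrolled.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed, simplified model of OpenZiti service-policy evaluation
// (assumption: not the controller's own code). Role selectors follow the
// CLI syntax: "#attr" matches entities carrying role attribute attr,
// "@name" matches exactly one entity by name, "#all" matches every entity.
// Entity is an identity or a service: both carry a name and role attributes.
type Entity struct {
	Name       string
	Attributes []string
}

// Semantic says how the selectors inside one policy combine.
type Semantic int

const (
	AnyOf Semantic = iota // at least one selector must match (the default)
	AllOf                 // every selector must match
)

type ServicePolicy struct {
	Name          string
	Action        string // "Dial" (client side) or "Bind" (hosting side)
	IdentityRoles []string
	ServiceRoles  []string
	Semantic      Semantic
}

func matchesRole(role string, e Entity) bool {
	switch {
	case role == "#all":
		return true
	case strings.HasPrefix(role, "@"):
		return role[1:] == e.Name
	case strings.HasPrefix(role, "#"):
		for _, a := range e.Attributes {
			if a == role[1:] {
				return true
			}
		}
	}
	return false
}

func matchesRoles(roles []string, sem Semantic, e Entity) bool {
	if len(roles) == 0 {
		return false // an empty selector list grants nothing
	}
	for _, r := range roles {
		ok := matchesRole(r, e)
		if sem == AnyOf && ok {
			return true
		}
		if sem == AllOf && !ok {
			return false
		}
	}
	return sem == AllOf
}

// Authorize returns the names of the policies that let identity perform
// action on service. No match means deny: nothing is trusted implicitly.
func Authorize(policies []ServicePolicy, identity, service Entity, action string) []string {
	var granted []string
	for _, p := range policies {
		if p.Action == action &&
			matchesRoles(p.IdentityRoles, p.Semantic, identity) &&
			matchesRoles(p.ServiceRoles, p.Semantic, service) {
			granted = append(granted, p.Name)
		}
	}
	return granted
}

// SamplePolicies is constructed data mirroring what three
// `ziti edge create service-policy` commands would create.
func SamplePolicies() []ServicePolicy {
	return []ServicePolicy{
		{Name: "db-clients-dial", Action: "Dial", IdentityRoles: []string{"#db-clients"}, ServiceRoles: []string{"#db"}},
		{Name: "db-hosts-bind", Action: "Bind", IdentityRoles: []string{"#db-hosts"}, ServiceRoles: []string{"#db"}},
		{Name: "alice-dial-all", Action: "Dial", IdentityRoles: []string{"@alice"}, ServiceRoles: []string{"#all"}},
	}
}

func main() {
	postgres := Entity{Name: "postgres", Attributes: []string{"db"}}
	alice := Entity{Name: "alice", Attributes: []string{"db-clients"}}
	bob := Entity{Name: "bob", Attributes: []string{"db-hosts"}}
	eve := Entity{Name: "eve"} // enrolled but assigned no attributes
	for _, c := range []struct {
		who    Entity
		action string
	}{{alice, "Dial"}, {bob, "Bind"}, {bob, "Dial"}, {eve, "Dial"}} {
		fmt.Printf("%-5s %-4s %s -> granted by %v\n", c.who.Name, c.action, postgres.Name, Authorize(SamplePolicies(), c.who, postgres, c.action))
	}
}
```

Run it with `go run` to see which policy grants each check: bob can Bind postgres but not Dial it, and eve gets nothing. Against a live network the `ziti edge policy-advisor` command answers the same question for real identities and services.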
Prerequisites for OpenZiti Installation
To successfully deploy and use OpenZiti, you need to meet certain prerequisites depending on your use case (e.g., development, testing, or production deployment). Below is a breakdown of the key prerequisites for getting started with OpenZiti:
1. System Requirements
For Running the OpenZiti Controller and Router:
- Operating System: Linux (preferred), Windows, or macOS
- Architecture: x86_64 or ARM64
- RAM:
  - Minimum: 2GB
  - Recommended: 4GB or more (especially for production)
- CPU:
  - Minimum: 1 core
  - Recommended: 2+ cores
- Disk Space:
  - At least 500MB free (more if running in production or storing logs)
Note: Routers can be run on low-footprint devices like Raspberry Pi for edge deployments.
2. Software Dependencies
General Tools:
- curl or wget: for downloading files
- git: if cloning from GitHub
- make, gcc, and other build tools: if building from source
Runtime Dependencies:
- Go (for building from source):
  - Go version 1.20 or newer
- Docker (optional):
  - If using Docker-based deployment or development containers
3. Networking Prerequisites
For Public Access (Production):
- A public IP address or DNS name for the controller and routers (if exposed externally).
- Open ports:
  - Controller:
    - TCP port for API (default: 1280)
    - WebSocket port (default: 1281)
  - Router:
    - TCP/UDP port for tunneling traffic (default: 3022)
You may need to configure firewalls, cloud security groups, or NAT rules accordingly.
4. Security & Identity Management
- Public Key Infrastructure (PKI):
  - OpenZiti uses mTLS (mutual TLS) for secure communication.
  - You should have a CA (Certificate Authority) configured, or let OpenZiti generate its own during setup.
- Identity Enrollment:
  - Enrolling identities (clients, services, routers) requires access to the controller's enrollment endpoints.
5. Development Prerequisites (Optional)
If you're contributing to or customizing OpenZiti:
- Go Language Environment
- Protobuf Compiler (`protoc`): used for gRPC and message definitions
- Node.js / NPM: for web-based UIs (if applicable)
- Rust toolchain: for some SDKs and components
6. Testing & Demo Setup Prerequisites
For local testing/demo purposes:
- Docker Desktop or Podman
- Vagrant (optional, for VM-based testing)
- Minikube or Kind (Kubernetes in Docker): if testing K8s integration
You can also use pre-built Docker images:
```bash
docker pull openziti/ziti-controller
docker pull openziti/ziti-router
```
7. Optional but Recommended
- DNS Name: for easier access instead of IPs
- TLS Certificate: for securing controller/router APIs (can be self-signed)
- Time Sync: ensure all nodes are synced via NTP (important for certificate validation)
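Two of the items above interact: mTLS (section 4) means every controller, router and identity presents a certificate chained to the network's CA, and time sync matters because that chain check compares the certificate's validity window against the local clock. The Go program below is an added example, not OpenZiti's own PKI code: it builds a throwaway CA and identity certificates (all names are constructed) and runs the verification an mTLS peer would, showing a certificate from a different CA being rejected, and a correct certificate being rejected when the verifier's clock is 48 hours off.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example (assumption: not OpenZiti's own PKI code): a throwaway
// CA, identity certs issued from it, and the chain check an mTLS peer runs.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed CA valid for 24 hours from notBefore.
func NewCA(name string, notBefore time.Time) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueIdentity mints a client-auth certificate for one identity, which is
// what enrollment delivers to a client, service or router.
func (ca *CA) IssueIdentity(name string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    ca.Cert.NotBefore,
		NotAfter:     ca.Cert.NotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyPeer is the check an mTLS server performs on a presented client
// certificate: it must chain to the trusted CA, carry the client-auth
// usage, and be inside its validity window at the server's clock `now`.
// A skewed clock therefore turns a good certificate into a rejected one.
func VerifyPeer(trusted, peer *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	now := time.Now()
	trusted, _ := NewCA("ziti-test-ca", now.Add(-time.Hour))
	rogue, _ := NewCA("rogue-ca", now.Add(-time.Hour))
	alice, _ := trusted.IssueIdentity("alice", 2)
	imposter, _ := rogue.IssueIdentity("alice", 2) // same name, untrusted issuer
	fmt.Println("enrolled identity:", VerifyPeer(trusted.Cert, alice, now))
	fmt.Println("untrusted CA:     ", VerifyPeer(trusted.Cert, imposter, now))
	fmt.Println("clock 48h ahead:  ", VerifyPeer(trusted.Cert, alice, now.Add(48*time.Hour)))
}
```

The first line prints `<nil>` (accepted); the other two print errors. The third case is the one NTP prevents: the certificate is fine, but a node whose clock has drifted outside the validity window will fail to connect, and the log will show a certificate error rather than a clock error.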
Summary Checklist
| Requirement | Description |
|---|---|
| OS Support | Linux (preferred), Windows, macOS |
| Hardware | 1-2 CPU, 2-4 GB RAM |
| Ports Open | Controller (1280, 1281), Router (3022) |
| Certificates | mTLS support (self-signed OK for testing) |
| CLI Tools | Git, curl/wget, make, Docker (optional) |
| Network Access | Public IP or DNS name (for external access) |
Documentation & Community
- Official Docs: https://openziti.io/docs
- Community Forum: https://openziti.discourse.group
- Slack: Join via https://netfoundry.io