undefined | Better HN

0 pointshardwaresofton1y ago0 comments

OpenZiti looks so enticing but it is certainly a completely different world.

Are there many big installations of it? With the vast majority of stuff being written for regular networks I do wonder if the amount of proxies/sidecars becomes unreasonable. Probably not though

0 comments

PLG881y ago

The biggest installation is a cyber security unicorn who whitelabels the commercial version of OpenZiti (NetFoundry) which they are selling to many large enterprises. They have hundreds of thousands of endpoints deployed. There is also a massive OT ICS OEM is embedding NetFoundry into its industrial routers, PLCs, etc for all types of connectivity, including machine to machine in factories. The same technology is being used for tactical military networks, with drones connecting to servers. Its being deployed in critical grid infrastructure. A hyperscaler is adopting it to replace hundreds of thousands of VPNs as well as build a multi-cloud zero trust offering for server to server workloads.

So we have not finished our job to make OpenZiti the equivalent to Linux in that every just uses it by default, but we will get there ;)

You raise an interesting point. We provide flexibility for ingress/egress... do not like proxies/sidecars, go in either opposite direction, (1) ZTAA, Zero Trust App access with SDK app embedded via SDLC, (2) ZTNA, Zero Trust Network Access via appliance deployments in DMZ/VP/VNET etc (the one you mention is ZTHA, Host Access). Each of ZTNA/HA/AA have different pros and cons based on your requirements and use case.

hardwaresoftonOP1y ago

> A hyperscaler is adopting it to replace hundreds of thousands of VPNs as well as build a multi-cloud zero trust offering for server to server workloads.

This one is the most compelling to me! A while back I was building a small cloud provider and this was the use case I was looking really closely at OpenZiti for.

Thanks for sharing!

>You raise an interesting point. We provide flexibility for ingress/egress... do not like proxies/sidecars, go in either opposite direction, (1) ZTAA, Zero Trust App access with SDK app embedded via SDLC, (2) ZTNA, Zero Trust Network Access via appliance deployments in DMZ/VP/VNET etc (the one you mention is ZTHA, Host Access). Each of ZTNA/HA/AA have different pros and cons based on your requirements and use case.

Ah so this would work if:

1) all the apps were my own

2) I was sitting on top of a major cloud/managed colo (I'm just sitting on top of infra providers like hetzner)

The project I was working on is not so active right now but it's still chugging along (I use it)... I was looking at things like OpenZiti as a k8s CNI provider, or used along with something like Cilium/Calico (but then they'd both promise network security in-between workloads and overlap)

PLG881y ago

You could use OpenZiti together with Cilium/Calico, there are some distros, eg., https://kubezt.com/ which do that (though in truth, KubeZT has moved to Istio for E-W, uses OpenZiti for N-S. OpenZiti does a lot of things that service mesh technologies do not, for example, extending outside of the cluster (incl. to non-K8S workloads), allowing closing of inbound FW ports, providing a private DNS outside of cluster, removing the need for VPNs, L4 loadbalancers, MPLS, SDWAN, public DNS etc.

Yes, OpenZiti very much focus on private apps, whether COTS or inhouse developed.

Oh, I should note too, while we have a bunch of ways to deploy OpenZiti on K8S today, we are in the process of building/releasing an admission controller and an ingress controller for OpenZiti.

Whats the project you work on?

1 more reply

j / k navigate · click thread line to collapse

0 comments

PLG881y ago

So we have not finished our job to make OpenZiti the equivalent to Linux in that every just uses it by default, but we will get there ;)

hardwaresoftonOP1y ago

> A hyperscaler is adopting it to replace hundreds of thousands of VPNs as well as build a multi-cloud zero trust offering for server to server workloads.

This one is the most compelling to me! A while back I was building a small cloud provider and this was the use case I was looking really closely at OpenZiti for.

Thanks for sharing!

Ah so this would work if:

1) all the apps were my own

2) I was sitting on top of a major cloud/managed colo (I'm just sitting on top of infra providers like hetzner)

PLG881y ago

Yes, OpenZiti very much focus on private apps, whether COTS or inhouse developed.

Oh, I should note too, while we have a bunch of ways to deploy OpenZiti on K8S today, we are in the process of building/releasing an admission controller and an ingress controller for OpenZiti.

Whats the project you work on?

1 more reply

j / k navigate · click thread line to collapse