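@startuml
!theme materia-outline
set separator none
top to bottom direction

' Deployment sketch of an OpenZiti overlay spread across four cloud providers:
'   A and B - workloads (APP) with one Ziti Private Router per subnet
'   C       - the Ziti Controller plus a co-located private router
'   D       - two Ziti Edge Routers in separate zones (ZoneA / ZoneB)
' All cross-cloud arrows are drawn from the dialing side (private router) to
' the listening side (edge router / controller).

actor User

package Internet {
  ' No edges are drawn from the user's laptop in this revision of the diagram.
  node "User's Laptop" as laptop {
    component "Ziti Desktop Agent" as ziti_desktop_agent
  }

  package "Cloud Provider A" as clouda {
    package ZoneA as clouda_zonea {
      package VPC as clouda_zonea_vpc1 {
        component VPC_GW as clouda_zonea_vpc1_vpcgw
        package Subnet as clouda_zonea_vpc1_subnet1 {
          node "VM" as clouda_zonea_vpc1_subnet1_vm1 {
            component APP as clouda_zonea_vpc1_subnet1_vm1_app1
          }
          node VM as clouda_zonea_vpc1_subnet1_vm2 {
            component "Ziti Private Router" as clouda_zonea_vpc1_subnet1_vm2_ziti_private_router
          }
        }
        package Subnet as clouda_zonea_vpc1_subnet2 {
          node "VM" as clouda_zonea_vpc1_subnet2_vm1 {
            component APP as clouda_zonea_vpc1_subnet2_vm1_app1
          }
          node VM as clouda_zonea_vpc1_subnet2_vm2 {
            component "Ziti Private Router" as clouda_zonea_vpc1_subnet2_vm2_ziti_private_router
          }
        }
      }
    }
    ' Intra-VPC paths. Label 1 = private router to the APP in its own subnet,
    ' label 2 = private router to the other subnet's APP via the VPC gateway.
    clouda_zonea_vpc1_subnet1_vm2_ziti_private_router <--> clouda_zonea_vpc1_subnet1_vm1_app1 : 1
    clouda_zonea_vpc1_subnet1_vm2_ziti_private_router <--> clouda_zonea_vpc1_vpcgw : 2
    clouda_zonea_vpc1_vpcgw <--> clouda_zonea_vpc1_subnet2_vm1_app1 : 2
    clouda_zonea_vpc1_subnet2_vm2_ziti_private_router <--> clouda_zonea_vpc1_subnet2_vm1_app1 : 1
    clouda_zonea_vpc1_subnet2_vm2_ziti_private_router <--> clouda_zonea_vpc1_vpcgw : 2
    clouda_zonea_vpc1_vpcgw <--> clouda_zonea_vpc1_subnet1_vm1_app1 : 2
  }

  ' Cloud Provider B mirrors Cloud Provider A one-for-one.
  package "Cloud Provider B" as cloudb {
    package ZoneA as cloudb_zonea {
      package VPC as cloudb_zonea_vpc1 {
        component VPC_GW as cloudb_zonea_vpc1_vpcgw
        package Subnet as cloudb_zonea_vpc1_subnet1 {
          node "VM" as cloudb_zonea_vpc1_subnet1_vm1 {
            component APP as cloudb_zonea_vpc1_subnet1_vm1_app1
          }
          node VM as cloudb_zonea_vpc1_subnet1_vm2 {
            component "Ziti Private Router" as cloudb_zonea_vpc1_subnet1_vm2_ziti_private_router
          }
        }
        package Subnet as cloudb_zonea_vpc1_subnet2 {
          node "VM" as cloudb_zonea_vpc1_subnet2_vm1 {
            component APP as cloudb_zonea_vpc1_subnet2_vm1_app1
          }
          node VM as cloudb_zonea_vpc1_subnet2_vm2 {
            component "Ziti Private Router" as cloudb_zonea_vpc1_subnet2_vm2_ziti_private_router
          }
        }
      }
    }
    cloudb_zonea_vpc1_subnet1_vm2_ziti_private_router <--> cloudb_zonea_vpc1_subnet1_vm1_app1 : 1
    cloudb_zonea_vpc1_subnet1_vm2_ziti_private_router <--> cloudb_zonea_vpc1_vpcgw : 2
    cloudb_zonea_vpc1_vpcgw <--> cloudb_zonea_vpc1_subnet2_vm1_app1 : 2
    cloudb_zonea_vpc1_subnet2_vm2_ziti_private_router <--> cloudb_zonea_vpc1_subnet2_vm1_app1 : 1
    cloudb_zonea_vpc1_subnet2_vm2_ziti_private_router <--> cloudb_zonea_vpc1_vpcgw : 2
    cloudb_zonea_vpc1_vpcgw <--> cloudb_zonea_vpc1_subnet1_vm1_app1 : 2
  }

  ' Cloud Provider C hosts the controller. Its private router uses two distinct
  ' channels to the controller: a one-way "api" call and a two-way "tunnel".
  package "Cloud Provider C" as cloudc {
    package ZoneA as cloudc_zonea {
      package VPC as cloudc_zonea_vpc1 {
        package Subnet as cloudc_zonea_vpc1_subnet1 {
          node VM as cloudc_zonea_vpc1_subnet1_vm1 {
            component "Ziti Controller" as cloudc_zonea_vpc1_subnet1_ziti_controller
          }
          node VM as cloudc_zonea_vpc1_subnet1_vm2 {
            component "Ziti Private Router" as cloudc_zonea_vpc1_subnet1_ziti_private_router_1
          }
        }
      }
    }
    cloudc_zonea_vpc1_subnet1_ziti_private_router_1 --> cloudc_zonea_vpc1_subnet1_ziti_controller : api
    cloudc_zonea_vpc1_subnet1_ziti_private_router_1 <--> cloudc_zonea_vpc1_subnet1_ziti_controller : tunnel
  }

  ' Cloud Provider D hosts the two publicly reachable edge routers, one per zone,
  ' with two links ("1st", "2nd") drawn between them.
  package "Cloud Provider D" as cloudd {
    package ZoneA as cloudd_zonea {
      package VPC as cloudd_zonea_vpc1 {
        package Subnet as cloudd_zonea_vpc1_subnet1 {
          node VM as cloudd_zonea_vpc1_vm1 {
            component "Ziti Edge Router" as cloudd_zonea_vpc1_vm1_ziti_edge_router_1
          }
        }
      }
    }
    package ZoneB as cloudd_zoneb {
      package VPC as cloudd_zoneb_vpc1 {
        package Subnet as cloudd_zoneb_vpc1_subnet1 {
          node VM as cloudd_zoneb_vpc1_vm1 {
            component "Ziti Edge Router" as cloudd_zoneb_vpc1_vm1_ziti_edge_router_1
          }
        }
      }
    }
    cloudd_zonea_vpc1_vm1_ziti_edge_router_1 <--> cloudd_zoneb_vpc1_vm1_ziti_edge_router_1 : 1st
    cloudd_zonea_vpc1_vm1_ziti_edge_router_1 <--> cloudd_zoneb_vpc1_vm1_ziti_edge_router_1 : 2nd
  }
}

' Cross-cloud links. Every private router dials BOTH edge routers (redundancy
' across Cloud D's zones) and the controller.

' Cloud A: each of the two private routers connects to each edge router
clouda_zonea_vpc1_subnet1_vm2_ziti_private_router --> cloudd_zonea_vpc1_vm1_ziti_edge_router_1
clouda_zonea_vpc1_subnet1_vm2_ziti_private_router --> cloudd_zoneb_vpc1_vm1_ziti_edge_router_1
clouda_zonea_vpc1_subnet2_vm2_ziti_private_router --> cloudd_zonea_vpc1_vm1_ziti_edge_router_1
clouda_zonea_vpc1_subnet2_vm2_ziti_private_router --> cloudd_zoneb_vpc1_vm1_ziti_edge_router_1
' Cloud A: each private router connects to the controller
clouda_zonea_vpc1_subnet1_vm2_ziti_private_router --> cloudc_zonea_vpc1_subnet1_ziti_controller
clouda_zonea_vpc1_subnet2_vm2_ziti_private_router --> cloudc_zonea_vpc1_subnet1_ziti_controller
' Cloud B: each of the two private routers connects to each edge router
cloudb_zonea_vpc1_subnet1_vm2_ziti_private_router --> cloudd_zonea_vpc1_vm1_ziti_edge_router_1
cloudb_zonea_vpc1_subnet1_vm2_ziti_private_router --> cloudd_zoneb_vpc1_vm1_ziti_edge_router_1
cloudb_zonea_vpc1_subnet2_vm2_ziti_private_router --> cloudd_zonea_vpc1_vm1_ziti_edge_router_1
cloudb_zonea_vpc1_subnet2_vm2_ziti_private_router --> cloudd_zoneb_vpc1_vm1_ziti_edge_router_1
' Cloud B: each private router connects to the controller
cloudb_zonea_vpc1_subnet1_vm2_ziti_private_router --> cloudc_zonea_vpc1_subnet1_ziti_controller
cloudb_zonea_vpc1_subnet2_vm2_ziti_private_router --> cloudc_zonea_vpc1_subnet1_ziti_controller

' Exposure notes. The controller is drawn with only its client API reachable
' from the Internet; the management API is kept on the host.
note top of cloudc_zonea_vpc1_subnet1_ziti_controller
  (Note) Ziti Controller only has client API exposed
  to the Internet. Management API is closed onto the host.
end note

note top of cloudc_zonea_vpc1_subnet1_ziti_controller
  (Note) If Ziti Controller is taken off the network,
  and the management API is closed down from the Internet,
  the only way to administer the network is by using
  ziti cli locally on a VM with a controller
end note

note left of cloudd_zonea_vpc1_vm1_ziti_edge_router_1
  (Note) Ziti Edge Router has a port exposed
  to accept traffic and route it to the mesh
end note

' Connection setup order between a private router and an edge router.
note top of clouda_zonea_vpc1_subnet1_vm2_ziti_private_router
  1. Private Router initiates a connection to
  edge router.
end note

note top of cloudd_zonea_vpc1_vm1_ziti_edge_router_1
  2. Ziti Edge Router then establishes a
  bi-directional connection with the private
  router.
  (not really establishes, more like reuses)
end note
@enduml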
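@startuml
left to right direction
set separator none
title OpenZiti Components Breakdown RC 2

' Component / trust breakdown. Listener labels follow the pattern
' "<exposure>:<port>(:<default> default)" - the first number appears to be the
' port used in this deployment, the parenthesised one the product default.
' Dotted ".." links labelled "cert's CA" name the CA that issued a listener's
' certificate; "posseses"/"trust" links show who holds which CA key material.

component "Edge Client"
component "HSM"

"Edge Client" .. "Ziti Identity CA": cert's CA

' Private edge router: dials out only, no listener for other routers.
package "Ziti Edge Router Private" {
  component "private:8442"
}
"private:8442" .. "Ziti Identity CA": cert's CA

' Public edge router: one fabric (router-to-router) listener and one edge
' (client) listener.
package "Ziti Edge Router Public" {
  component "public:10080"
  component "public:8442(:3022 default)"
}
"public:10080" .. "Ziti Identity CA": cert's CA
"public:8442(:3022 default)" .. "Ziti Identity CA": cert's CA

' Controller: control-plane listener for routers and HTTPS API listener.
package "Ziti Controller" {
  component "public:8440(:6262 default)"
  component "public:8441(:1280 default)"
}
"public:8440(:6262 default)" .. "Ziti Controller CA": cert's CA
"public:8441(:1280 default)" .. "Ziti Edge CA": cert's CA

' Three separate CAs; each is drawn as a cert plus its private key so the
' diagram can show that the key and the cert may live in different places.
package "Ziti Identity CA" {
  component "Ziti Identity CA cert"
  component "Ziti Identity CA pkey"
  "Ziti Identity CA cert" -- "Ziti Identity CA pkey"
}

package "Ziti Edge CA" {
  component "Ziti Edge CA cert"
  component "Ziti Edge CA pkey"
  "Ziti Edge CA cert" -- "Ziti Edge CA pkey"
}

package "Ziti Controller CA" {
  component "Ziti Controller CA cert"
  component "Ziti Controller CA pkey"
  "Ziti Controller CA cert" -- "Ziti Controller CA pkey"
}

note top of "public:8442(:3022 default)"
  an edge enabled port
  which is a tcp port
  with TLS enabled
  and cert is from 'Ziti Edge CA'
  used by clients
  this communication goes
  into 'data plane' realm
end note

note top of "public:10080"
  a fabric data port, just like :8442
  but used by other routers to create a mesh like connection
  this communication goes into 'data plane' realm
end note

note top of "Ziti Edge Router Private"
  also called private router, and by not having
  an incoming connection for other routers
  to connect to
  this communication goes into 'data plane' realm
end note

note top of "public:8441(:1280 default)"
  an HTTPS based port, edge enabled
  which serves either (or both*) client api
  or an admin api also called management api
  * - by default the client and admin apis
  are served on the same port, however it is pretty
  much recommended to split that into two different ones
  and bind the port for admin api explicitly to localhost
  or a private subnet that you are going to perform admin actions
  from
end note

note top of "public:8440(:6262 default)"
  a tcp port used by routers
  to communicate with the controller
  this communication goes into 'control plane' realm
end note

note top of "HSM"
  HSM or hardware security module
  is here solely to show that controller
  doesn't have to possess all the keys
  to all the CAs.
end note

note top of "private:8442"
  an edge enabled port
  used by clients in
  private address space
  to connect to the mesh network
end note

note top of "Ziti Controller"
  controller signs certs for
  "Edge Client", "Ziti Edge Router Public",
  "Ziti Edge Router Private" using
  the possessed CA "Ziti Identity CA"
end note

' Key custody: the HSM holds the Edge and Controller CA keys, the controller
' holds only the Identity CA and trusts the other two CA certs.
"HSM" .. "Ziti Edge CA": possesses
"HSM" .. "Ziti Controller CA": possesses
"Ziti Controller" .. "Ziti Identity CA": possesses
"Ziti Controller" .. "Ziti Edge CA cert": trust
"Ziti Controller" .. "Ziti Controller CA cert": trust

' Data flows: routers dial the controller's :8440 control-plane port, the
' private router peers with the public router's fabric port, and the edge
' client dials the controller API (:8441) and the public edge port (:8442).
"Ziti Edge Router Private" <--> "public:10080"
"Ziti Edge Router Private" --> "public:8440(:6262 default)"
"Ziti Edge Router Public" --> "public:8440(:6262 default)"
"Edge Client" --> "public:8441(:1280 default)"
"Edge Client" --> "public:8442(:3022 default)"
@enduml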