Ingress High Availability in Public Clouds


As customers extend Ziti network into all public clouds, we obviously prefer they would use SDKs and embed Ziti into their cloud native apps. This is not always possible for various reasons. Since Ziti Network is highly distributed by design, the ingress to the network from not native Ziti Apps must be as well.

The preferred architecture for this is to be cloud native and utilize tools/platforms available in various clouds, more specifically network load balancers. The following requirements are the desired attributes of cloud load balancers.

  1. Network type, i.e. L3/L4

  2. Transparent - doesn't close or originate flows or interact with the payload of the flow and protocol handshakes always occur directly between the client and the back-end pool vm

  3. The original source IP address is preserved

  4. TCP and UDP support using the same front end private IP

  5. Hash Algorithm:

    1. Five-Tuple (source IP and port, destination IP and port, protocol)

    2. Three-Tuple (source IP, destination IP, protocol) - session affinity, i.e. more predictable to use the same ER for network ingress per protocol

    3. Two-Tuple (source IP, destination IP) - same as (b) but no protocol dependency

  6. Backend VM Weight - desirable

  7. Health Check Types - configurable destination port, interval, retries, timeout for all types

    1. http (optional body look-up)

    2. tcp (required at the very least)

    3. udp (optional)


In Ziti v.0.20.10, the router health check endpoint was introduced. This can be used to check on the Edge Router connectivity status to the controller. i.e. ER online or offline as seen by the controller. We also tested using a local service that would originate and terminate on the same local ER as the health check endpoint. The idea for that was to verify the data plane between the tunneler and the edge router as seen by sessions originating on the local tunneler. This part may not be as critical for the tunneler/router combo for the simple fact that the code is integrated now. 

Here is a simple health check configuration option using the existing edge router health checks.

  1. protocol option = https

  2. port option = tcp

  3. path option = /health-checks

Deployment Diagram



Cloud Solutions 

  1. Azure HA Solution
  2. OCI HA Solution
  3. GCP HA Solution
  4. AWS HA Solution


Was this article helpful?
1 out of 1 found this helpful



Please sign in to leave a comment.