Secure Your Network with OpenZiti Zero Trust: Dark Services and Application Segmentation
Traditional network security relies on perimeter defenses—VPNs, firewalls, and exposed ports—that grant broad access once authenticated. This model fails in distributed environments where services span clouds, data centers, and remote locations. OpenZiti implements zero trust networking by making services completely "dark" with no listening ports, encrypting all traffic end-to-end, and enforcing application-level segmentation through certificate-based authentication and programmable policies.
What is OpenZiti?
OpenZiti is an open-source zero trust networking platform that creates secure overlay networks using a scalable mesh architecture. Unlike VPNs that grant network-wide access, OpenZiti enforces identity-based, application-level permissions. Services register with the OpenZiti controller without opening inbound ports: both the client and the service host initiate outbound-only connections to edge routers, which authenticate each identity and apply policies before an encrypted session is established. This removes the inbound network attack surface while simplifying access control for microservices, APIs, and legacy applications.
Key Features
- Dark Services: Services remain invisible on public networks with no listening ports, preventing reconnaissance and direct attacks.
- Certificate-Based Authentication: Mutual TLS and certificate rotation authenticate all identities—devices, applications, and users—before granting access.
- Application Segmentation: Policies define per-service access rules, ensuring clients only reach authorized applications rather than entire network segments.
- End-to-End Encryption: Traffic is encrypted at the application layer and stays encrypted as it crosses routers, so intermediaries cannot read or tamper with it, preventing man-in-the-middle attacks.
- Programmable SDKs: Embed OpenZiti directly into applications using SDKs for Go, C, Python, Java, and Swift, so the application itself dials and hosts Ziti services without a separate tunneler or OS-level network tunnel.
Installation
Deploy an OpenZiti network using the quickstart script for a local development environment:
# load the quickstart shell functions into the current shell (a child bash process would not leave expressInstall defined), then run the installer
source <(curl -s https://get.openziti.io/quick/ziti-cli-functions.sh)
expressInstall
This script installs the Ziti controller, edge router, and admin console. For production deployments, use Kubernetes with Helm charts:
helm repo add openziti https://openziti.github.io/helm-charts
helm install ziti-controller openziti/ziti-controller --namespace openziti --create-namespace
helm install ziti-router openziti/ziti-router --namespace openziti
Install the Ziti CLI for managing identities and services:
# Linux
curl -sSLf https://get.openziti.io/install.bash | sudo bash
# macOS
brew install openziti/openziti/ziti
Usage
Create a service and grant access using the Ziti CLI:
# Create an identity for a client
ziti edge create identity user "client-app" -o client-app.jwt
ziti edge enroll client-app.jwt
# Create an identity for a service host
ziti edge create identity device "api-server" -o api-server.jwt
ziti edge enroll api-server.jwt
# Define a service for an internal API (attach host.v1 and intercept.v1 configs
# with --configs so the hosting tunneler knows the local address to forward to
# and the client tunneler knows which name and port to intercept)
ziti edge create service "internal-api"
# Bind the service to the hosting identity
ziti edge create service-policy "api-bind" Bind --service-roles "@internal-api" --identity-roles "@api-server"
# Grant access to the client identity
ziti edge create service-policy "api-dial" Dial --service-roles "@internal-api" --identity-roles "@client-app"
Start a tunneler on the client to intercept traffic:
ziti-edge-tunnel run --identity client-app.json
The hosting identity (a tunneler or SDK enrolled as api-server) binds the service outbound to an edge router, so the API server listens only on localhost yet becomes accessible to authorized clients via the OpenZiti overlay network: no firewall rules or port forwarding required.
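To show how the Bind and Dial policies above yield application segmentation, here is an added Python model of OpenZiti's service-policy matching (an illustration written for this page, not OpenZiti's code). It assumes a constructed second service, billing-db, that api-server hosts but no client is granted, and it models the @name, #attribute and #all role forms with AnyOf/AllOf semantics, going slightly beyond the @name-only policies used above.

```python
# Added model of OpenZiti service-policy matching (illustration, not OpenZiti code).
# "@name" matches one entity by name, "#attr" a role attribute, "#all" everything.
from dataclasses import dataclass, field
@dataclass
class Entity:                 # an identity or a service
    name: str
    attrs: set = field(default_factory=set)   # role attributes, e.g. {"backend"}
@dataclass
class ServicePolicy:
    name: str
    kind: str                 # "Bind" (host a service) or "Dial" (connect to it)
    identity_roles: list
    service_roles: list
    semantic: str = "AnyOf"   # OpenZiti default; "AllOf" requires every role
def role_match(entity, roles, semantic):
    """True if the entity satisfies the role list under the given semantic."""
    hits = []
    for role in roles:
        if role == "#all":
            hits.append(True)
        elif role.startswith("@"):
            hits.append(role[1:] == entity.name)
        elif role.startswith("#"):
            hits.append(role[1:] in entity.attrs)
        else:
            raise ValueError(f"role must start with @ or #: {role}")
    return bool(hits) and (all(hits) if semantic == "AllOf" else any(hits))

def allowed(identity, service, kind, policies):
    """Access exists only when a policy of that kind matches both sides."""
    return any(p.kind == kind
               and role_match(identity, p.identity_roles, p.semantic)
               and role_match(service, p.service_roles, p.semantic)
               for p in policies)

# Entities and policies from the page, plus a constructed second service
# ("billing-db", hosted by api-server) that no client identity is granted.
IDENTITIES = {n: Entity(n) for n in ("client-app", "api-server")}
SERVICES = {n: Entity(n) for n in ("internal-api", "billing-db")}
POLICIES = [
    ServicePolicy("api-bind", "Bind", ["@api-server"], ["@internal-api"]),
    ServicePolicy("api-dial", "Dial", ["@client-app"], ["@internal-api"]),
    ServicePolicy("db-bind", "Bind", ["@api-server"], ["@billing-db"]),
]

def access_matrix():
    """{(identity, service, kind): bool} for every identity/service/kind."""
    return {(i, s, k): allowed(IDENTITIES[i], SERVICES[s], k, POLICIES)
            for i in IDENTITIES for s in SERVICES for k in ("Bind", "Dial")}
```

Only three of the eight combinations are allowed: client-app can Dial internal-api and nothing else, and api-server can only Bind, which is the per-service segmentation the policies encode.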
Operational Tips
- Replace VPNs for Remote Access: Deploy edge routers in cloud regions and enable employees to access internal tools without VPN overhead or broad network exposure.
- Secure Microservices: Embed Ziti SDKs into containerized apps to enforce service-to-service authentication without service mesh complexity.
- Simplify Multi-Cloud Connectivity: Use OpenZiti to connect workloads across AWS, Azure, and GCP without VPC peering or site-to-site VPNs.
- Monitor with Fabric Events: Enable fabric event streaming to ingest connection logs and policy violations into SIEM platforms for compliance auditing.
Conclusion
OpenZiti transforms network security by eliminating exposed services, enforcing identity-based access, and encrypting all traffic end-to-end. Its dark services architecture and programmable SDKs make it ideal for SRE teams securing distributed applications and replacing legacy VPNs with zero trust principles.
For efficient incident management and to prevent on-call burnout, consider using Akmatori. Akmatori automates incident response, reduces downtime, and simplifies troubleshooting.
Additionally, for reliable virtual machines and bare metal servers worldwide, check out Gcore.