Service router policies
A service router policy governs the relationship between services and routers. It answers the question: Which routers are authorized to begin or end a circuit?
This policy is one of the most operationally critical policies as it determines the set of routers that are allowed to serve as the first and last routers in the secure circuit path calculated by the controller.
- First router: The first router in the circuit is the one an edge client uses to initiate traffic destined for the service.
- Last router: The last router in the circuit is the one that terminates the circuit and routes traffic to the identity binding the service.
Traffic may traverse any authorized router (a router with Allow Traversal set to Yes) to get from the first router to the last router, but the path must begin and end at the routers matching this policy.
This means:
- Identities connected to these matching first routers are eligible to initiate traffic.
- Identities connected to these matching last routers are eligible to receive the target service traffic.
Terminator creation
When an identity is authorized to bind a service, the OpenZiti SDK sends "create terminator" messages to the routers it is connected to. Those routers then send "create terminator" messages to the controller to create a terminator: the final, active data plane connection point for that service. This action makes the service ready to accept connections.
High availability and troubleshooting
If all the routers matching the policy are offline, or if no routers and services match the policy, no traffic can flow for that service. Identifying which side is failing is key to troubleshooting:
- Dial-side failure: If the identities can't find an authorized path to initiate the circuit, the logs will typically show a "no routers online" error.
- Bind-side failure: If the policy fails to authorize at least one router for the service, or if the binding identity can't connect to those routers, traffic will fail with a "no terminators" error.
By authorizing multiple routers to host the same service, the network provides the client with multiple valid path options. This enables automatic failover if one path becomes unavailable, supporting high availability.
Modifying service router policies can instantly break connectivity for clients. Don't alter these policies unless you fully understand the resulting data plane topology and the roles of the first and last routers in the circuit path, as it's very easy to inadvertently prevent traffic from being initiated or terminated correctly.
Console reference
Service router policies table
The Service Router Policies tab (often labeled Service Edge Router Policies) lists the rules that authorize specific services to be hosted on or traverse specific Edge Routers. This controls which routers are allowed to carry traffic for which services.
| Column | Description |
|---|---|
| Name | The unique, user-defined name for the policy. |
| Service Attributes | The set of service attributes included in this policy. Defines which services are allowed to use the matched routers. |
| Router Attributes | The set of router attributes included in this policy. Defines which routers are authorized to host or transport the matched services. |
| Semantic | The logic used to match attributes (AnyOf or AllOf). Determines if an entity needs one or all listed attributes to match the policy. |
| Created At | The date and time the policy was created. |
| ID | The unique, system-assigned ID (UUID) assigned to the policy by the controller. |