
Routers overview

Routers are the fundamental components that comprise the mesh network itself. They're responsible for securely transporting all application traffic across the NetFoundry data plane.

Routers perform two primary roles: serving as the ingress/egress point for client applications and acting as zero-trust relay nodes to forward data across the network fabric.

Router types

You can categorize routers based on their role and deployment location:

  • NetFoundry-hosted routers: These routers form the core, global NetFoundry fabric. They're managed by NetFoundry and are optimized for high performance and reliability. While they primarily connect other routers together to build the secure backbone of your network, they also accept edge connections, allowing clients to enter the network directly without needing a customer-hosted router for ingress.
  • Customer-hosted routers: These routers are functionally identical to NetFoundry-hosted routers but are deployed and managed by you. You can place them in any network environment (private data centers, public clouds, Kubernetes clusters, or branch offices) to extend the mesh. This control allows them to serve multiple roles: they can act as a tunneler to offload traffic to private resources (ZTNA), serve as a secure ingress point for local devices, or function as additional relay nodes to expand the fabric's reach.

Tunneler mode

Tunneler mode is a configuration setting that lets the router also act as a Ziti Edge Tunneler. When you enable it, the controller creates an identity for the router, so the router can be placed in service policies and can host or access services exactly like any other identity.

  • Without tunneler mode: The router performs transit functions and can accept edge connections (ingress) from other clients, but it can't function as an endpoint itself.
  • With tunneler mode: The router can interact with the overlay as an endpoint. This allows it to offload traffic to local applications (host) or intercept traffic from the local LAN (client) to bridge them into the overlay.
Note: Tunneler mode is typically only enabled on customer-hosted routers. NetFoundry-hosted routers reside in the public cloud and have no path to your private local resources, so they can't be used to tunnel traffic to them.

For more info, see Tunnelers on OpenZiti docs.

Transit routers

A transit router is a logical concept used to define a router dedicated exclusively to forwarding traffic between other routers. Unlike standard routers, transit routers are explicitly restricted from accepting edge connections and can't be used as tunnelers to host services.

While standard routers inherently perform transit functions, designating specific routers as "transit routers" is a specialized configuration used primarily for dedicated backbone capacity and redundancy, or to enforce strict separation of duties at scale: a transit router exposes no edge listener and holds no tunneler identity, so it carries traffic between routers without ever being a client-facing or service-hosting endpoint. For most deployments, standard routers provide the same transit capabilities without these restrictions.

You manage transit routers separately from your general router list because their primary function is scaling and managing the router-to-router connections that form the mesh overlay network.
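The distinction between a transit router, a standard router and a tunneler-enabled router comes down to which listeners the router runs. The following illustrative configuration, written in the OpenZiti router config format that NetFoundry routers are built on, is an added example and not a file generated by the NetFoundry console or taken from the project. Hostnames, ports and file paths are placeholders. In a NetFoundry network you do not hand-edit this file; the console's tunneler mode setting and router role control the equivalent behaviour, but seeing the layers side by side shows what each role adds.

```yaml
# Illustrative OpenZiti-style router configuration (added example, not a
# NetFoundry-generated file). Hostnames, ports and paths are placeholders.
v: 3
identity:
  cert: /var/lib/ziti/router.cert
  server_cert: /var/lib/ziti/router.server.cert
  key: /var/lib/ziti/router.key
  ca: /var/lib/ziti/cas.pem
ctrl:
  endpoint: tls:controller.example.com:6262

# Fabric links to other routers. Every router has this section, and a
# transit router's configuration stops here: links only, no edge, no tunnel.
link:
  dialers:
    - binding: transport
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:10080
      advertise: tls:router1.example.com:10080

# The edge listener is what makes this a standard (non-transit) router:
# clients can connect here for ingress. Omit it for a transit router.
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: router1.example.com:3022
  # The tunnel listener only works together with tunneler mode (the router
  # needs its own identity). mode: host lets it offload traffic to local
  # applications; mode: tproxy lets it intercept LAN traffic as a client.
  - binding: tunnel
    options:
      mode: host
```

Reading it top down: a transit router keeps only the `link` section, a standard router adds the `edge` listener, and a tunneler-enabled customer-hosted router adds the `tunnel` listener on top of that. Removing the `edge` listener is exactly what stops a router from accepting edge connections, which is why a transit router has a smaller exposed surface than a standard one.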

Console reference

Routers table

The Routers tab shows all routers registered to your network, providing immediate visibility into their status, identity, and role within the fabric.

| Column | Description |
| --- | --- |
| Name | The unique, user-defined name given to the router. |
| O/S | The operating system where the router software is installed (e.g., Linux, Windows, macOS). |
| Roles | The role attributes assigned to this router. Policies (such as router policies) reference these attributes to decide which identities may use the router and which services it may host. |
| Verified | Indicates whether the router has completed enrollment, that is, whether the controller has issued and recorded the router's identity certificate and now trusts it. An unverified router cannot come online. |
| Online | Shows the real-time operational status. A checkmark indicates the router is connected to the controller and actively participating in the data plane. |
| Created At | The date and time the router identity was first created in the controller. |
| ID | The unique, system-assigned ID (UUID) assigned to the router by the controller. This is primarily used for API calls. |
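The Roles column is only useful if you know how policies consume it. The following Python example is added here and is not NetFoundry or OpenZiti code. It models the selector grammar that OpenZiti policies use to pick routers and identities (`#attr` matches a role attribute, `@name` matches one entity by name, `#all` matches everything, and a policy's semantic is `AnyOf` or `AllOf`), then runs a small inventory check over constructed sample rows shaped like the Routers table. The `hosted_by` field is an assumption added for the check; it is not a console column.

```python
"""Role-attribute matching and a basic inventory check for the Routers table.

Added example (not NetFoundry or OpenZiti code). Router rows below are
constructed sample data; 'hosted_by' is an assumed field, not a console column.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    roles: frozenset          # the Roles column
    verified: bool            # the Verified column
    online: bool              # the Online column
    tunneler_enabled: bool    # the tunneler mode setting
    hosted_by: str            # "netfoundry" or "customer" (assumed field)


def selector_matches(selector: str, name: str, roles: frozenset) -> bool:
    """Evaluate one policy selector against one entity."""
    if selector == "#all":
        return True
    if selector.startswith("#"):          # role attribute
        return selector[1:] in roles
    if selector.startswith("@"):          # a specific entity by name
        return selector[1:] == name
    raise ValueError(f"unknown selector syntax: {selector!r}")


def policy_selects(selectors, semantic: str, name: str, roles) -> bool:
    """Combine selectors using the policy semantic ('AnyOf' or 'AllOf')."""
    hits = [selector_matches(s, name, roles) for s in selectors]
    if semantic == "AnyOf":
        return any(hits)
    if semantic == "AllOf":
        return all(hits)
    raise ValueError(f"unknown semantic: {semantic!r}")


def routers_for_policy(routers, edge_router_roles, semantic="AnyOf"):
    """Sorted names of the routers a policy's edgeRouterRoles selects."""
    return sorted(r.name for r in routers
                  if policy_selects(edge_router_roles, semantic, r.name, r.roles))


def audit(routers):
    """Findings a practitioner would want from a Routers table export."""
    findings = []
    for r in routers:
        if not r.verified:
            findings.append((r.name, "unverified: enrollment not completed"))
        elif not r.online:
            findings.append((r.name, "verified but offline"))
        if r.tunneler_enabled and r.hosted_by == "netfoundry":
            # Per the note above, tunneler mode belongs on customer-hosted routers.
            findings.append((r.name, "tunneler mode on a NetFoundry-hosted router"))
    return findings


SAMPLE_ROUTERS = [  # constructed sample rows
    Router("nf-us-east-1", frozenset({"public", "fabric"}), True, True, False, "netfoundry"),
    Router("nf-eu-west-1", frozenset({"public"}), True, True, True, "netfoundry"),
    Router("dc-ingress-1", frozenset({"dc-east", "ingress"}), True, True, True, "customer"),
    Router("branch-42", frozenset({"branch"}), True, False, True, "customer"),
    Router("k8s-edge", frozenset({"dc-east", "k8s"}), False, False, False, "customer"),
]

if __name__ == "__main__":
    print(routers_for_policy(SAMPLE_ROUTERS, ["#dc-east", "@branch-42"]))
    print(routers_for_policy(SAMPLE_ROUTERS, ["#dc-east", "#ingress"], "AllOf"))
    for name, issue in audit(SAMPLE_ROUTERS):
        print(f"{name}: {issue}")
```

With `AnyOf`, a policy whose router roles are `#dc-east` and `@branch-42` selects every router carrying the `dc-east` attribute plus the one named router; switching to `AllOf` narrows the same attribute list to routers that carry every listed attribute. The audit pairs the Verified and Online columns: an unverified router is a pending enrollment, a verified-but-offline one is a router that finished enrollment and has since lost its controller connection.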

Transit routers table

The Transit Routers tab displays all routers configured to participate in the secure network fabric. Because transit routers are typically part of the self-enrolled, NetFoundry-hosted fabric, the enrollment-related columns (Token and JWT) are usually empty for them, unlike in the main router list where manual enrollment is common.

| Column | Description |
| --- | --- |
| Name | The unique, user-defined name given to the router. |
| Verified | Indicates whether the router has completed enrollment, that is, whether the controller has issued and recorded the router's identity certificate and now trusts it. |
| Online | Shows the real-time operational status. A checkmark indicates the router is connected to the controller and actively participating in the network fabric. |
| Created At | The date and time the router identity was first created in the controller. |
| Token | The enrollment token status. Enrollment tokens are single-use and consumed when the router enrolls, so for routers enrolled through automated methods this column is typically blank or shows a completed enrollment. |
| JWT | The status of the enrollment JSON Web Token. Like the Token column, this is typically blank for self-managed, already-enrolled routers. |
| ID | The unique, system-assigned ID (UUID) assigned to the router by the controller. This is primarily used for API calls. |