Manage networks with kziti
A network in kziti is a logical grouping of services — typically one customer, team, or environment. Each network gets one or more private routers that host its services and connect outbound to the public routers in the existing kziti deployment.
This guide covers creating networks, provisioning their private routers, and removing them.
List existing networks
kziti network list
Create a new network
Creating a network only adds a record on the control plane; the infrastructure comes from the private router (next section).
kziti network create net-corp-a "Corp A"
The first argument is the network ID — the net- prefix is the convention used in role attributes and access grants (e.g. the network net-corp-a is granted via kziti access grant alice@example.com net-corp-a). The short form without the prefix (corp-a) also works and is normalised automatically. Keep the name short and lowercase. The second argument is a human-readable display name.
Provision a private router for the network
Step 1. Create the router record on the controller
On the controller host:
kziti router private provision net-corp-a corp-a-router-1 --output-dir /tmp
This creates an OpenZiti router identity tagged for the network and writes a router enrollment JWT to /tmp/corp-a-router-1.jwt.
The --tunneler option is enabled by default, so the router itself hosts services. Use --no-tunneler only if a separate identity does the hosting.
Transfer the JWT to the host that will run the router:
scp /tmp/corp-a-router-1.jwt user@router-host.corp-a.example.com:/tmp/
Step 2. Install kziti and start the router on the new host
On the host where the private router will run, install the kziti binary as in the quickstart, then start it as a router:
kziti deploy install --profile router \
  --router-host router-host.corp-a.example.com \
  --enrollment-token "$(cat /tmp/corp-a-router-1.jwt)"
The router enrolls with the controller using the JWT and starts hosting traffic for the network.
Step 3. Verify
On the controller host:
kziti router list
The new router should appear with status online and the network attribute set.
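The enrollment JWT from step 1 is what the router uses to enroll, and the steps above leave it in /tmp on both hosts. As an added example (not part of kziti or of the original guide), the shell check below refuses a token file that group or other users can access, or whose token is malformed or expired. It assumes the token is a standard three-part JWT with iss and exp claims; check_enrollment_jwt, make_sample_jwt and the sample issuer URL are hypothetical names.

```shell
#!/bin/sh
# Added example (not kziti code): pre-flight check for a router enrollment JWT.
# Assumes a three-part JWT whose payload carries "exp" and "iss" claims.

# Decode one unpadded base64url segment to stdout.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# check_enrollment_jwt FILE [NOW_EPOCH]
# Returns 0 usable, 1 permissions too open, 2 missing or malformed, 3 expired.
check_enrollment_jwt() {
    file=$1
    now=${2:-$(date +%s)}
    [ -f "$file" ] || return 2
    # Group and other permission bits must all be clear (mode 0600 or 0400).
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "refusing: $file is accessible to group/other" >&2
        return 1
    fi
    claims=$(b64url_decode "$(cut -s -d. -f2 "$file")" 2>/dev/null) || return 2
    exp=$(printf '%s' "$claims" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    iss=$(printf '%s' "$claims" | sed -n 's/.*"iss"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$exp" ] && [ -n "$iss" ] || return 2
    if [ "$exp" -le "$now" ]; then
        echo "refusing: token expired at epoch $exp" >&2
        return 3
    fi
    echo "ok: issuer=$iss expires=$exp"
}

# Constructed sample token (dummy signature) for trying the check offline.
# make_sample_jwt FILE EXP_EPOCH
make_sample_jwt() {
    enc() { base64 | tr -d '=\n' | tr '/+' '_-'; }
    h=$(printf '{"alg":"RS256","typ":"JWT"}' | enc)
    p=$(printf '{"iss":"https://ctrl.example.com:1280","exp":%s}' "$2" | enc)
    (umask 077; printf '%s.%s.c2ln\n' "$h" "$p" > "$1")
}

# Script mode: sh check.sh /tmp/corp-a-router-1.jwt
if [ $# -gt 0 ]; then check_enrollment_jwt "$@"; fi
```

Run it on the controller host before the scp and again on the router host before kziti deploy install, and confirm the printed issuer is your controller.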
Rename a network
kziti network rename net-corp-a "Corp A (renamed)"
The network ID does not change — only the display name.
Delete a network
Deleting a network removes its services, role attributes, and policies from the controller. Identities lose access to anything previously scoped to the network. Make sure no Kasm sessions depend on the network's services before deleting.
kziti network delete net-corp-a
After deletion, tear down any private routers that were specific to the network, as described in "Tear down a deployment".