Step 4: After installation
With your Ziti network installed and verified, you're ready to start building on it. This page covers essential day 2 operations and points you to additional resources.
Learn OpenZiti concepts
Before building on your network, familiarize yourself with the core OpenZiti concepts that underpin identities, services, and policies. The OpenZiti documentation covers the architecture and key concepts, and the core concepts guide provides detailed explanations of each resource type.
Manage your network with ZAC
The Ziti Admin Console (ZAC) is your primary interface for managing the Ziti network. From ZAC you can create and manage identities, services, policies, and edge routers.
Create identities
Identities represent the endpoints (devices, applications, servers) that connect to your Ziti network. Each identity receives a certificate used for mutual TLS authentication.
- Use ZAC or the Ziti CLI to create identities.
- After creation, enroll the identity to generate its certificates and register it with the controller.
Create services
Services define what resources are accessible over the Ziti network and how traffic is routed and authorized.
- For an overview of service components (termination, configuration, authorization), see services.
- For a hands-on walkthrough of creating your first service, see the services quickstart.
Add edge routers
The installer deploys one default edge router alongside the controller. For production environments, you will likely need additional routers to improve performance, redundancy, or regional coverage.
- To add routers, use ZAC or the Ziti CLI/API.
- For Kubernetes-based router deployments, see the OpenZiti deployment guides.
Connect clients
End users connect to the Ziti network using tunneler software available for all major platforms.
For a complete overview, see the tunneler reference.
Programmatic access
For automated workflows and CI/CD integration, see the OpenZiti API reference and the CLI reference.
Set up backups
Configuring backups should be a priority after verifying your installation. NetFoundry Self-Hosted provides automated backup tooling built on Velero with S3 storage.
For environments that need on-site storage, see On-site backups (MinIO).
Monitor with the support stack
If you installed the NetFoundry support stack, you have access to pre-configured monitoring and logging tools:
- Grafana: Dashboards for network telemetry and metrics
- Kibana: Searchable logs and raw telemetry data
- RabbitMQ: Message buffer for Ziti metrics and events
These tools are accessible over Ziti using the edge tunnel. For details on the support stack components, see the support stack overview.
Keep your installation up to date
NetFoundry Self-Hosted provides a guided upgrade script that manages version compatibility between the Ziti controller, routers, and helm charts.
CLI command reference
NetFoundry Self-Hosted provides shortcut commands available after installation. These are loaded via the nf_help_menu.sh profile script and can be listed at any time with nf-help.
| Command | Description |
|---|---|
| nf-help | Show the help menu with all available commands |
| nf-quickstart | Run the NetFoundry quickstart installer |
| nf-upgrade | Upgrade one or more NetFoundry installed helm charts |
| nf-status | Show Kubernetes status of all NetFoundry deployments |
| nf-install-notes | Show installation notes (ZAC URL, credentials, helm commands) |
| nf-support-bundle | Collect system diagnostics and logs into a zip file for NetFoundry support |
| nf-login | Log into the Ziti controller to use with the Ziti CLI |
| nf-create-snapshot | Take a snapshot of the Ziti database and store it locally |
| nf-restore-snapshot | Restore a Ziti controller snapshot from backup |
| nf-uninstall | Uninstall all NetFoundry installed resources from Kubernetes |
| nf | Change to the NetFoundry installation directory |
Advanced configuration
- FIPS compliance: Run OpenZiti in FIPS-compliant mode for regulated environments
- Proxy configuration: Additional setup for corporate proxy environments