ZeroTier on AWS
This guide covers basic configuration and troubleshooting for deploying ZeroTier on Amazon Web Services (AWS). For connecting AWS to on-premise resources, see Bridging. For Azure deployments, see ZeroTier on Azure.
The diagram above shows a typical ZeroTier deployment on AWS, connecting EC2 instances through ZeroTier's encrypted network overlay while maintaining access to AWS services like RDS and S3.
Security Groups Configuration
Required Ports
ZeroTier requires specific ports for optimal connectivity:
Inbound Rules:
- UDP 9993 - ZeroTier agent peer-to-peer communication (required)
- TCP 443 - ZeroTier Central REST API for network management (optional, not required by agent)
- ICMP - For network diagnostics (optional but recommended)
Outbound Rules:
- All traffic - ZeroTier needs to connect to various ports for peer discovery
- Or UDP 1-65535 only, if allowing all outbound traffic is not permitted
Example Security Group Configuration
For general firewall guidance, see Corporate Firewalls.
```bash
# Create security group for ZeroTier
aws ec2 create-security-group \
  --group-name zerotier-sg \
  --description "ZeroTier Security Group"

# Allow ZeroTier protocol port
aws ec2 authorize-security-group-ingress \
  --group-name zerotier-sg \
  --protocol udp \
  --port 9993 \
  --cidr 0.0.0.0/0

# Allow HTTPS for ZeroTier Central API (optional - only if using REST API)
aws ec2 authorize-security-group-ingress \
  --group-name zerotier-sg \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0
```
Basic EC2 Setup
Instance Configuration
Install ZeroTier on EC2:
```bash
# Ubuntu/Debian
curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join [NETWORK_ID]

# Amazon Linux 2
curl -s https://install.zerotier.com | sudo bash
sudo systemctl enable zerotier-one
sudo zerotier-cli join [NETWORK_ID]
```
Verify Installation:
```bash
# Check ZeroTier status
sudo zerotier-cli info

# List networks
sudo zerotier-cli listnetworks

# Check peers
sudo zerotier-cli peers
```
NAT Gateway Considerations
AWS NAT Gateways implement symmetric NAT, which impairs ZeroTier's peer-to-peer connectivity:
Issues:
- Symmetric NAT prevents direct peer-to-peer connections
- Increased latency due to relay traffic
- Higher bandwidth costs for relayed connections
Solutions:
- Deploy in public subnets where direct connectivity is needed
- Configure routing to bypass NAT for ZeroTier traffic
- Use bridge nodes to provide VPC access without NAT Gateway dependency
Testing NAT Connectivity
```bash
# Check current network status
sudo zerotier-cli listnetworks

# Verify connectivity type
sudo zerotier-cli peers | grep -E "DIRECT|RELAY"
```
Simple Integration Examples
Basic Database Connectivity
Test connectivity to RDS or other VPC resources:
```bash
# Test MySQL/Aurora connectivity
mysql -h [RDS_ENDPOINT] -u [USERNAME] -p

# Test PostgreSQL connectivity
psql -h [RDS_ENDPOINT] -U [USERNAME] -d [DATABASE]
```
File Share Access
```bash
# Mount EFS via NFS
sudo mount -t nfs4 [EFS_DNS_NAME]:/ /mnt/efs

# Test S3 access (if using VPC endpoint)
aws s3 ls s3://[BUCKET_NAME]/
```
Troubleshooting
Connectivity Issues
Check ZeroTier Status:
```bash
# View network status
sudo zerotier-cli listnetworks

# Check peers
sudo zerotier-cli peers

# View system logs
sudo journalctl -u zerotier-one -f
```
Verify AWS Security Groups:
```bash
# Check security group rules
aws ec2 describe-security-groups --group-ids [SECURITY_GROUP_ID]

# Test connectivity
telnet [TARGET_IP] [PORT]
nc -zv [TARGET_IP] [PORT]
```
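Reading `describe-security-groups` output by eye is error-prone, so the following script checks a security group against the port requirements listed under Required Ports: inbound UDP 9993 (required), outbound UDP (all traffic or UDP 1-65535), inbound ICMP (optional) and inbound TCP 443 (optional, not needed by the agent). It is an added example, not part of this guide or of ZeroTier's tooling; the embedded JSON is constructed in the documented shape of `aws ec2 describe-security-groups` output, and the group IDs in it are placeholders. Pipe real output in with `aws ec2 describe-security-groups --group-ids [SECURITY_GROUP_ID] | python3 check_sg.py -`.

```python
import json
import sys
from typing import Optional

# Constructed sample in the shape of `aws ec2 describe-security-groups` JSON.
# The first group matches this guide's example; the second is missing the ZeroTier rules.
SAMPLE_DESCRIBE_OUTPUT = """
{
  "SecurityGroups": [
    {
      "GroupName": "zerotier-sg",
      "GroupId": "sg-0000000000example",
      "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 9993, "ToPort": 9993,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}
      ],
      "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
      ]
    },
    {
      "GroupName": "locked-down-sg",
      "GroupId": "sg-1111111111example",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
      ],
      "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
      ]
    }
  ]
}
"""


def rule_allows(rule: dict, proto: str, port: Optional[int] = None) -> bool:
    """True if one IpPermissions entry covers proto/port.
    AWS uses IpProtocol "-1" for all protocols and FromPort/ToPort -1/-1 for all ports."""
    if rule.get("IpProtocol") not in ("-1", proto):
        return False
    if rule.get("IpProtocol") == "-1" or port is None:
        return True
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if lo == -1 and hi == -1:
        return True
    return lo <= port <= hi


def check_zerotier_sg(sg: dict) -> dict:
    """Evaluate one security group against the Required Ports list of this guide."""
    ingress = sg.get("IpPermissions", [])
    egress = sg.get("IpPermissionsEgress", [])
    result = {
        "udp_9993_in": any(rule_allows(r, "udp", 9993) for r in ingress),
        "icmp_in": any(rule_allows(r, "icmp") for r in ingress),
        "tcp_443_in": any(rule_allows(r, "tcp", 443) for r in ingress),
        # outbound must cover the whole UDP range (all traffic, or UDP 1-65535)
        "udp_all_out": any(rule_allows(r, "udp", 1) and rule_allows(r, "udp", 65535)
                           for r in egress),
    }
    findings = []
    if not result["udp_9993_in"]:
        findings.append("MISSING: inbound UDP 9993 (required for peer-to-peer)")
    if not result["udp_all_out"]:
        findings.append("MISSING: outbound UDP (all traffic or UDP 1-65535) for peer discovery")
    if not result["icmp_in"]:
        findings.append("optional: inbound ICMP not allowed, ping diagnostics will not work")
    if result["tcp_443_in"]:
        findings.append("note: inbound TCP 443 is open; only the Central REST API uses it, "
                        "the agent does not")
    result["findings"] = findings
    result["ok"] = result["udp_9993_in"] and result["udp_all_out"]
    return result


def check_all(describe_json: str) -> dict:
    """Map GroupName -> check result for every group in describe-security-groups output."""
    groups = json.loads(describe_json)["SecurityGroups"]
    return {g["GroupName"]: check_zerotier_sg(g) for g in groups}


if __name__ == "__main__":
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_DESCRIBE_OUTPUT
    for name, res in check_all(text).items():
        print(f"{name}: {'OK' if res['ok'] else 'NOT OK'}")
        for line in res["findings"]:
            print("  -", line)
```

The check deliberately treats an all-traffic (`-1`) rule as satisfying every port test, which is why the first group passes without a dedicated UDP egress rule; the second group fails because its only egress rule is TCP 443, which leaves the agent unable to reach peers at all.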
Performance Issues
Monitor Connection Types:
- Direct connections - Optimal performance
- Relayed connections - Higher latency, check firewall rules
Optimization Steps:
- Verify security group rules allow UDP 9993
- Check for symmetric NAT issues
- Ensure instances have direct internet access when possible
- Monitor CPU and network utilization
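The `grep -E "DIRECT|RELAY"` check under Testing NAT Connectivity and the Monitor Connection Types list above both come down to counting how many network members are reached directly versus through a relay. The script below does that from `zerotier-cli peers` output and maps the result onto the optimization steps of this section. It is an added example, not part of this guide or of ZeroTier's tooling; the embedded output is constructed in the shape `zerotier-cli peers` prints (the peer addresses and IPs are made up), and root servers (role PLANET or MOON) are excluded from the count because only LEAF rows represent network members. Run it on an instance with `sudo zerotier-cli peers | python3 zt_peers.py -`.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of `sudo zerotier-cli peers` output.
SAMPLE_PEERS_OUTPUT = """200 peers
<ztaddr>   <ver>  <role> <lat> <link> <lastTX> <lastRX> <path>
1d71939404 1.10.6 LEAF       7 DIRECT 6142     6142     203.0.113.10/9993
778cde7190 -      PLANET    22 DIRECT 6142     6142     198.51.100.66/9993
9f77fc393e 1.8.4  LEAF      -1 RELAY  -        -
abcd123456 1.12.2 LEAF      45 RELAY  9000     9000
"""


@dataclass
class Peer:
    address: str
    version: str
    role: str                 # LEAF (network member), PLANET or MOON (root servers)
    latency_ms: Optional[int]
    link: str                 # DIRECT or RELAY
    path: Optional[str]       # "ip/port" of the direct path, None when relayed


def parse_peers(output: str) -> List[Peer]:
    """Parse the table printed by `zerotier-cli peers` into Peer records."""
    peers = []
    for line in output.splitlines():
        fields = line.split()
        # skip the "200 peers" status line, the column header and blank lines:
        # only rows starting with a 10-hex-digit ZeroTier address are peers
        if len(fields) < 5 or not re.fullmatch(r"[0-9a-f]{10}", fields[0]):
            continue
        address, version, role, lat, link = fields[:5]
        latency = int(lat) if re.fullmatch(r"-?\d+", lat) else None
        if latency is not None and latency < 0:
            latency = None        # -1 means the latency has not been measured yet
        path = fields[7] if len(fields) >= 8 else None
        peers.append(Peer(address, version, role, latency, link, path))
    return peers


def summarize(peers: List[Peer]) -> dict:
    """Count DIRECT vs RELAY links for network members only (root servers excluded)."""
    members = [p for p in peers if p.role == "LEAF"]
    relayed = [p.address for p in members if p.link == "RELAY"]
    return {
        "members": len(members),
        "direct": sum(1 for p in members if p.link == "DIRECT"),
        "relayed": len(relayed),
        "relayed_addresses": relayed,
    }


def diagnose(summary: dict) -> List[str]:
    """Map the summary onto the checks this guide recommends."""
    if summary["members"] == 0:
        return ["no network members seen yet: confirm the instance has joined the network"]
    if summary["relayed"] == 0:
        return ["all member links are DIRECT: optimal"]
    return [f"{summary['relayed']} of {summary['members']} member links are RELAY: "
            "verify the security group allows inbound UDP 9993 and check whether the "
            "instance sits behind a NAT Gateway (symmetric NAT)"]


if __name__ == "__main__":
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_PEERS_OUTPUT
    summary = summarize(parse_peers(text))
    print(summary)
    for finding in diagnose(summary):
        print(finding)
```

Running it periodically (for example from cron, feeding the output to CloudWatch) turns the one-off `grep` into a metric: a member count that is mostly RELAY after a deployment change is the earliest sign that a security group edit or a move into a NAT-Gateway subnet broke direct connectivity.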
Common Issues
- Connection timeouts: Check security groups and NACLs
- Relayed traffic: Deploy in public subnets or configure NAT bypass
- High latency: Verify direct peer-to-peer connectivity
- Service unreachable: Confirm target services are listening on ZeroTier interface
This basic setup provides secure connectivity between AWS resources and other ZeroTier network members while maintaining simplicity and reliability.