Contact Us 1-800-596-4880

Private Spaces

A private space is a virtual, private, and isolated logical space in CloudHub 2.0 in which to run your apps. You can create multiple private spaces, either in the same or different regions.

You connect your private intranet to your private space to function as a single, private network.

In each private space, you define:

  • A private network, which is a virtual cloud where apps deployed to this private space run.

  • One or more connections from the private network to your external network, either via Anypoint VPN or a transit gateway.

  • TLS contexts, which define the domains that are available when deploying apps to the private spaces, and optionally enable mutual TLS.

  • Firewall rules to allow and block inbound and outbound traffic to your private space.

  • The environments and business groups to allow to deploy to the private space.

When you create a private space, your license for Mule runtime is automatically injected and managed by MuleSoft.

Private Network

When you create the private network, you associate a range of IP addresses for the apps in your private space to use, the region in which they run, and optionally, any internal DNS servers to resolve requests to custom domains.

You can configure multiple private spaces in a single region, enabling you to set up separate isolated networks for your production and non-production environments, such as dev or staging.

For information about regions, see Private Network Region.

Private Network Connections

You can connect a private space to your private network using the following methods:

TLS Contexts

Using Transport Layer Security (TLS) contexts, CloudHub 2.0 enables clients to use custom domains and paths to reach apps deployed to private spaces.

When setting up a private space, you configure Transport Layer Security (TLS) contexts that define the domains that are available when deploying apps to the private spaces, and optionally enable mutual TLS.

When deploying an app to the private space, you can use the domains from the TLS contexts to configure multiple endpoints, which clients use to reach the app from the internet. If the domains in the TLS context include a wildcard, you can configure an optional subdomain, such as the app name or an organization. You can create as many endpoints as you need.

Path Rewriting

You can configure the app to be accessible from a different path from the base path where the app is listening.

Firewall Rules

You control the traffic to and from your private spaces.


By default, CloudHub 2.0 allows traffic to the private space on ports 80 (HTTP) and 443 (HTTPS) from anywhere ( Configure firewall rules to allow connections through specified ports, remove ports, or use ports 80 and 443 to control traffic to your private space.

The private space provides load balancing to balance inbound traffic to apps across multiple replicas.


By default, CloudHub 2.0 allows all traffic from the private space to destinations outside the private space. Configure firewall rules to remove this rule and allow traffic only on specified ports.

By combining firewall rules and TLS context configuration, you can fine-tune the ingress and egress of your application traffic.