+

Configuring Your Network to Support Runtime Fabric on Self-Managed Kubernetes

Network configuration must be performed by an IT administrator.

Before installing or using Runtime Fabric on Self-Managed Kubernetes, ensure that the following ports and hostnames are configured correctly.

Port Configuration

To install or run Runtime Fabric, ensure that you have configured the following ports on your Kubernetes installation.

For protocol-aware firewalls, consider allowing the following port traffic to use AMQP (Advanced Message Queuing Protocol) over Websockets.

The following table does not include ports and hostnames from Anypoint Platform that you may also need to allow. Refer to the Anypoint Mule Gateway documentation for a list of additional ports and hostnames.

Port Layer 4 Protocol Layer 5 Protocol Source Destination Description

443

TCP

HTTPS

API consumers

All nodes

Allow inbound API requests to ingress controllers

443

TCP

AMQP over WebSockets

All nodes

Internet

Anypoint Platform management services

443

TCP

HTTPS

All nodes

Internet

API Manager policy updates, API Analytics Ingestion, and Resource retrieval (application files, container images).

443 (v1.8.50, or later)

TCP

Lumberjack

All nodes

Internet

Anypoint Monitoring, Anypoint Visualizer

Port Used by the Persistence Gateway

The Persistent Gateway requires a Postgres-compliant database to store persistent data across Mule application replicas. Ensure that your Kubernetes cluster has access to this database and port. See Persistence Gateway.

Hostname Configuration

To function correctly, Runtime Fabric on Self-Managed Kubernetes requires the following hostname configurations:

Port Protocol Hostnames Description

443

AMQP over WebSockets

  • US control plane: transport-layer.prod.cloudhub.io

  • EU control plane: transport-layer.prod-eu.msap.io

Runtime Fabric message broker for interaction with the control plane.

443 (v1.8.50 and later)

TCP (Lumberjack)

  • US control plane: dias-ingestor-router.us-east-1.prod.cloudhub.io

  • EU control plane: dias-ingestor-nginx.prod-eu.msap.io

Anypoint Monitoring agent for Runtime Fabric.

5044 (legacy)

TCP (Lumberjack)

  • US control plane: dias-ingestor-nginx.prod.cloudhub.io

  • EU control plane: dias-ingestor-nginx.prod-eu.msap.io

Anypoint Monitoring agent for Runtime Fabric.

As of Runtime Fabric version 1.8.50, this port is not strictly required. It will be deprecated in the future.

443

HTTPS

anypoint.mulesoft.com

Anypoint Platform for pulling assets.

443

HTTPS

kubernetes-charts.storage.googleapis.com

Kubernetes base charts repository.

443

HTTPS

docker-images-prod.s3.amazonaws.com

Kubernetes base charts repository.

443

HTTPS

  • US control plane: worker-cloud-helm-prod.s3.amazonaws.com

  • EU control plane: worker-cloud-helm-prod-eu-rt.s3.amazonaws.com, worker-cloud-helm-prod-eu-rt.s3.eu-central-1.amazonaws.com

Runtime Fabric version repository. The Runtime Fabric installation uses software from this repository during installation and upgrades.

443

HTTPS

  • US control plane: exchange2-asset-manager-kprod.s3.amazonaws.com

  • EU control plane: exchange2-asset-manager-kprod-eu.s3.amazonaws.com, exchange2-asset-manager-kprod-eu.s3.eu-central-1.amazonaws.com

Anypoint Exchange for application assets.

443

HTTPS

  • US control plane: exchange-files.anypoint.mulesoft.com

  • EU control plane: exchange-files.eu1.anypoint.mulesoft.com

Anypoint Exchange for application files.

443

HTTPS

  • US control plane: rtf-runtime-registry.kprod.msap.io

  • EU control plane: rtf-runtime-registry.kprod-eu.msap.io

Runtime Fabric Docker repository.

443

HTTPS

  • US control plane: prod-us-east-1-starport-layer-bucket.s3.amazonaws.com, prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com

  • EU control plane: prod-eu-central-1-starport-layer-bucket.s3.amazonaws.com, prod-eu-central-1-starport-layer-bucket.s3.eu-central-1.amazonaws.com

Runtime Fabric Docker image delivery.

443

HTTPS

  • US control plane: runtime-fabric.s3.amazonaws.com

  • EU control plane: runtime-fabric-eu.s3.amazonaws.com

Runtime Fabric Docker repository.

443

HTTPS

  • US control plane: configuration-resolver.prod.cloudhub.io

  • EU control plane: configuration-resolver.prod-eu.msap.io

Anypoint Configuration Resolver.

Verify Outbound Connectivity

Every Anypoint Runtime Fabric cluster requires connectivity with Anypoint control plane, and any interference with connectivity can limit functionality, resulting in application deployment failures or degraded status in Anypoint Runtime Manager.

You can use rtfctl to verify that Runtime Fabric has the required outbound connectivity. On each node, follow the instructions in Install rtfctl to install rtfctl.

To verify the required outbound connectivity, run the following command on all controller and worker nodes in the cluster:

sudo ./rtfctl test outbound-network

Sample output:

[root@rtf-controller-1 runtimefabric]# sudo ./rtfctl test outbound-network
Using proxy configuration from Runtime Fabric (proxy "", no proxy "")

Using 'US' region
transport-layer.prod.cloudhub.io:443 ✔
https://anypoint.mulesoft.com ✔
https://worker-cloud-helm-prod.s3.amazonaws.com ✔
https://exchange2-asset-manager-kprod.s3.amazonaws.com ✔
https://ecr.us-east-1.amazonaws.com ✔
https://494141260463.dkr.ecr.us-east-1.amazonaws.com ✔
https://prod-us-east-1-starport-layer-bucket.s3.amazonaws.com ✔
https://runtime-fabric.s3.amazonaws.com ✔
tcp://dias-ingestor-nginx.prod.cloudhub.io:443 ✔

If you have outbound connectivity issues that prevent Runtime Fabric from reaching any of the required Anypoint control plane services, work with your network team to verify that you have added the required port IPs and hostnames to the allowlist as described in the port configuration section.

Certificate Configuration

To allow different endpoints to use mutual TLS authentication to establish a connection, you must configure SSL passthrough to allow the following certificates:

Control Plane Certificates

US control plane

transport-layer.prod.cloudhub.io
configuration-resolver.prod.cloudhub.io

EU control plane

transport-layer.prod-eu.msap.io
configuration-resolver.prod-eu.msap.io

Was this article helpful? Thanks for your feedback!
View on GitHub