Connection Details for Deployment of PubSub+ Cloud Components

The following summarizes the Operational Connectivity required in a deployment. From a security perspective, this information is important to help you understand the ports and access points required to deploy PubSub+ Cloud in a Customer-Controlled Region. The connection information may be an important consideration when you decide on the deployment solution for a Customer-Controlled Region.

Connection Details for Operational Connectivity

The following connection details are required for Kubernetes deployments, such as Azure Kubernetes Service (AKS), Google Kubernetes Engine for Google Cloud (GKE), and Amazon Elastic Kubernetes Service (EKS). These connections are required for the Operational Connectivity when you deploy PubSub+ Cloud to Customer-Controlled Regions. 

For more information about the security architecture for Customer-Controlled Regions, see Deployment Architecture for Kubernetes and Security Architecture for Customer-Controlled Regions.

For some connections, there are different regional sites as indicated in the table below.

Connection: Mission Control Agent to PubSub+ Home Cloud

Port: 55443

Description: TLS encrypted SMF traffic between the Mission Control Agent and the Home Cloud. For more information, see Information Exchanged Between the PubSub+ Home Cloud and the Mission Control Agent.

Host and IP Addresses, by regional site:

Regional Site for United States (US):
  Host: production-ivmr.messaging.solace.cloud
  IP Addresses:
  • 34.233.110.233
  • 52.205.60.66
  • 54.204.227.82

Regional Site for Australia (AUS):
  Host: prod-aws-au-1-ivmr.messaging.solace.cloud
  IP Addresses:
  • 13.236.32.115
  • 3.106.10.188
  • 3.105.186.75

Regional Site for Singapore (SG):
  Host: prod-aws-sg-ivmr.messaging.solace.cloud
  IP Addresses:
  • 13.228.252.157
  • 18.139.22.7

Regional Site for European Union (EU):
  Host: prod-aws-eu-ivmr.messaging.solace.cloud
  IP Addresses:
  • 3.125.70.35
  • 52.29.203.148

Connection: Datadog Agents to Datadog Servers

Host:
  • api.datadoghq.com
  • agent-http-intake.logs.datadoghq.com
  • *.agent.datadoghq.com

IP Addresses: There are multiple IP addresses that must be configured for both the Mission Control Agent and the event broker services.

For the Mission Control Agent: You must configure the addresses directly to Datadog. See https://ip-ranges.datadoghq.com/ for information.

For event broker services: This is required for monitoring traffic to the central monitoring service (Datadog). For details about the external IP addresses, see Getting the IP Addresses for Monitoring Traffic.

Port: 443

Description: Required for monitoring traffic and metrics.

TLS encrypted traffic between each Datadog agent (one per Solace pod, including Mission Control Agent) and Datadog server.

Note: For the Mission Control Agent, you must configure the addresses directly.

Connection: Kubernetes to Solace Container Registry

Host: gcr.io (storage.googleapis.com)

IP Addresses: This is not a single fixed IP address but can be proxied.

Port: 443

Description: Required to download Solace's Container images.

TLS encrypted traffic between each Kubernetes cluster and gcr.io.

Note: You do not need to allow this host and port combination if you choose to configure an image repository in your data center to mirror Solace's Container Registry (gcr.io).

For more information, see the Solace Container Registry information in Connectivity Model for Kubernetes Deployments.

Connection: Mission Control Agent to PubSub+ Home Cloud

Host: maas-secure-prod.s3.amazonaws.com
  IP Addresses: N/A
  Port: 443
  Description: Required to download the certificate files for the created event broker service.

Host: ${bucket_name}.s3.${bucket_region}.amazonaws.com
  IP Addresses: N/A
  Port: 443
  Description: This is a unique value for each private data center. Refer to the table of bucket names when deploying PubSub+ Cloud.

  This is required for gathering diagnostic information.

S3 Bucket Names for Gathered Diagnostics

As detailed in the table in Connection Details for Operational Connectivity above, the host address of an Amazon S3 bucket is required for gathering diagnostics. Replace ${bucket_name} in the ${bucket_name}.s3.amazonaws.com string with the appropriate value from the S3 Bucket Name column in the table below. When selecting the S3 bucket, choose the one that is geographically closest to the region where your event broker services are being deployed.

S3 Bucket Name            AWS Region
solace-gd-af-south-1      Africa (Cape Town) – af-south-1
solace-gd-ap-northeast-1  Asia Pacific (Tokyo) – ap-northeast-1
solace-gd-ap-northeast-2  Asia Pacific (Seoul) – ap-northeast-2
solace-gd-ap-northeast-3  Asia Pacific (Osaka) – ap-northeast-3
solace-gd-ap-south-1      Asia Pacific (Mumbai) – ap-south-1
solace-gd-ap-southeast-1  Asia Pacific (Singapore) – ap-southeast-1
solace-gd-ap-southeast-2  Asia Pacific (Sydney) – ap-southeast-2
solace-gd-ca-central-1    Canada (Central) – ca-central-1
solace-gd-eu-central-1    EU (Frankfurt) – eu-central-1
solace-gd-eu-north-1      EU (Stockholm) – eu-north-1
solace-gd-eu-west-1       EU (Ireland) – eu-west-1
solace-gd-eu-west-2       EU (London) – eu-west-2
solace-gd-eu-west-3       EU (Paris) – eu-west-3
solace-gd-us-east-1       US East (N. Virginia) – us-east-1
solace-gd-us-east-2       US East (Ohio) – us-east-2
solace-gd-us-west-1       US West (N. California) – us-west-1
solace-gd-us-west-2       US West (Oregon) – us-west-2
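
The following is an added example, not part of the Solace documentation or tooling: a Python pre-deployment check that builds the Mission Control Agent egress allowlist for one regional site from the tables above and reports when DNS answers for the regional host differ from the documented IP addresses. It covers only the Home Cloud and S3 rows. The function names and the choice of the US site and the solace-gd-us-east-1 bucket in the demo are assumptions made for illustration.

```python
import socket

# Hosts and addresses copied from the connection table on this page.
HOME_CLOUD = {
    "US": ("production-ivmr.messaging.solace.cloud",
           {"34.233.110.233", "52.205.60.66", "54.204.227.82"}),
    "AUS": ("prod-aws-au-1-ivmr.messaging.solace.cloud",
            {"13.236.32.115", "3.106.10.188", "3.105.186.75"}),
    "SG": ("prod-aws-sg-ivmr.messaging.solace.cloud",
           {"13.228.252.157", "18.139.22.7"}),
    "EU": ("prod-aws-eu-ivmr.messaging.solace.cloud",
           {"3.125.70.35", "52.29.203.148"}),
}
SMF_PORT, HTTPS_PORT = 55443, 443


def diagnostics_host(bucket_name, bucket_region):
    """Expand ${bucket_name}.s3.${bucket_region}.amazonaws.com from the table."""
    return f"{bucket_name}.s3.{bucket_region}.amazonaws.com"


def egress_rules(site, bucket_name, bucket_region):
    """Return (destination, port) pairs for the Home Cloud and S3 rows."""
    _, ips = HOME_CLOUD[site]
    rules = [(ip, SMF_PORT) for ip in sorted(ips)]
    rules.append(("maas-secure-prod.s3.amazonaws.com", HTTPS_PORT))
    rules.append((diagnostics_host(bucket_name, bucket_region), HTTPS_PORT))
    return rules


def dns_drift(site, resolved_ips):
    """Compare a DNS answer with the documented addresses for a site.

    'unlisted' addresses would be blocked by an IP allowlist built from the
    table; 'unseen' addresses are documented but missing from this answer.
    """
    documented = HOME_CLOUD[site][1]
    resolved = set(resolved_ips)
    return {"unlisted": resolved - documented, "unseen": documented - resolved}


if __name__ == "__main__":
    site = "US"  # assumption: pick the regional site you deploy against
    host = HOME_CLOUD[site][0]
    infos = socket.getaddrinfo(host, SMF_PORT, socket.AF_INET, socket.SOCK_STREAM)
    print(egress_rules(site, "solace-gd-us-east-1", "us-east-1"))
    print(dns_drift(site, {info[4][0] for info in infos}))
```

A non-empty "unlisted" set means the firewall rule built from the documented addresses would drop traffic to an address the hostname currently resolves to, so re-check the published table before opening anything wider.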