Connection Details for Deployment of PubSub+ Cloud Components
The following summarizes the Operational Connectivity required in a deployment. From a security perspective, this information is important to help you understand the ports and access points required to deploy PubSub+ Cloud in a Customer-Controlled Region. Depending on whether the deployment is on a Kubernetes cluster or to a VM-based region (Azure or AWS), the connections differ slightly. The connection information may be an important consideration when you decide on the deployment solution for a Customer-Controlled Region.
Connection Details for Operational Connectivity
The following connection details are required for Kubernetes deployments, such as Azure Kubernetes Service (AKS), Google Kubernetes Engine for Google Cloud (GKE), and Amazon Elastic Kubernetes Service (EKS). These connections are required for the Operational Connectivity when you deploy PubSub+ Cloud to Customer-Controlled Regions.
For more information about the security architecture for Customer-Controlled Regions, see Deployment Architecture for Kubernetes and Security Architecture for Customer-Controlled Regions.
For some connections, there are different regional sites as indicated in the table below.
Connection | Host | IP Addresses | Port | Description |
---|---|---|---|---|
Mission Control Agent to PubSub+ Home Cloud | Regional Site for US: (not shown); Regional Site for AUS: (not shown) | Regional Site for US: (not shown); Regional Site for AUS: (not shown) | 55443 | TLS encrypted SMF traffic between the Mission Control Agent and the Home Cloud. For more information, see Information Exchanged Between the PubSub+ Home Cloud and the Mission Control Agent. |
Datadog Agents to Datadog Servers | | There are multiple IP addresses that must be configured for both the Mission Control Agent and the event broker services. For the Mission Control Agent: you must configure the addresses directly to Datadog; see https://ip-ranges.datadoghq.com/ for information. For event broker services: this is required for monitoring traffic to the central monitoring service (Datadog). For details about the external IP addresses, see Getting the IP Addresses for Monitoring Traffic. | 443 | Required for monitoring traffic and metrics. TLS encrypted traffic between each Datadog agent (one per Solace pod, including the Mission Control Agent) and the Datadog server. Note that for the Mission Control Agent, you must configure the addresses directly. |
Kubernetes to Google Container Registry | gcr.io (storage.googleapis.com) | This is not a single fixed IP address but can be proxied. | 443 | Required to download Solace's container images. TLS encrypted traffic between each Kubernetes cluster and the Google Container Registry. Note: You do not need to allow this host and port combination if you choose to configure an image repository in your data center to mirror Solace's Container Registry. For more information, see the Solace Container Registry information in Connectivity Model for Kubernetes Deployments. |
Mission Control Agent to PubSub+ Home Cloud | maas-secure-prod.s3.amazonaws.com | N/A | 443 | Required to download the certificate files for the created event broker service. |
Mission Control Agent to PubSub+ Home Cloud | ${bucket_name}.s3.amazonaws.com | N/A | 443 | This is a unique value for each private data center. Refer to the S3 Bucket Names for Gathered Diagnostics table below when deploying PubSub+ Cloud. |
S3 Bucket Names for Gathered Diagnostics
As detailed in the table in Connection Details for Operational Connectivity above, a host address for an Amazon S3 bucket is required for gathering diagnostics. Replace ${bucket_name} in the ${bucket_name}.s3.amazonaws.com host name with the appropriate value from the S3 Bucket Name column in the table below. When selecting the S3 bucket, choose the one that is geographically closest to the region where your event broker services are being deployed.
S3 Bucket Name | AWS Region |
---|---|
solace-gd-af-south-1 | Africa (Cape Town) – af-south-1 |
solace-gd-ap-northeast-1 | Asia Pacific (Tokyo) – ap-northeast-1 |
solace-gd-ap-northeast-2 | Asia Pacific (Seoul) – ap-northeast-2 |
solace-gd-ap-northeast-3 | Asia Pacific (Osaka) – ap-northeast-3 |
solace-gd-ap-south-1 | Asia Pacific (Mumbai) – ap-south-1 |
solace-gd-ap-southeast-1 | Asia Pacific (Singapore) – ap-southeast-1 |
solace-gd-ap-southeast-2 | Asia Pacific (Sydney) – ap-southeast-2 |
solace-gd-ca-central-1 | Canada (Central) – ca-central-1 |
solace-gd-eu-central-1 | EU (Frankfurt) – eu-central-1 |
solace-gd-eu-north-1 | EU (Stockholm) – eu-north-1 |
solace-gd-eu-west-1 | EU (Ireland) – eu-west-1 |
solace-gd-eu-west-2 | EU (London) – eu-west-2 |
solace-gd-eu-west-3 | EU (Paris) – eu-west-3 |
solace-gd-us-east-1 | US East (N. Virginia) – us-east-1 |
solace-gd-us-east-2 | US East (Ohio) – us-east-2 |
solace-gd-us-west-1 | US West (N. California) – us-west-1 |
solace-gd-us-west-2 | US West (Oregon) – us-west-2 |
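As an added pre-flight check for the Kubernetes connection table and the bucket-name procedure above (example code written for this page, not Solace's own tooling): it builds the outbound allow-list from the table, fills in ${bucket_name} for a chosen AWS region, and verifies each endpoint with a full TLS handshake so that a blocked port and a TLS-intercepting proxy are reported as different failures. The Home Cloud regional-site hostname is an assumed input, since the page does not reproduce it, and the Datadog destinations are left out because they come from the published IP ranges rather than a fixed hostname.

```python
import socket
import ssl

# AWS regions from the S3 Bucket Name table above (bucket = solace-gd-<region>).
DIAGNOSTICS_REGIONS = {
    "af-south-1", "ap-northeast-1", "ap-northeast-2", "ap-northeast-3",
    "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1",
    "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3",
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
}

def diagnostics_bucket_host(aws_region):
    """Fill in ${bucket_name}.s3.amazonaws.com for the region nearest the deployment."""
    if aws_region not in DIAGNOSTICS_REGIONS:
        raise ValueError(f"no Solace diagnostics bucket listed for region {aws_region!r}")
    return f"solace-gd-{aws_region}.s3.amazonaws.com"

def required_egress(aws_region, home_cloud_host):
    """Outbound (host, port) pairs from the Kubernetes connection table.
    home_cloud_host is the regional-site hostname received from Solace (assumed
    input, not listed on the page). Datadog endpoints are omitted: see ip-ranges."""
    return [
        (home_cloud_host, 55443),                    # SMF over TLS to the Home Cloud
        ("gcr.io", 443),                             # Solace container images
        ("storage.googleapis.com", 443),             # backing store for gcr.io
        ("maas-secure-prod.s3.amazonaws.com", 443),  # event broker service certificates
        (diagnostics_bucket_host(aws_region), 443),  # gathered diagnostics bucket
    ]

def tls_probe(host, port, timeout=5.0):
    """TCP connect, then a TLS handshake with SNI and chain verification.
    A verification error while the port is open usually means a TLS-intercepting
    proxy sits in the path; a socket error means the egress rule itself is missing."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)

def check_egress(rules, probe=tls_probe):
    """Probe every rule; returns {(host, port): (ok, detail)} for a pre-flight report."""
    return {(host, port): probe(host, port) for host, port in rules}

if __name__ == "__main__":
    rules = required_egress("eu-west-1", "HOME_CLOUD_REGIONAL_SITE_PLACEHOLDER")
    for (host, port), (ok, detail) in check_egress(rules).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port}  {detail}")
```

Run it from inside the cluster's network (a debug pod or a node) so the probes traverse the same egress path the Mission Control Agent will use.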
Connection Details for Amazon Web Service (AWS) Deployments
Support for VM-based deployments is now deprecated and version 10.0.1 was the last event broker release that supported deployments in VM-based regions. For more details, see the Deprecated Features list.
The following connection details are for VM-based deployments on Virtual Networks (VNets) on Amazon Web Services (AWS). If you are deploying with Kubernetes (Amazon Elastic Kubernetes Service (EKS)) on the Virtual Networks (VNets), refer to the connection details in Connection Details for Operational Connectivity.
For more information, see Deploying PubSub+ Cloud with AWS.
Source | Destination | Port | Protocol | Description |
---|---|---|---|---|
Mission Control Agent EC2 | PubSub+ Home Cloud: 34.233.110.233 | 55443 | SMFs/TCP | Control traffic from Home Cloud |
Mission Control Agent EC2 | PubSub+ Home Cloud: 52.5.82.203, 100.24.177.220 | 443 | HTTPS | Retrieve bootstrap info |
Mission Control Agent EC2 | 868978040651.dkr.ecr.us-east-1.amazonaws.com: 234.202.110.152, 18.215.24.247, 3.211.214.161, 3.214.195.203, 3.224.48.7, 3.226.62.160, 34.195.38.47, 18.211.154.191 | 443 | HTTPS | Retrieve Docker images |
Mission Control Agent EC2 | You must configure the addresses directly to Datadog. See https://ip-ranges.datadoghq.com/ for information. For the fully-qualified domain names, you can use the following: | 443 | TCP | Send metrics |
Mission Control Agent EC2 | us-east-1.ec2.archive.ubuntu.com: 34.237.137.22, 34.201.250.36, 52.91.65.63, 52.73.36.184, 34.229.150.131, 54.172.25.22, 3.209.10.109, 54.152.129.43, 52.207.133.243, 54.165.17.230 | 80 | HTTP | Retrieve security updates |
Event Broker Service EC2 | Monitoring traffic (Datadog). For details about the external IP addresses, see Getting the IP Addresses for Monitoring Traffic. | 443 | TCP | Send monitoring traffic and metrics |
Event Broker Service EC2 | us-east-1.ec2.archive.ubuntu.com: 34.237.137.22, 34.201.250.36, 52.91.65.63, 52.73.36.184, 34.229.150.131, 54.172.25.22, 3.209.10.109, 54.152.129.43, 52.207.133.243, 54.165.17.230 | 80 | HTTP | Retrieve security updates |
External Clients | N/A | Various ports (e.g., 55555, 55003, 55443, 9000, 9443, 8443, 8883, 8000, 1883, 5671, 5672, 443, 80, 943, 22), as configured on a specific event broker service | Supported protocols that are configured on a specific event broker service | Required for the clients (publishers, subscribers) that use event broker services. |
External hosts | N/A | Various ports (e.g., 9000, 9443, 8443, 8883, 8000, 1883, 5671, 5672, 443, 80, 943, 22), as configured on a specific event broker service | Supported protocols that are configured on a specific event broker service | Required for outbound connections initiated by the event broker service to the external host. |
If the customer's security policy doesn't permit port 80 to be open, the Mission Control Agent EC2 must be periodically recreated with an updated AMI to obtain the latest security patches. Contact Solace for assistance to obtain an updated AMI.
Connection Details for Azure Deployments
Support for VM-based deployments is now deprecated and version 10.0.1 was the last event broker release that supported deployments in VM-based regions. For more details, see the Deprecated Features list.
The following are the connection details for VM-based deployments on Virtual Private Clouds (VPCs) on Azure. If you are deploying Kubernetes (Azure Kubernetes Service (AKS)) on the VPCs, refer to the connection details in Connection Details for Operational Connectivity.
For more information, see Deploying PubSub+ Cloud with Azure.
Source | Destination | Port | Protocol | Description |
---|---|---|---|---|
Mission Control Agent VM | Home Cloud: 34.233.110.233 | 55443 | SMFs/TCP | Control traffic from Home Cloud |
Mission Control Agent VM | Home Cloud: 52.5.82.203, 100.24.177.220 | 443 | HTTPS | Retrieve configuration information |
Mission Control Agent VM | 868978040651.dkr.ecr.us-east-1.amazonaws.com: 234.202.110.152, 18.215.24.247, 3.211.214.161, 3.214.195.203, 3.224.48.7, 3.226.62.160, 34.195.38.47, 18.211.154.191 | 443 | HTTPS | Retrieve Docker images |
Mission Control Agent VM | You must configure the addresses directly to Datadog. See https://ip-ranges.datadoghq.com/ for information. For the fully-qualified domain names, you can use the following: | 443 | TCP | Send metrics |
Mission Control Agent VM | The specific destinations are determined based on the mirror sites for security updates. You can contact Solace to get updates for the Mission Control Agent. | 80 | HTTP | Retrieve security updates |
Event Broker Service VM | Monitoring traffic (Datadog). For details about the external IP addresses, see Getting the IP Addresses for Monitoring Traffic. | 443 | TCP | Send monitoring traffic and metrics |
Event Broker Service VM | The specific destinations are determined based on the mirror sites for security updates. Security updates are provided when the event broker services are upgraded. | 80 | HTTP | Retrieve security updates |
External Clients | N/A | Various ports (e.g., 55555, 55003, 55443, 9000, 9443, 8443, 8883, 8000, 1883, 5671, 5672, 443, 80, 943, 22), as configured on a specific event broker service | Supported protocols that are configured on a specific event broker service | Required for the clients (publishers, subscribers) that use event broker services. |
External hosts | N/A | Various ports (e.g., 55555, 55003, 55443, 9000, 9443, 8443, 8883, 8000, 1883, 5671, 5672, 443, 80, 943, 22), as configured on a specific event broker service | Supported protocols that are configured on a specific event broker service | Required for outbound connections initiated by the event broker to the external host. |
If the customer's security policy doesn't permit port 80 to be open, the Mission Control Agent VM must be periodically recreated with an updated managed image to obtain the latest security patches. Contact Solace for assistance to obtain an updated managed image.