Changing the Port Configuration for Event Broker Services

For Kubernetes-based deployments, you can configure whether client applications connect to an event broker service using a connection endpoint. These connection endpoints can use either public or private IP addresses, which are referred to as public endpoints and private endpoints, respectively. You can view a connection endpoint as a set of ports and protocols that you can access based on the type of connection of the client application or user. These endpoints can help you to better manage access. For both private and public endpoints, you can:

  • enable/disable messaging connections

  • configure the aspects of the messaging protocols that are used (for example, secure versus plain-text)

  • configure the port numbers that are used for the event broker service

  • configure the management port connections.

    At least one endpoint must have the SEMP management port enabled.

You can choose one of the following connection endpoints and port configurations:

Private IP addresses (or private endpoints)
This type of configuration allows connections to the event broker service using private IP addresses that are part of a private region [virtual private cloud or virtual private network (VPC/VNet)]. It creates a private endpoint with management via SEMP to the event broker service. The default name for the private endpoint is private endpoint. This type of configuration is available only when you choose Private Cloud as the cloud type when you create the service. Private Clouds are for Customer-Controlled Regions and Dedicated Regions. You can later choose to add a public endpoint.
Public Internet (or public endpoint)
This type of configuration allows connections to the event broker services from public Internet IP addresses. It creates a public endpoint with management via SEMP to the event broker service using the public Internet. The default name for the public endpoint is public endpoint and it is the only option available in Public Regions.
Hybrid
This type of configuration allows messaging and management connections to the event broker service from both private IP addresses and the public Internet. It creates both a private and a public endpoint with management via SEMP to the event broker service enabled. The default names for the private and public endpoints are private endpoint and public endpoint. This type of configuration is available only when you choose Private Cloud as the cloud type when you create the service. Private Clouds are for Customer-Controlled Regions and Dedicated Regions.

You can change the port configuration for an existing service. Before you change the port configuration, review the considerations. These are some of the reasons to do this:

For more information about the default event broker service port configurations, see Load Balancer Rules Per Service (Default Protocols and Port Configuration).

Using Endpoints to Control Data Access

For Dedicated Region and Customer-Controlled Region deployments, the ability to configure both public and private endpoints on the same event broker service provides the flexibility to change access to your data as required. For event broker services deployed on Kubernetes-based infrastructure, you can edit your ports after service creation, including adding and deleting both public and private endpoints as required. This allows you to control access to your data and provide secure messaging using a single event broker service.

For example, assume your initial requirements are for private Messaging Connectivity and internal API connectivity within your VPC in your Customer-Controlled Region. You want to share data on a database server between your enterprise applications, and provide secure API communications between services that consume your data within your organization. To do this, you enable the secure web messaging host, and the secure REST host on the private endpoints of your event broker service and define their ports.

You later realize that you can add value to your customers by providing them access to public APIs so they can integrate their services with yours. You also realize that the web applications used by your field teams can benefit from sharing some of the information on your database server. To keep your internal data secure, you choose to provide public access using a different protocol on a public endpoint of the same event broker service. You do this by enabling a secured REST host and web messaging on a public endpoint, and defining their ports. You have now provided access to cloud-based applications using public endpoints while keeping your internal messaging secure on a private endpoint, all using a single event broker service.

Using both public and private endpoints, you can use a single event broker service to segregate your data, allowing you to define which applications can access what data.

Considerations when Modifying Port Configuration

You can only edit port and endpoint configurations for Kubernetes-based event broker services. It is not possible to edit the port configuration for VM-based event broker services, or those prior to version 9.13.

You should evaluate the following considerations when you modify port configuration for event broker services.

  • For Public Region (deployed in Kubernetes), event broker services only support the editing of public endpoints after service creation. Event broker services created with Amazon Web Services or Azure don't allow for editing of port configuration.
  • In Public Regions (deployed on Kubernetes), only public endpoints are available.
  • In Customer-Controlled Regions and Dedicated Regions, you can have one private endpoint, one public endpoint, or both.
  • The following are considerations when you modify the endpoints on your event broker service or configure the protocols and port numbers in an endpoint:
    • The operation to change a custom port is asynchronous and, for that reason, you may experience a slight delay before a configuration change becomes active. The status of the change appears in the user interface. If an error occurs during the configuration change, an error prompt appears.
    • There must be at least one endpoint—you can have a maximum of one public and one private endpoint per event broker service.
    • One endpoint must have the Secured SMF enabled. SMF is required for messaging with client applications and for inter-broker communication in an event mesh.
    • One endpoint must have the Secured Broker Management Host (SEMP) port. The SEMP management port is required to manage your event broker service.
    • If you have both private and public endpoints, you don't need to enable the Secured SMF and SEMP management ports on the same endpoint, but Solace recommends that you choose the private endpoint for the SEMP port.
    • When you have both public and private endpoints configured, PubSub+ Broker Manager defaults to use the public endpoint. If only a private endpoint is available, you must have connectivity to the same private network where you deployed your event broker services to connect to PubSub+ Broker Manager from the PubSub+ Cloud Console. For more information about PubSub+ Broker Manager, see Using PubSub+ Broker Manager.

If you have multiple endpoints, one endpoint can be deleted. If the endpoint being deleted is used for an event mesh, you can delete it, but you may affect the event mesh. You can't delete an endpoint under these conditions:

  • If the endpoint is the only one with Secured Broker Management (SEMP) port enabled on it.
  • You must delete the custom hostnames that are assigned to that endpoint before you can delete the endpoint. For more information, see Deleting a Custom Hostname.

Be aware of the following port configuration considerations:

  • You can use ports 22 and 943 as custom ports.
  • If you are using NodePort as part of your deployment for Customer-Controlled Regions, creating an event broker service generates the port numbers, which you can't change.

Editing the Existing Port Configuration for an Event Broker Service

You can edit the existing port configuration for event broker services. Ensure that you review the considerations in Considerations when Modifying Port Configuration before you perform these steps to change the port configuration for your event broker service:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.
  2. Select Cluster Manager from the navigation bar.
  3. On the Services page, click the event broker service for which you want to edit the port configurations.
  4. On the service details page, select the Manage tab and then click Advanced Options.
  5. On the Port Configuration tile, beneath the endpoint you want to edit, click More Actions and then select Edit.
  6. In the Edit Endpoint dialog box, you can:
    • edit the name of the endpoint in the Endpoint Name field
    • add or modify the description in the Description field
    • Configure the protocols and ports for the protocols for the endpoint under Protocols and Management as follows:

      Expand the connection categories to configure the specific protocols and optionally change the default port numbers. You can perform one or more of the following actions:

      • Click Disable Protocol to prevent a particular messaging protocol from being used with the endpoint. Disabling a protocol grays out the text. If you want to enable a protocol again, click Reset to default and reconfigure the protocol and ports as required.
      • Secure protocols are enabled by default in each connection category and use TLS. In each category that follows, you can configure these messaging and management protocols: 
        • Solace Messaging—Use Solace Message Format (SMF) to connect and exchange messages with the event broker service over TCP.
          • Enable SMF Host—Use SMF Host (plain-text) over TCP to connect and exchange messages with the event broker service.
          • Enable Compressed SMF Host—Use SMF (plain-text) in a compressed format over TCP to connect and exchange messages with the event broker service.
          • Enable Secured SMF Host—Use secure SMF using TLS over TCP.
        • Solace Web Messaging—Use SMF over Web Sockets over HTTP to connect and exchange messages with the event broker service.
          • Enable Web Host—Use WebSocket over HTTP (plain-text). Disabled by default.
          • Enable Secured Web Messaging Host—Use WebSocket over secured HTTP. Enabled by default.
        • AMQP—Use Advanced Message Queuing Protocol 1.0 to connect and exchange messages with the event broker service.
          • Enable AMQP Host—Use AMQP (plain-text). Disabled by default.
          • Enable Secured AMQP Host: Use AMQP over a secure TCP connection. Enabled by default.
        • MQTT—Use MQ Telemetry Transport to connect and exchange messages with the event broker service.
          • Enable MQTT Host: Use MQTT (plain-text). Disabled by default.
          • Enable WebSocket MQTT Host—Use MQTT WebSocket (plain-text). Disabled by default.
          • Enable Secured MQTT Host—Use secure MQTT. Enabled by default.
          • Enable WebSocket Secured MQTT Host—Use WebSocket secured MQTT. Enabled by default.
        • REST—Use the Solace Messaging REST API and standards-based HTTP exchange patterns to exchange messages over TCP connections with the event broker service.
          • Enable REST Host—Use REST messaging (plain-text).
          • Enable Secured REST Host—Use secure REST messaging. Enabled by default.
        • Management—Use to enable the secure management connections necessary to manage the event broker service. You can configure these options:

          • Enable Secured Broker Management host (SEMP)—Use the secured management connection, which uses SEMP to manage the event broker. You must always have at least one port enabled on an event broker service. Creating an endpoint enables this by default.

          • Enable Secured CLI Host (SSH)—Use a secure port to connect to the event broker service using the Solace Command Line Interface (CLI). This gives you scope-restricted access to the Message VPN on the event broker service that you may find useful for management and configuration. Typically, this access is not required.

            Enabling CLI access exposes another mechanism to connect and manage your event broker service. This may expose you to unnecessary security risks. Solace recommends that you disable this port where your services have public Internet connectivity to harden access to your event broker services and when CLI access is not in use or required. This advanced access is for users with an in-depth understanding of event broker configuration and management.

  7. Click Save.

The port configuration changes take time so you'll see the progress beside the endpoint.
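
The rules in Considerations when Modifying Port Configuration and the CLI (SSH) recommendation above can be checked against a planned configuration before you click Save. The following Python is an added example, not Solace code or the PubSub+ Cloud API: the Endpoint model, the protocol labels (such as smf-tls and semp-tls), and the choice to flag plain-text hosts on a public endpoint are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model; names are assumptions, not the PubSub+ Cloud API schema.
@dataclass
class Endpoint:
    name: str
    public: bool
    enabled: set = field(default_factory=set)        # hosts switched on
    custom_hostnames: list = field(default_factory=list)

PLAINTEXT = {"smf", "smf-compressed", "web", "amqp", "mqtt", "mqtt-ws", "rest"}

def violations(endpoints):  # hard rules from the considerations list
    out = [] if endpoints else ["at least one endpoint is required"]
    for public in (True, False):
        if sum(e.public == public for e in endpoints) > 1:
            out.append(f"more than one {'public' if public else 'private'} endpoint")
    for proto, label in (("smf-tls", "Secured SMF"), ("semp-tls", "SEMP")):
        if not any(proto in e.enabled for e in endpoints):
            out.append(f"no endpoint has {label} enabled")
    return out

def delete_blocker(endpoints, name):  # None means the delete is allowed
    target = next(e for e in endpoints if e.name == name)
    rest = [e for e in endpoints if e is not target]
    if not rest:
        return "last endpoint"
    if not any("semp-tls" in e.enabled for e in rest):
        return "only endpoint with SEMP enabled"
    if target.custom_hostnames:
        return "custom hostnames still assigned"
    return None

def review_items(endpoints):  # soft findings, public endpoints only
    has_private = any(not e.public for e in endpoints)
    out = []
    for e in (e for e in endpoints if e.public):
        out += [f"{e.name}: plain-text {p} host enabled" for p in sorted(e.enabled & PLAINTEXT)]
        if "ssh" in e.enabled:
            out.append(f"{e.name}: CLI (SSH) enabled on a public endpoint")
        if "semp-tls" in e.enabled and has_private:
            out.append(f"{e.name}: SEMP enabled; the private endpoint is recommended")
    return out

# Constructed sample: a hybrid service with a risky public endpoint.
SAMPLE = [
    Endpoint("private endpoint", False, {"smf-tls", "semp-tls", "rest-tls"}),
    Endpoint("public endpoint", True, {"web-tls", "rest-tls", "ssh", "mqtt"}, ["api.example.com"]),
]
```

For the constructed sample, violations(SAMPLE) is empty, while review_items(SAMPLE) reports the plain-text MQTT host and the SSH port on the public endpoint, and delete_blocker explains why neither endpoint can be deleted as configured.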

Adding an Endpoint to an Event Broker Service

You can add a private or public endpoint only for Customer-Controlled Regions and Dedicated Regions.

This can be useful in situations where you previously only had a private endpoint configured, but now your organization wants to permit web messaging clients to connect from port 443 using Secured Web Messaging from the public Internet.

Ensure that you review the considerations in Considerations when Modifying Port Configuration before you perform these steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.
  2. Select Cluster Manager from the navigation bar.
  3. On the Services page, click the event broker service for which you want to add an endpoint.
  4. On the service details page, select the Manage tab and then click Advanced Options.
  5. On the Port Configuration tile, click Add Endpoint.
  6. (Optional) In the Add Endpoint dialog box, enter a name in the Endpoint Name field. A default is provided if you don't complete this field.
  7. (Optional) In the Description field, enter information to describe your endpoint.
  8. Beneath Protocols and Management, expand the messaging protocol that you want. You can:

    • Configure, modify port numbers, and enable (or disable) ports as required.

    • Click Disable Protocol to disable a particular protocol.

      If you want to enable a protocol again, click Reset to default and re-select the protocols that you want to enable (or disable).

    For more information about the protocols and ports, see Details for Port Configuration.

  9. Click Save.

Adding an endpoint takes a few moments. The new endpoint appears, showing its progress.

Deleting an Endpoint from an Event Broker Service

You can delete an endpoint for your event broker service. After you delete the endpoint, client applications using the configured protocols and ports can no longer connect to that event broker service.

Ensure that you review the considerations in Considerations when Modifying Port Configuration before you perform these steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.
  2. Select Cluster Manager from the navigation bar.
  3. On the Services page, click the event broker service for which you want to delete an endpoint.
  4. On the service details page, select the Manage tab and then click Advanced Options.
  5. On the Port Configuration tile, beside the endpoint you want to delete, click More Actions and then select Delete.
  6. In the Delete Endpoint dialog, click Delete if you want to remove the endpoint, otherwise click Cancel.

    If the endpoint you want to delete is the last endpoint or is the only endpoint with the Secured Broker Management Host (SEMP) port enabled, you won't be able to delete it.

  7. Click Save.

Deleting an endpoint takes a few moments.