cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Looking to upgrade from Dynatrace Managed to SaaS? See how

Exposing Dynatrace cluster nodes API on a service point without exposing also UI

gilles_tabary
Mentor

Hello.

By default, Dynatrace Cluster nodes expose on port 443 the UI service plus API service plus OA service. Is there a way to have a service point exposing only API service?

I'd like some API scripts to have access (network / firewall wise) to API without having access to UI.

Regards.

8 REPLIES 8

Radoslaw_Szulgo
Inactive

For OneAgent communication, you can set a port that you like - but if it is different than 443 or 8433 then you need to have your own proxy or LB - https://www.dynatrace.com/support/help/shortlink/managed-load-balancer#oneagent-

 

For API only port - you need to do it very similar way - you need to put your own LB/proxy in front and set up rules to hit /api only requests. 

Senior Product Manager,
Dynatrace Managed expert

gilles_tabary
Mentor

So, if I understand well

  • no it is not possible to configure a Dynatrace Cluster node to split API traffic away from Web UI traffic
  • but one could achieve this by 
    • leave Dynatrace Cluster Node listening on default port 443
    • set up a reverse-proxy which will let through only /api/* or /<env-id>/api/*, distributing incoming traffic to backend Dynatrace Cluster Node 443 endpoint

Correct ? 

 

BTW, of interest I see 

Yes, all correct. 

Senior Product Manager,
Dynatrace Managed expert

gilles_tabary
Mentor

This not the topic of this thread but :

 


For OneAgent communication, you can set a port that you like ; but if it is different than 443 or 8433 then you need to have your own proxy or LB


I don't understand this statement. If I change CMC > Cluster nodes > OneAgent endpoint configuration to (say) 7777, all my ActiveGate's and OneAgent gets automatically updated to send OneAgent traffic to his new port number (7777) ( AG and OA are "network topology aware" ) and I do not need to set up either LB or Proxy. This is tested and proven.

If you set endpoint to port 7777, then OneAgents and AGs will try to reach out that port. You need to take care of making this endpoint available - e.g. via LB/proxy.

Senior Product Manager,
Dynatrace Managed expert


@Radoslaw_Szulgo wrote:

If you set endpoint to port 7777, then OneAgents and AGs will try to reach out that port. You need to take care of making this endpoint available - e.g. via LB/proxy.


To my understanding : ... making this endpoint available via *firewall* (if not open by default), not via LB / proxy : I have none. In my case I'd need to change nothing, because my OA's communicate with Cluster exclusively through AG:9999 (already firewall open) and this AG would communicates  to Cluster Nodes @ :7777 (already firewall open).

What would you like to understand? Resolve? I'm lost now.

 

I'm trying to explain that if you want to route the traffic on a custom port - for instance, 7777, you need additional infrastructure that follows like that:

 

OneAgent -- :7777 --> custom LB/Proxy --- :443 or :8443 --> Cluster node

Senior Product Manager,
Dynatrace Managed expert

I think you replied : no, for now it is not possible to talk to Cluster Nodes API endpoints (443), without also having access at the same endpoint to Web UI and OneAgent traffic. Unless one mingles with a reverse-proxy filtering incoming request to let through only /api/* and /<env-id>/api/*.

Thanks.

Regards.

Featured Posts