By default, Dynatrace Cluster nodes expose on port 443 the UI service plus API service plus OA service. Is there a way to have a service point exposing only the API service?
I'd like some API scripts to have access (network / firewall wise) to API without having access to UI.
For OneAgent communication, you can set a port that you like - but if it is different than 443 or 8433 then you need to have your own proxy or LB - https://www.dynatrace.com/support/help/shortlink/managed-load-balancer#oneagent-
For an API-only port - you need to do it in a very similar way - you need to put your own LB/proxy in front and set up rules to hit /api only requests.
So, if I understand well
BTW, of interest I see
This is not the topic of this thread, but:
For OneAgent communication, you can set a port that you like ; but if it is different than 443 or 8433 then you need to have your own proxy or LB
I don't understand this statement. If I change CMC > Cluster nodes > OneAgent endpoint configuration to (say) 7777, all my ActiveGates and OneAgents get automatically updated to send OneAgent traffic to this new port number (7777) (AG and OA are "network topology aware") and I do not need to set up either LB or proxy. This is tested and proven.
If you set the endpoint to port 7777, then OneAgents and AGs will try to reach out to that port. You need to take care of making this endpoint available - e.g. via LB/proxy.
To my understanding: ... making this endpoint available via *firewall* (if not open by default), not via LB / proxy: I have none. In my case I'd need to change nothing, because my OAs communicate with the Cluster exclusively through AG:9999 (already firewall open) and this AG would communicate with the Cluster Nodes @ :7777 (already firewall open).
What would you like to understand? Resolve? I'm lost now.
I'm trying to explain that if you want to route the traffic on a custom port - for instance, 7777 - you need additional infrastructure, as follows:
OneAgent -- :7777 --> custom LB/Proxy --- :443 or :8443 --> Cluster node
I think you replied: no, for now it is not possible to talk to Cluster Nodes API endpoints (443) without also having access at the same endpoint to Web UI and OneAgent traffic. Unless one mingles with a reverse-proxy filtering incoming requests to let through only /api/* and /<env-id>/api/*.
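
The filtering rule described in the last post, written out as a default-deny path check; this is an added example, not code from the thread or from Dynatrace. The environment ID is a constructed placeholder, the function name is hypothetical, and the two allowed prefixes are the ones named above, so check them against the URLs your own cluster serves.

```python
from urllib.parse import unquote

# Constructed placeholder; list your own environment IDs here (assumption).
ENV_IDS = frozenset({"env-placeholder-1"})


def is_api_request(target: str, env_ids=ENV_IDS) -> bool:
    """Default-deny check: True only for /api/* and /<env-id>/api/*."""
    path = target.split("?", 1)[0]          # the query string is not matched
    decoded = unquote(path)
    if not decoded.startswith("/"):
        return False
    # A '%' left after one decode means double encoding; backslashes and
    # control characters have no place in an API path. Deny all of them.
    if "%" in decoded or "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        return False
    body = decoded.split("/")[1:]
    # Deny empty, "." and ".." segments instead of normalising them, so the
    # proxy and the cluster node can never disagree about the final path.
    if any(s in ("", ".", "..") for s in body[:-1]) or body[-1] in (".", ".."):
        return False
    if body[0] in env_ids:                  # optional prefix, known IDs only
        body = body[1:]
    return len(body) >= 2 and body[0] == "api" and body[1] != ""


# Constructed request targets, not taken from the thread.
SAMPLES = [
    "/api/v2/entities?pageSize=10",         # plain API call
    "/env-placeholder-1/api/v2/metrics",    # API call under a known env ID
    "/",                                    # Web UI root
    "/api/../ui/index",                     # dot-segment escape from /api
    "/api/%2e%2e/ui/index",                 # same, percent-encoded
    "/api/%252e%252e/ui/index",             # same, double-encoded
    "/unknown-env/api/v2/metrics",          # env ID not on the allowlist
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(("ALLOW" if is_api_request(t) else "DENY ") + " " + t)
```

Whatever LB or proxy enforces the rule has to match on the path it actually forwards; a rule that matches the raw prefix and then forwards a normalised path lets the dot-segment cases through.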