Hi, we have multiple application sites in our environment and we have private security gateway servers installed in each of the sites. I would like to know if I can restrict servers in site A to point o the private security gateway in site A only and similarly, restrict servers in site B to connect to security gateway server in site B only. If security gateway server in site A goes down, we will not want the OneAgents to connect to site B, we are willing to risk losing data (or we will create 2 security gateway servers per site for failover). We do not want multiple tenants. Please advise if this is possible and if you can point me to any articles, it would be appreciated.
Solved! Go to Solution.
Hey @Barry L.,
As of today, as soon as the OneAgent connects to the cluster it will get a list of all SGWs and it will cycle through the list until it finds a SGW to connect to. (Internal priority: Private > Public Managed > Public)
Our R&D department is working on a solution to route agent traffic to specific SGWs. I heard that this feature should arrive around Q3 of 2018.
The current workaround is to put firewall rules in place that prevent the agent from connecting to SGWs that you don't want it to connect to.
I hope that helps.
As Max mentioned, this has to currently be done using firewall rules. I just wanted to add here to confirm that we do this pretty extensively currently at my deployment and it works nicely. You can put rules on the hosts with agents to only allow sending over the SGW port (9999) to the IP address of your gateway.
Hello, Barry L.!
The last thing I heard was that GA of this feature is planned for Calendar Year Quarter 2 or 3 of 2020. As specific versions get narrowed down and I'm able to share more, I will! @Karl A. is someone who may know more.
There's currently a workaround:
in file /opt/dynatrace/oneagent/agent/conf/ruxitagentproc.conf locate the line starting with
and append the AG URL's in the priority you want them to be used e.g.
We use this in order to speed-up container deployments with K8s app-only monitoring as otherwise the oneagent would try several unreachable AG's (waiting for connection timeouts to occur with each attempt) which will delay the whole container startup for no good reason.