I could use some clarification on the last remark on the 'Managed Deployment' scenario's page
The last line:
Solved! Go to Solution.
You configure the endpoint in your Cluster Management Console (CMC) in Settings -> Public endpoints. This is the endpoint that in fact should hit your Cluster ActiveGates. The endpoint should be available publicly (for Public (M)RUM) and internally.
What is meant by the docs, is that all data from RUM, mobile and Synthetic firstly hit Cluster AG (via configured endpoint) and then Cluster AG redirects the traffic to you cluster - exactly as you see on the diagram.
Is that clear? What other questions I can help you with?
HI Radoslaw, it is now clear to me that indeed the entity to receive the data first, here being the Cluster AG), is meant as endpoint.
For external data the Cluster AG(s) are placed in the DMZ, and I understand the concept that the different data sources use that as the same endpoint.
You state that "the endpoint should be available publicly (for Public (M)RUM) and internally". Does this mean that for internal purposes (environments) this very same endpoint must be used, in the DMZ? Thus traffic internal also to DMZ? I assumed an internal Cluster AG and Enviroment AG if necessary could handle internal traffic.
In case you have only internal (M)RUM the same endpoint is used as Cluster AG serve as what we call "beacon forwarders" - that's the AG capability to route monitoring data from Synthetic and (M)RUM. No other AG type should be configured to handle this. I agree that this may in your case route the traffic redundantly to DMZ back and forth. Currently you can:
1) Attach to the endpoint both publicly reachable IPs and internal ones. You then leave resolving proper AG address to DNS
2) Use Load Balancer in front and configure the endpoint to the Load Balancer. Then Load Balancer redirects traffic to either DMZ Cluster AG or internal Cluster AG based on the client IP or sth else
3) Use a separate cluster for internal RUM and separate for external RUM.
Hope this helps or inspires to find an optimal solution.
Hi @Radoslaw S.,
Both external and internal (M)RUM is the concept I am looking at.
Sorry for all the questions, but I want to understand the concept through and through 😉
So as you explained and according the documentation, per cluster you can only define one
Cluster ActiveGate URL. And for all environments managed by this cluster, all the M(RUM) agents point to the same, this URL.
(The URL should be a FQDN with valid certificate to allow secure (SSL/443) communication.)
In the most basic situation that means when external and internal (M)RUM is used, the internal agents will try to contact the URL on the public/outside IP address, according DNS .
Unless in internal DNS the URL DNS name resolves to the internal IP (of the CAG(s)). Then the internal address is used - if configured on the CAGs.  Which may have some security implications.
I visualized it as follows, is this correct?:
Is it so that (additional) internal Cluster AG's do not necessarily need to be technically in the DMZ, if the endpoint's DNS address internally resolves to such local address? Same principal, but DNS determines where data gets send to (as depicted below). Is this correct?
But what I also was thinking @Radoslaw S., is that (one of) the Cluster ActiveGates may not necessarily need to be in the DMZ, but can reside in the internal zone somewhere.
The internal DNS points to the IP of this CAG endpoint. Technically then not being the same endpoint as the external traffic. Would that work?