Solved: Exposing Dynatrace Cluster nodes API on a service point without exposing also UI ?

gilles_tabary · ‎29 Aug 2022

Hello.

By default, Dynatrace Cluster nodes exposes on port 443 the UI service plus API service plus OA service. Is there a way to have a service point exposing only API service ?

I'd like some API scripts to have access (network / firewall wise) to API without having access to UI.

Regards.

Radoslaw_Szulgo · ‎29 Aug 2022

For OneAgent communication, you can set a port that you like - but if it is different than 443 or 8433 then you need to have your own proxy or LB - https://www.dynatrace.com/support/help/shortlink/managed-load-balancer#oneagent-

For API only port - you need to do it very similar way - you need to put your own LB/proxy in front and set up rules to hit /api only requests.

Senior Product Manager,
Dynatrace Managed expert

gilles_tabary · ‎29 Aug 2022

So, if I understand well

no it is not possible to configure a Dynatrace Cluster node to split API traffic away from Web UI traffic
but one could achieve this by
- leave Dynatrace Cluster Node listening on default port 443
- set up a reverse-proxy which will let through only /api/* or /<env-id>/api/*, distributing incoming traffic to backend Dynatrace Cluster Node 443 endpoint

Correct ?

BTW, of interest I see

https://www.dynatrace.com/support/help/shortlink/managed-cluster-node-capabilities
turn on/off Web UI traffic, or OneAgent traffic one a Dynatrace Cluster node
AFAIU : Not good : not a "split" but a "disable feature".
https://www.dynatrace.com/support/help/shortlink/managed-load-balancer#oneagent-endpoint-configurati...
CMC > Cluster nodes > OneAgent endpoint configuration > Change to (say) 7777
Then Cluster Node Embedded ActiveGate listens OneAgent traffic on port 7777, != 443. This endpoint does not listen anymore to Web UI traffic : good. But then this endpoint does not serve any more API traffic. :-(.

Radoslaw_Szulgo · ‎29 Aug 2022

Yes, all correct.

Senior Product Manager,
Dynatrace Managed expert

gilles_tabary · ‎29 Aug 2022

This not the topic of this thread but :

For OneAgent communication, you can set a port that you like ; but if it is different than 443 or 8433 then you need to have your own proxy or LB

I don't understand this statement. If I change CMC > Cluster nodes > OneAgent endpoint configuration to (say) 7777, all my ActiveGate's and OneAgent gets automatically updated to send OneAgent traffic to his new port number (7777) ( AG and OA are "network topology aware" ) and I do not need to set up either LB or Proxy. This is tested and proven.

Radoslaw_Szulgo · ‎29 Aug 2022

If you set endpoint to port 7777, then OneAgents and AGs will try to reach out that port. You need to take care of making this endpoint available - e.g. via LB/proxy.

Senior Product Manager,
Dynatrace Managed expert

gilles_tabary · ‎29 Aug 2022

@Radoslaw_Szulgo wrote:
If you set endpoint to port 7777, then OneAgents and AGs will try to reach out that port. You need to take care of making this endpoint available - e.g. via LB/proxy.

To my understanding : ... making this endpoint available via *firewall* (if not open by default), not via LB / proxy : I have none. In my case I'd need to change nothing, because my OA's communicate with Cluster exclusively through AG:9999 (already firewall open) and this AG would communicates to Cluster Nodes @ :7777 (already firewall open).

Radoslaw_Szulgo · ‎30 Aug 2022

What would you like to understand? Resolve? I'm lost now.

I'm trying to explain that if you want to route the traffic on a custom port - for instance, 7777, you need additional infrastructure that follows like that:

OneAgent -- :7777 --> custom LB/Proxy --- :443 or :8443 --> Cluster node

Senior Product Manager,
Dynatrace Managed expert

gilles_tabary · ‎30 Aug 2022

I think you replied : no, for now it is not possible to talk to Cluster Nodes API endpoints (443), without also having access at the same endpoint to Web UI and OneAgent traffic. Unless one mingles with a reverse-proxy filtering incoming request to let through only /api/* and /<env-id>/api/*.

Thanks.

Regards.