Firewall configuration guidelines for Teracloud® Streams

If firewall usage is required, the preferred configuration is to set up a firewall at the perimeter of the Teracloud® Streams cluster, so that network access to resources in the cluster from outside is restricted but communication between the resources is not filtered. Any communication that passes through a firewall incurs added latency, which is why intra-cluster traffic should be kept off the firewall path where the security plan allows it. These guidelines apply to clients that are in the Teracloud® Streams cluster as well as clients that are external to the cluster.
Tip:

When you configure a port for a service, the placement of the service can be controlled by host tags so that the ports are open only on the resources that are configured to run that service. For information about using host tags, see Assigning tags to resources in a domain.

Guidelines for clients that are in the Teracloud® Streams cluster

If your security plan requires a firewall on the resource or between resources, the following communications must be enabled between resources and must be blocked from unauthorized external access:
  • Communication between Teracloud® Streams management services, which is limited to ports in the local port range (the ephemeral TCP/IP port range from which the host machine assigns port numbers automatically). You can use the port range configuration property for the domain to control which range is used, which in turn is the range the firewall must allow between resources.

  • TCP communication between processing elements, which is limited to ports in the local port range.

  • HTTPS connections between the web management service (SWS) and Teracloud® Streams interfaces such as the Streams Console. Each Teracloud® Streams domain that is running the SWS service requires a user-assigned HTTPS port.

  • Connections between the JMX management API service (JMX) and Teracloud® Streams interfaces such as the Streams Java Monitoring and Management Console, the Streams Console, and the REST management API service (REST). Each Teracloud® Streams domain that is running the JMX service requires a user-assigned port.

  • All communication between Teracloud® Streams applications and the external systems they connect to, such as an external Apache ZooKeeper server or external analytics services, using whatever protocols and ports those systems require.

Guidelines for clients that are external to the Teracloud® Streams cluster

The following communications must be enabled for external clients of the listed Teracloud® Streams functionalities:

Table 1. Required communication for external clients

Streams Functionality             Required Communication Enablement                             Configuration Port
Streams Console                   HTTPS connection to the web management service (SWS)          sws.port
REST management API               HTTPS connection to REST management API service (REST)        rest.port
JMX management API                SSL/TCP connection to JMX management API service (JMX)        jmx.port
                                  HTTPS connection to JMX large data server                     jmx.httpPort
Teracloud® Streams data service   HTTPS connection to Teracloud® Streams data service (DATA)    data.port
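The following script is an added example, not part of the Teracloud® Streams documentation or product, showing how the two sets of guidelines above (intra-cluster traffic on the local port range, and the user-assigned service ports for external clients) can be expressed as one nftables host firewall policy. The cluster subnet, the domain port range, and every port number in it are assumed values chosen for illustration; the real values come from your domain's port range property and the sws.port, rest.port, jmx.port, jmx.httpPort and data.port settings. The `would_accept` helper is a small model of the generated ruleset for dry-run checks; it does not consult nftables.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for a Teracloud Streams resource.
# All values below are assumptions for illustration, not product defaults.

CLUSTER_CIDR="${CLUSTER_CIDR:-10.20.0.0/24}"   # assumed cluster subnet
PORT_RANGE="${PORT_RANGE:-32768-60999}"        # assumed domain local port range
SWS_PORT="${SWS_PORT:-8443}"                   # assumed sws.port
REST_PORT="${REST_PORT:-8444}"                 # assumed rest.port
JMX_PORT="${JMX_PORT:-9975}"                   # assumed jmx.port
JMX_HTTP_PORT="${JMX_HTTP_PORT:-9976}"         # assumed jmx.httpPort
DATA_PORT="${DATA_PORT:-8445}"                 # assumed data.port

# The user-assigned service ports that external clients are allowed to reach.
external_ports() {
    printf '%s, %s, %s, %s, %s' \
        "$SWS_PORT" "$REST_PORT" "$JMX_PORT" "$JMX_HTTP_PORT" "$DATA_PORT"
}

# Emit a complete nftables ruleset on stdout. Apply it with: gen_ruleset | nft -f -
# Only inbound traffic is filtered; outbound connections to an external ZooKeeper
# server or external analytics services are not restricted by this policy.
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet streams_perimeter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and replies to connections this host opened
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # management services and PE-to-PE TCP traffic use the domain's local
        # port range; only other resources in the cluster may reach it
        ip saddr $CLUSTER_CIDR tcp dport $PORT_RANGE accept

        # user-assigned service ports reachable by external clients
        tcp dport { $(external_ports) } accept

        # everything else, including external access to the local port range
        counter drop
    }
}
EOF
}

# Dry-run model of the ruleset above: would_accept <cluster|external> <tcp port>
# Returns 0 when the policy would accept the packet, 1 when it would drop it.
would_accept() {
    src="$1"
    port="$2"
    low="${PORT_RANGE%-*}"
    high="${PORT_RANGE#*-}"
    if [ "$src" = cluster ] && [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
        return 0
    fi
    for p in "$SWS_PORT" "$REST_PORT" "$JMX_PORT" "$JMX_HTTP_PORT" "$DATA_PORT"; do
        if [ "$port" -eq "$p" ]; then
            return 0
        fi
    done
    return 1
}
```

Run `gen_ruleset` to review the policy before applying it, and use `would_accept external 40000` (expected: drop) or `would_accept cluster 40000` (expected: accept) to confirm that the local port range is only exposed inside the cluster. Override the assumed values through the environment (for example `SWS_PORT=9443 PORT_RANGE=40000-45000 ./script.sh`) to match your domain's configuration.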

The following topics provide details on configuring the service ports: