Firewall requirements

Consider the port configuration that is required between the Gateway (DataPower®) servers and the Management servers for an IBM® API Connect cloud.

Required Ports between zones

The following example of a network diagram helps to explain which ports must be configured in an API Connect network. Specific ports must be configured to enable communication between the various zones, both public and private, in a network. The default port number for each numbered connection in the diagram is shown in Table 1.

Figure: API Connect network diagram (the numbered connections are listed, with their default port numbers, in Table 1).
Table 1. Key for the network diagram example
(Each numbered entry gives the usage description, followed by the default port number.)

  1  API request/response – Users invoking the provided APIs.
     Default port number: 443 HTTPS from Public zone to Gateway zone.
  2  DataPower administration – Internal operators who are managing the Gateway servers.
     Default port number: 22 SSH, 9090 HTTPS from Protected zone to Gateway zone.
  3  API Manager – Internal business users who are defining and monitoring APIs.
     Default port number: 443 HTTPS from Protected zone to Management zone.
  4  CMC/Management administration – Internal operators who are managing the Management servers.
     Default port number: 22 SSH, 443 HTTPS from Protected zone to Management zone.
  5  Developer Portal administration – Internal operators who are managing the Portal servers.
     Default port number: 22 SSH, 443 HTTPS from Protected zone to Management zone.
  6  Pull configuration, Push analytics – Gateway servers communicate with Management servers.
     Default port number: 2443, 9443 HTTPS from Gateway servers to Management servers.
  7  Push configuration – Management servers communicate with Gateway servers.
     Default port number: 443, 5550 HTTPS from Management servers to Gateway servers.
  8  Push configuration/webhooks – Management servers push configuration and webhooks to the Developer Portal.
     Default port number: 22 SSH from Management servers to Developer Portal servers; 2443 HTTPS from Management servers to Developer Portal servers for webhook delivery.
  9  Pull configuration/make API calls – Developer Portal servers pull configuration and call REST APIs.
     Default port number: 443 HTTPS from Developer Portal servers to Management servers within Management zone.
  10 Developer Portal – External developers who are accessing the Developer Portal.
     Default port number: 443 HTTPS from Public zone to Developer Portal management zone.
  11 Push API definition to Management server. Pick up credential for microservice code push.
     Default port number: 443 HTTPS from Protected zone to Management zone.
  12 Push microservice Node.js project to Collective Controller.
     Default port number: 22 SSH, 9443 HTTPS within Protected zone (Applications subzone).
  13 Application deployment and management operations. Controller communicates with Member servers.
     Default port number: 22 SSH, <admin port greater than 9440> HTTPS within Protected zone (Applications subzone).
  14 Internal communication. Member server to Collective Controller.
     Default port number: 9443 HTTPS within Protected zone (Applications subzone).
  15 On-demand routing update over long-lived connection. Gateway servers communicate with the Collective Controller.
     Default port number: 9443 HTTPS from Gateway zone to Protected zone (Applications subzone).
  16 Internal communication. API Management to Collective Controller.
     Default port number: 9443 HTTPS from Management zone to Protected zone.
  17 Application request routing – DataPower to Collective member.
     Default port number: <port greater than 9080> HTTP/HTTPS from Gateway zone to Protected zone.
  18 External billing service – Management cluster connecting to external billing service (when configured for billing). If you are using Stripe as your external billing service, you must enable connections with the Stripe API at: https://stripe.com/files/ips/ips_api.json. You can also view the Stripe IP addresses at the following URL: https://stripe.com/docs/ips.
     Default port number: 443 HTTPS from Management zone to Public zone.
Note: You can customize the port values for the Cloud Manager, API Manager, and Developer Portal user interfaces. However, the Cloud Management Console (CMC) does not notify the Developer Portal when the Cloud Manager port changes. As a result, if you have changed from the default port (443), you must run the set_apim_host command to specify the custom port. For instructions, see set_apim_host. The port number entered for the Developer Portal must match the Portal API Port configured in Cloud Manager > UI Settings.

To view the defined ports in the Cloud Manager, click Settings > TLS Profiles. For more information, see Specifying the cloud settings.

Communications inside the Gateway zone

There are a number of important points to note regarding the communications within the Gateway zone:
  • Port 5550 is used by default.
  • Port designation is configurable on each Gateway server. However, if you change the port on a Gateway server, you must also change that Gateway server definition in the Cloud Manager (in API Connect).
  • We advise that you use the same port for all Gateway servers within a cluster.
  • Gateway servers communicate with each other to synchronize invocation counts.
  • All Gateway servers in a Gateway cluster must be able to reach all of the other Gateway servers in the same Gateway cluster.
  • Gateway servers in a Gateway cluster do not directly communicate with Gateway servers in a different Gateway cluster.
  • All Gateway servers must be able to reach all of the Management servers.

Communications inside the Management zone

The Management zone represents the region containing the collection of API Connect Management servers that store the cloud configuration and control communication.

There are a number of important points to note regarding the communications within the Management zone:
  • Ports 11526 and 21526 are used to synchronize configuration data (including Organizations, Users, and Products).
  • Port 9600 is used to replicate analytics data.
  • Ports 443 and 9022 are used to manage the topology.
  • Port 2443 is used to communicate HTTPS content between Management servers.
  • All Management servers must be able to reach all of the other Management servers.
  • All Management servers must be able to reach all Gateway servers.
  • All Management servers must be able to communicate HTTPS content with the external billing service when billing is configured. If you are using Stripe as your external billing service, you must enable HTTPS communication on port 443 with the Stripe API: https://stripe.com/files/ips/ips_api.json.
    Note: API Connect does not support using webhooks with Stripe. You can see a list of the Stripe IP addresses at: https://stripe.com/docs/ips.

Communications inside the Developer Portal zone

The Developer Portal zone represents the region containing the collection of Developer Portal servers.

  • Ports 3306, 4567, 4568, 4444, and 30865 are all used to enable communication between the Developer Portal nodes that are in the cluster.
  • Port 22 is opened to allow communication between the Developer Portal nodes via SSH. Port 22 is an inbound port.
  • All Developer Portal nodes must open ports 443 and 80 so that they can serve web traffic. Port 443 is an inbound port.
  • All Developer Portal servers must be able to communicate HTTPS content with the external billing service when billing is configured. If you are using Stripe as your external billing service, you must enable HTTPS communication on port 443 with the Stripe API: https://stripe.com/files/ips/ips_api.json.
    Note: API Connect does not support using webhooks with Stripe. You can see a list of the Stripe IP addresses at: https://stripe.com/docs/ips.
  • Port 2443 is an outbound port, and it enables functionality for background synchronization and webhooks. By opening the port, the Developer Portal can get APIs from its associated API Manager.
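To turn the port lists in Table 1 and the Gateway, Management and Developer Portal zone sections above into something a firewall change can be verified against, here is an added Python example (not IBM's own tooling) that encodes the required outbound paths per server role and probes each one with a plain TCP connect. The role names gateway, management and portal, and the inventory addresses, are assumptions; the probe is injectable so the planning logic can be checked without a live network.

```python
"""Probe the outbound TCP paths required by Table 1 and the zone notes (added example)."""
import socket

# Required outbound paths per role as (destination role, ports, purpose), taken from
# Table 1 (rows 6-9) and the Gateway, Management and Developer Portal zone sections.
REQUIRED_PATHS = {
    "gateway": [
        ("management", (2443, 9443), "pull configuration / push analytics"),
        ("gateway", (5550,), "invocation-count synchronization in the cluster"),
    ],
    "management": [
        ("gateway", (443, 5550), "push configuration"),
        ("portal", (22, 2443), "push configuration / webhook delivery"),
        ("management", (11526, 21526), "configuration synchronization"),
        ("management", (9600,), "analytics replication"),
        ("management", (443, 9022), "topology management"),
        ("management", (2443,), "HTTPS content between Management servers"),
    ],
    "portal": [
        ("management", (443,), "pull configuration / subscribe to webhooks"),
        ("portal", (22, 3306, 4444, 4567, 4568, 30865), "Portal cluster traffic"),
    ],
}

def plan_checks(role, hosts, self_addr=None):
    """Expand REQUIRED_PATHS[role] into (host, port, purpose) probes from a
    role -> [addresses] inventory supplied by the caller; skips this host itself."""
    return [(host, port, purpose)
            for dest_role, ports, purpose in REQUIRED_PATHS[role]
            for host in hosts.get(dest_role, []) if host != self_addr
            for port in ports]

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within timeout. A DROP rule shows
    up as a timeout, a closed or REJECTed port as a refusal; both count as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def blocked_paths(role, hosts, self_addr=None, probe=tcp_reachable):
    """Return the required (host, port, purpose) paths this host cannot reach.
    `probe` is injectable so the planning logic can be exercised offline."""
    return [c for c in plan_checks(role, hosts, self_addr) if not probe(c[0], c[1])]

if __name__ == "__main__":  # constructed inventory; substitute your own addresses
    inv = {"gateway": ["10.0.1.10"], "management": ["10.0.2.10", "10.0.2.11"],
           "portal": ["10.0.3.10"]}
    for host, port, why in blocked_paths("management", inv, self_addr="10.0.2.10"):
        print(f"BLOCKED {host}:{port} ({why})")
```

Run it once on each server role after a firewall change; an empty result means every path the page requires for that role is open.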

Common outbound ports

Configure these ports for all servers as appropriate for your enterprise:
  • 25 SMTP (only for Management servers; configurable)
  • 53 DNS (Name resolution)
  • 123 NTP (Clock synchronization)
  • 162 SNMP Traps (currently only for Gateway servers)
  • 389 LDAP (configurable)
  • ICMP (Between Management zone and Developer Portal zone)

Ethernet interface usage

To separate network traffic, you can use two or more Ethernet interfaces on the DataPower appliance on which a Gateway server is installed. For example, you can use one interface for internal IBM API Connect communications, and another for processing incoming API calls.

When adding the Gateway server to the cluster in the Cloud Manager UI, specify the name of the interface that is used for processing incoming API calls; consult with your network administrator to ascertain the IP address that receives this traffic, and specify the interface that is configured for that IP address. If you are using a dedicated interface for administrative access, mgt0 for example, you must specify the administrative IP address when adding the Gateway server. For more information, see Adding a Gateway server.

Webhook communication in API Connect

Webhooks are a subscription service, where the Developer Portal sends messages to a Management node to be subscribed to events that occur. The Developer Portal connects to port 443 on the Management server to subscribe to webhooks.

When an event occurs, a Management server contacts the Developer Portal to inform it that the event occurred and proceeds to send the event data. The event data is sent to the Developer Portal on port 2443.