Networking Setup Examples

This page illustrates the most common networking configurations. Please refer to the configuration that is applicable to your deployment style. The purpose of these examples is to help you understand which communication paths need to be open and how to correctly configure the applications to properly redirect to Keycloak and back.

When Everything Is Running on a Single Machine

The simplest case is when everything is running on a single machine, including the browser used to access Manta Flow. This setup is very unlikely to be used in a production environment, but it is the one used during installation. This setup only makes sense for a single user. In this setup, every server can reach the others at the URL http://localhost:<port>.


In such cases, the default configuration created during installation can be used. In each of the configuration files, the value http://localhost:<port>/auth can be used for the auth-server-url.

When Everything Is Running on a Single Server Accessed from Outside

This is similar to the first use case but allows multiple users to use Manta Flow concurrently. In this case, Manta Flow is installed on a server with a defined domain name, or at least an IP address on which it can be reached. The user then uses a browser on a different machine and accesses the server over a network.


In the diagram, Manta Flow is installed on a machine with the IP address 192.0.2.42 and the domain name internal.company.domain. Flow Server and AdminGUI Backend can still reach Keycloak using the URL localhost:<port>, but the user has to type the server's domain name or IP address into the browser.

In this configuration, the auth-server-url in the file keycloak-fe.json cannot be localhost:<port> because the frontend runs in the user's browser on a different machine and cannot reach Keycloak at localhost. The correct value to be set in keycloak-fe.json is http://internal.company.domain:9090/auth or http://192.0.2.42:9090/auth.

The same goes for the Flow Server configuration file keycloak.json. Even though it is not obvious at first glance, you have to keep in mind that Flow Server is also accessed from a browser. For this to work, the URL in Flow Server has to be updated as well.

When Everything Is Running on a Single Server behind a Reverse Proxy or Load Balancer

This is the most complex setup illustrated in the guide. But, conceptually, it is very similar to the previous example. The only notable change is that instead of using the URL of the server hosting IBM Automatic Data Lineage Platform, you have to put into the configuration files the URL of the relay server that’s in front of the hosting server.


In this configuration, the auth-server-url in the file keycloak-fe.json is set to http://proxy.company.domain:9090/auth.

The same goes for the Flow Server configuration file keycloak.json. Again, keep in mind that Flow Server is also accessed from a browser. For this to work, the URL in Flow Server has to be updated as well.
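The rule running through all three setups can be checked mechanically before the applications are restarted. The following is an added example, not part of the product or its documentation: the function names are hypothetical, and the sample configurations are constructed and show only the auth-server-url key discussed on this page.

```python
import ipaddress
import json
from urllib.parse import urlsplit


def is_loopback(host):
    """True for 'localhost' names and loopback IP literals (127.0.0.0/8, ::1)."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal, so an ordinary DNS name
        return False


def check_auth_server_url(config_text, browser_hosts):
    """Return a list of problems with auth-server-url; an empty list means OK.

    browser_hosts: names/IPs users type into the browser to reach the
    deployment (the server itself, or the proxy in front of it).
    """
    url = json.loads(config_text).get("auth-server-url")
    if not url:
        return ["auth-server-url is missing"]
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased by urlsplit
    if parts.scheme not in ("http", "https") or not host:
        return [f"not an absolute http(s) URL: {url}"]
    allowed = {h.lower() for h in browser_hosts}
    local_only = all(is_loopback(h) for h in allowed)  # single-machine setup
    problems = []
    if is_loopback(host):
        if not local_only:
            problems.append(f"{host} is loopback; a remote browser cannot reach Keycloak there")
    elif host not in allowed:
        problems.append(f"{host} is not an address the browser uses: {sorted(allowed)}")
    if not parts.path.rstrip("/").endswith("/auth"):
        problems.append(f"path {parts.path!r} does not end in /auth")
    return problems


# Constructed sample configs for keycloak-fe.json / keycloak.json.
LOCAL = '{"auth-server-url": "http://localhost:9090/auth"}'
DIRECT = '{"auth-server-url": "http://internal.company.domain:9090/auth"}'

if __name__ == "__main__":
    for hosts in (["localhost"], ["internal.company.domain", "192.0.2.42"], ["proxy.company.domain"]):
        for name, cfg in (("LOCAL", LOCAL), ("DIRECT", DIRECT)):
            print(hosts, name, check_auth_server_url(cfg, hosts) or "OK")
```

Run it against both keycloak-fe.json and the Flow Server keycloak.json, since both URLs are followed by the browser.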