CLOUDWATCH MULE® INTEGRATION
System Architecture
The CloudWatch Mule® Integration is an agent-based integration.
Pre-requisites
IO Connect Services API
The CloudWatch Mule® Integration does a license check via SSL and hence it requires outbound access to:
- https://api.ioconnectservices.com/
- Port: 443
On-prem Mule servers
On-prem Mule servers must be registered in Anypoint Runtime Manager (ARM) to be able to collect data. The RM Agent ships in the /bin folder of the Mule runtime, so you can run the registration command from the CLI. See the instructions at https://docs.mulesoft.com/runtime-manager/servers-create.
Any server that’s registered in a group or cluster in ARM must be able to gather metrics from those as well.
Mule Networking pre-requisites
For the agent to connect properly to ARM in Anypoint, specific network traffic must be allowed. All DNS names, ports and IPs the agent needs are documented in https://docs.mulesoft.com/runtime-manager/rtm-agent-whitelists.
CloudHub applications
Given the cloud nature of applications deployed to CloudHub, all application and server metadata is intrinsically stored by default on Anypoint Control Plane. No special configuration is required other than the needed permissions in the connected app.
Ports and Hostnames to whitelist
At a minimum, the CloudWatch Mule® Integration must have outbound internet connectivity on port 443.
In enterprises, it’s very common that all networks are behind a firewall to protect access. In many other cases, reverse proxies are used to protect outbound communications to restricted websites. Customers must configure rules in the firewall and proxies to allow communication with IO Connect Services, Anypoint and CloudWatch.
IO Connect Services networking requirements
The CloudWatch Mule® Integration does a license check via SSL and hence it requires outbound access to:
- https://api.ioconnectservices.com/
- Port: 443
This is outbound-only communication, initiated by the CloudWatch agent running on-premises.
MuleSoft Anypoint networking requirements
Mule servers installed on-prem must be allowed inbound and outbound connections to the following DNS names on ports 443 (HTTPS) and 9999 (configurable websocket).
Here is the full list of FQDNs that need to be whitelisted. Pick the ones corresponding to the region to which your MuleSoft organization belongs.
- anypoint.mulesoft.com
- eu1.anypoint.mulesoft.com
- mule-manager.anypoint.mulesoft.com
- mule-manager.eu1.anypoint.mulesoft.com
- runtime-manager.anypoint.mulesoft.com
- runtime-manager.eu1.anypoint.mulesoft.com
- arm-auth-proxy.prod.cloudhub.io
- arm-auth-proxy.prod-eu.msap.io
- data-authenticator.anypoint.mulesoft.com
- data-authenticator.eu1.anypoint.mulesoft.com
- analytics-ingest.anypoint.mulesoft.com
- analytics-ingest.eu1.anypoint.mulesoft.com
- exchange2-asset-manager-kprod.s3.amazonaws.com
- exchange2-asset-manager-kprod-eu.s3.eu-central-1.amazonaws.com
Learn more about the MuleSoft Anypoint networking requisites in https://docs.mulesoft.com/runtime-manager/rtm-agent-whitelists
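A pre-deployment check for the firewall and proxy rules above, as an added example that is not part of the original page or of the product: it selects the FQDNs for one region and tests outbound HTTPS to each from the host that will run the agent. The region split by name ("eu1" or "-eu." means EU), the function names and the script name are assumptions. The port defaults to 443 because the page does not say which hosts use 9999.

```shell
#!/usr/bin/env bash
# Added example: check outbound HTTPS reachability for the FQDNs listed on this page.
# Assumption: names containing "eu1" or "-eu." are EU-region hosts, the rest US-region.
IOCONNECT_HOST="api.ioconnectservices.com"   # license check, needed in both regions
ANYPOINT_HOSTS="
anypoint.mulesoft.com                           eu1.anypoint.mulesoft.com
mule-manager.anypoint.mulesoft.com              mule-manager.eu1.anypoint.mulesoft.com
runtime-manager.anypoint.mulesoft.com           runtime-manager.eu1.anypoint.mulesoft.com
arm-auth-proxy.prod.cloudhub.io                 arm-auth-proxy.prod-eu.msap.io
data-authenticator.anypoint.mulesoft.com        data-authenticator.eu1.anypoint.mulesoft.com
analytics-ingest.anypoint.mulesoft.com          analytics-ingest.eu1.anypoint.mulesoft.com
exchange2-asset-manager-kprod.s3.amazonaws.com  exchange2-asset-manager-kprod-eu.s3.eu-central-1.amazonaws.com
"

# Print the hosts to test for a region ("us" or "eu"), one per line.
hosts_for_region() {
  local region="$1" host r
  case "$region" in us|eu) ;; *) echo "unknown region: $region" >&2; return 2 ;; esac
  echo "$IOCONNECT_HOST"
  for host in $ANYPOINT_HOSTS; do
    case "$host" in *eu1*|*-eu.*) r=eu ;; *) r=us ;; esac
    if [ "$r" = "$region" ]; then echo "$host"; fi
  done
}

# Succeeds when DNS, TCP and TLS with certificate validation all work; any HTTP
# status counts. curl honours https_proxy, so proxy rules are exercised when it is set.
check_host() {
  curl --silent --output /dev/null --max-time "${TIMEOUT:-10}" "https://$1:${2:-443}/"
}

# Report every host for the region; return non-zero if any is unreachable.
run_checks() {
  local port="${2:-443}" hosts host failed=0
  hosts=$(hosts_for_region "$1") || return 2
  for host in $hosts; do
    if check_host "$host" "$port"; then echo "OK    $host:$port"
    else echo "FAIL  $host:$port (curl exit $?)"; failed=1; fi
  done
  return "$failed"
}

# Usage: ./check_allowlist.sh us|eu [port]
if [ $# -gt 0 ]; then run_checks "$@"; exit $?; fi
```

The curl exit code in a FAIL line narrows the cause: 6 is a DNS failure, 7 a refused or filtered connection, 28 a timeout, and 60 a certificate that does not validate, which is what a TLS-inspecting proxy without a trusted CA produces.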
CloudWatch networking requirements
Communication from the CloudWatch agent is via port 443 (HTTPS).