xDB Cloud firewall configuration limitation

  • For customers using Sitecore xDB Cloud, only domain names such as *.fleet.mongolab.com and specific ports can be used to set up firewall restrictions.

    The domain names and ports of the endpoints are stable. This information can be requested for each xDB Cloud set through the xDB Cloud REST API endpoint. A sample set of endpoints looks like this:

    *.cloud.sitecore.net: 443
    dsxxxxx-a0.qmt44.fleet.mongolab.com: 46408
    dsyyyyy-a1.qmt44.fleet.mongolab.com: 46406

    xDB Cloud does not currently support any static IPs or ranges of IPs for setting up firewall restrictions. xDB Cloud's MongoDB servers and other endpoints have a dynamic set of IP addresses that can change within the lifetime of the deployment. 

  • If the firewall does not support host-based rules, it is best practice to open unique ports in the firewall of the Content Delivery and Content Management instances. Get the port information using the xDB Cloud REST API method.

  • Another possible way to configure the firewall is to perform DNS lookups on the xDB Cloud hosts specific to a particular xDB Cloud setup in order to get their IP addresses. IP addresses obtained this way are dynamic and can cause connection problems if the IPs change.

    For better consistency of IP-based rules, the following custom approaches are possible:

    1. Write a script to dynamically configure outbound firewall rules, based on performing DNS lookups of the addresses of MongoDB hosts.
    2. Build a proxy layer that has static IPs and only allow those proxies to have more permissive outbound rules.
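
A sketch of approach 1, added here as an example and not Sitecore's own code: it resolves each MongoDB host, diffs the result against the rules already in place, and leaves existing rules untouched when a lookup fails so that a DNS outage does not close the connection. The function names and the shape of `current` are assumptions, and applying the planned changes to a particular firewall is left to the caller.

```python
import socket

# Constructed sample in the "host: port" form the article shows; the dsxxxxx /
# dsyyyyy names are the article's placeholders, not real hosts.
SAMPLE_ENDPOINTS = [
    "*.cloud.sitecore.net: 443",
    "dsxxxxx-a0.qmt44.fleet.mongolab.com: 46408",
    "dsyyyyy-a1.qmt44.fleet.mongolab.com: 46406",
]


def parse_endpoint(entry):
    """Split 'host: port' into (host, port)."""
    host, _, port = entry.rpartition(":")
    return host.strip().lower(), int(port)


def system_resolver(host):
    """Return the set of IPv4 addresses currently published for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def plan_rules(endpoints, current, resolver=system_resolver):
    """Diff resolved addresses against the rules already in place.

    current maps (host, port) -> set of IPs already allowed outbound.
    Returns (to_add, to_remove, skipped); the first two are lists of
    (host, port, ip), skipped lists hosts whose rules were left untouched.
    """
    to_add, to_remove, skipped = [], [], []
    for entry in endpoints:
        host, port = parse_endpoint(entry)
        if "*" in host:
            # Wildcards cannot be resolved; they need a host-based rule.
            skipped.append((host, "wildcard"))
            continue
        try:
            resolved = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            resolved = set()
        if not resolved:
            # Failed lookup: keep existing rules rather than cut the connection.
            skipped.append((host, "lookup failed"))
            continue
        existing = current.get((host, port), set())
        to_add += [(host, port, ip) for ip in sorted(resolved - existing)]
        to_remove += [(host, port, ip) for ip in sorted(existing - resolved)]
    return to_add, to_remove, skipped
```

Run it on a schedule shorter than the DNS record TTL, and apply additions before removals so that a changed address is allowed before the old one is dropped.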

Applies to:

App Center 1+

October 28, 2016
December 09, 2016

Keywords: 

  • xDB