Groundplex requirements - Network setup

The Groundplex allows access to endpoints that are inside your network firewall. As a SnapLogic Environment admin, you typically involve your organization's network admin or DevOps team to define the network settings of the Groundplex.

Your Snaplex makes outbound HTTPS requests to the SnapLogic control plane. In addition to these HTTPS requests, the Snaplex makes outbound WebSocket Secure (WSS) connections to the control plane, which uses these connections to send inbound control messages to the Snaplex. WSS is an extension of HTTPS that provides a standards-compliant and secure message-passing mechanism. The Groundplex does not require inbound network connectivity. The only requirement is outbound connectivity to the SnapLogic control plane over HTTPS port 443.

A Groundplex also establishes outbound connections to any endpoints mentioned in a pipeline. If the pipeline being executed on the Snaplex communicates with Salesforce and Redshift endpoints, then the Snaplex establishes outbound connections with Salesforce and Redshift databases. The specific protocol used depends on the endpoint. For example, Salesforce Snaps use an HTTPS connection, while Redshift Snaps use a TCP connection, optionally over TLS (SSL), to establish the JDBC connection.

Most Groundplexes run on nodes with outbound access to the internet enabled. Therefore, your Snaplex can start without any specific configuration. If your Groundplex is running on a node with restricted outbound access, use one of the following two methods to configure it:

  • HTTP Proxy: Configure the Snaplex to communicate with the SnapLogic control plane and other endpoints through an HTTP forward proxy.

  • IP Address Allowlist: Open an outbound firewall rule to the SnapLogic control plane and other endpoints as necessary.

The IP address allowlist method requires you to open the firewall rules for each endpoint the Groundplex communicates with. Because many endpoints do not have a single IP address to allowlist, this might be a challenging task. Additionally, the Snaplex normally communicates directly with Amazon S3 for file operations; when direct access to S3 is not allowed, those requests need to proxy through the control plane, causing the requests to run slowly. Some operations cannot be supported when direct access to S3 is disabled. The HTTP proxy method does not have these limitations.

We recommend using an HTTP proxy, because it enables communication with any endpoints using the HTTP protocol.

You can set up Snaplex network communication through the following UI page in Admin Manager:

  • Use the Node Properties tab to configure HTTP/HTTPS ports and HTTP interface connection.

  • Use the Node Proxies tab to manage how nodes interact with an HTTP/HTTPS proxy server for external communication.

Learn more about the configuration fields on these tabs in Create a Snaplex in Manager | Node Configuration Options.

HTTP port configuration

Use the Node Properties tab to change port values.

You can change the default values:

  • 8090 for the JCC node

  • 8091 for the FeedMaster node

HTTP/HTTPS port customization

You can customize the HTTP port configuration used by the JCC node.

  1. Point the cursor and click the target Snaplex to open the Update Snaplex page.

  2. Click the Node Properties tab.

  3. In the HTTP Port or HTTPS Port field, specify the custom port value.

Updating this option changes the default setting in the Global properties field:

  • HTTP Port:

jcc.jetty_port = 8090

  • HTTPS Port:

jcc.cc_secure_port = 8888

Feedmaster broker port customization

If your Snaplex has a Feedmaster node, you can also customize the Feedmaster node port configuration. The default is 8089.

  1. Point the cursor and click the target Snaplex to open the Update Snaplex page.

  2. Click the Node Properties tab.

  3. Under Global properties, click to open the key-value fieldset.

  4. Specify the custom port value.

    • Key: jcc.broker_service_uri

    • Value: ssl://0.0.0.0:8089?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

Important: The port used should be unique and cannot be the same as the ports used for the HTTP and HTTPS services.
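The following added example (not SnapLogic code) checks a jcc.broker_service_uri value before it is saved: it reports a broker port that collides with the HTTP or HTTPS service port, and lists enabled protocols that RFC 8996 deprecated and cipher suites without forward secrecy. The function name check_broker_uri and the dict-of-properties input are assumptions made for this sketch; the default ports and the sample value are the ones shown on this page.

```python
from urllib.parse import urlsplit, parse_qs

# Defaults taken from this page; used when a key is absent from Global properties.
PAGE_DEFAULTS = {"jcc.jetty_port": "8090", "jcc.cc_secure_port": "8888"}
# TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def check_broker_uri(global_props):
    """Return findings for jcc.broker_service_uri in a Global properties dict."""
    props = {**PAGE_DEFAULTS, **global_props}
    uri = urlsplit(props["jcc.broker_service_uri"])
    query = parse_qs(uri.query)
    findings = []

    # The broker port must differ from the HTTP and HTTPS service ports.
    for key in ("jcc.jetty_port", "jcc.cc_secure_port"):
        if uri.port == int(props[key]):
            findings.append(f"port {uri.port} is already used by {key}")

    protocols = query.get("transport.enabledProtocols", [""])[0].split(",")
    for proto in protocols:
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")

    # TLS_RSA_* suites use static RSA key exchange, so they lack forward secrecy.
    suites = query.get("transport.enabledCipherSuites", [""])[0].split(",")
    for suite in suites:
        if suite.startswith("TLS_RSA_"):
            findings.append(f"no forward secrecy: {suite}")
    return findings


# The Value shown on this page, split across lines for readability.
PAGE_VALUE = ("ssl://0.0.0.0:8089?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"
              "&transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
              "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
              "TLS_RSA_WITH_AES_128_CBC_SHA")

if __name__ == "__main__":
    for finding in check_broker_uri({"jcc.broker_service_uri": PAGE_VALUE}):
        print(finding)
```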

HTTP connection pooling

Outbound HTTP connections created to the SnapLogic cloud or to any other HTTP endpoints are placed in a connection pool by default. You can configure the properties for the pool by adding them on the Update Snaplex page, on the Node Properties tab, under Global properties.

Global property key | Value | Description
jcc.http_client_max_connections | 300 | To increase the maximum number of connections that can be created at a time (default is 100).
jcc.http_client_tcp_connection_timeout | 120 | To set the TCP connection timeout for an outbound connection (in seconds, the default is 60, zero is an infinite timeout).
jcc.http_client_socket_timeout | 300 | To set the inactivity timeout for a socket connection (in seconds, default is 3600, zero is an infinite timeout).

The http_client_socket_timeout must be set to a value higher than the maximum child Pipeline execution time.

HTTP proxy configuration

In the typical HTTP proxy configuration, the proxy forwards requests to any endpoint. You can use the same HTTP proxy for connecting with the SnapLogic control plane and also for connecting to other REST endpoints, such as Salesforce. The forward HTTP proxy type is the most flexible method for integrating multiple endpoints.

You can obtain the proxy configuration settings from your network operations team. You can open the Update Snaplex dialog in SnapLogic Manager and configure the HTTP proxy settings.

Learn more about specific field settings on the Node Proxies tab in Update a Snaplex.

By default, a proxy routes all outbound HTTP and HTTPS requests. To restrict the proxy to requests that route outside your firewall, you need to change the proxy settings. First, configure the Non-proxy Hosts field to restrict the endpoints that the proxy uses. Second, disable the proxy for communication among the nodes in a Snaplex. If the latter is not done, it can result in neighbor connectivity check failures for your Snaplex.

In the following example, the field keeps HTTP requests to the local host or to hosts in the example.com domain from being routed through the proxy.

  • Key: jcc.http.nonProxyHosts

  • Value: localhost|127.*|[::1]|MYHOSTNAME|*.example.com
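To see which hosts that value actually exempts, the added example below (not SnapLogic or JRE code) approximates the documented JRE nonProxyHosts rules: patterns are separated by '|' and may carry '*' only as a leading or trailing wildcard. The function names, the case-insensitive comparison and the sample neighbor hosts are assumptions; it also lists neighbor nodes that would still be sent through the proxy.

```python
# The value from this page.
NON_PROXY_HOSTS = "localhost|127.*|[::1]|MYHOSTNAME|*.example.com"


def _matches(host, pattern):
    # Plain string comparison on purpose: a glob library would read "[::1]"
    # as a character class instead of an IPv6 literal.
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def bypasses_proxy(host, non_proxy_hosts):
    """True if a request to `host` skips the proxy under the given pattern list."""
    host = host.lower()  # assumption: hosts and patterns compare case-insensitively
    patterns = [p.strip().lower() for p in non_proxy_hosts.split("|") if p.strip()]
    return any(_matches(host, p) for p in patterns)


def neighbors_via_proxy(neighbor_hosts, non_proxy_hosts):
    """Neighbor nodes whose traffic would still be routed through the proxy."""
    return [h for h in neighbor_hosts if not bypasses_proxy(h, non_proxy_hosts)]


if __name__ == "__main__":
    # Constructed sample hosts: one control plane name and three node addresses.
    for host in ("elastic.snaplogic.com", "node2.example.com",
                 "example.com", "10.0.0.12"):
        route = "direct" if bypasses_proxy(host, NON_PROXY_HOSTS) else "proxy"
        print(f"{host:24} -> {route}")
```

Note that *.example.com does not cover the bare name example.com, and 127.* is a string prefix, not a network range, so a neighbor node addressed as 10.0.0.12 needs its own entry.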

The proxy settings are configured per the standard JRE settings. These are displayed in the Node Proxies tab of your Snaplex:

jcc.http.proxyHost = myproxy.example.com
jcc.http.proxyPort = 3128
jcc.http.nonProxyHosts = localhost|127.*|[::1]|MYHOSTNAME|*.example.com
jcc.https.proxyHost = myproxy.example.com
jcc.https.proxyPort = 3128
jcc.https.nonProxyHosts = localhost|127.*|[::1]|MYHOSTNAME|*.example.com
jcc.http.proxyUser = proxyuser
jcc.http.proxyPassword = proxypass

Reverse proxy configuration

In some scenarios, your network operations team might configure a reverse proxy instead of a traditional proxy. In that case, all requests to the proxy are directly sent to the SnapLogic control plane. For example, if https://myproxy.test.com/ is the proxy server, a request to its /status path returns the status from the SnapLogic control plane:

curl https://myproxy.test.com/status

To enable the Snaplex to work with the reverse proxy, add the following two key-value pairs to the Global properties of your Snaplex:

Key | Value
jcc.sldb_uri | https://myproxy.test.com:443
jcc.host_header | <control-plane-name>.snaplogic.com

Where <control-plane-name> is one of the following:

  • elastic

  • uat

  • emea

Setting up a reverse proxy is unusual. In most cases, a forward proxy should be used.

Troubleshooting Snaplex communication

You can run the following cURL commands to test communication with the Snaplex. In each command, you specify the control plane name in the URL.

Name | Control plane
elastic | Production - default
emea | Production - EMEA
uat | Testing - default

  • To verify if outbound requests are permitted from the Snaplex node:

curl https://control-plane-name.snaplogic.com/status

A response with the status OK indicates successful completion.

If this request hangs or fails, then a proxy is required. Request the HTTP proxy information from your network operations team.

  • To check access through a proxy:

curl -x myproxy.mydomain.com:3128 https://control-plane-name.snaplogic.com/status

If this request fails with a 407 (Proxy Authentication Required), then you need to specify the authentication information in the proxy.

  • To check the proxy authentication, run the following command:

curl -x myproxy.mydomain.com:3128 --proxy-user "proxyuser:proxypasswd" https://control-plane-name.snaplogic.com/status

The -v option can be added to cURL to get detailed messages.

Important: For Windows-based Groundplexes, download the TLS (SSL) enabled cURL binary from https://curl.haxx.se/dlwiz/?type=bin&os=Win32&flav=-&ver=- to verify your configuration.