Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29

April 22, 2023
Mysore MuleSoft Meetup
Platform Configuration on CloudHub 2.0

Safe Harbour Statement
● Both the speaker and the host are organizing this meet-up in individual capacity only.
We are not representing our companies here.
● This presentation is strictly for learning purposes only.
● Organizer/Presenter do not hold any responsibility that same solution will work for
your business requirements.
● This presentation is not meant for any promotional activities.
3

A recording of this meetup will be uploaded to events page within 24 hours
Questions can be submitted/asked at any time in the Chat/Questions and Answers Tab
Make it more Interactive!!!
Give us feedback! Rate this meetup session by filling feedback form at the end of the day
We Love Feedbacks!!! Its Bread & Butter for Meetup
Housekeeping
4

Organizers
5
Shubham Chaurasia
Billennium India
Pro Integration Developer
Giridhar Meka
Sr. Technical Architect
linkedin.com/in/giridharmeka
linkedin.com/in/shubhamchaurasia1

7
Vijayaraghavan Venkatadri
Integration Architect @
• Working at EY GDS
• 11+ years of experience in Integration & API products in
Solutioning & Design
• Certified Developer & Architect in MuleSoft
• MuleSoft Mentor & Speaker
• 3x certified in MuleSoft
• 6x certified in IBM
Speaker

Agenda
o MuleSoft & Anypoint Platform
o CloudHub 2.0
■ CloudHub 1.0 VS CloudHub 2.0
■ Shared Space VS Private Space
■ Limitations
o Private Space Landscape in CH 2.0
o Prerequisites for Private Space
o Prerequisites for VPN
o Vanity Domain Configuration & Prerequisites
o Firewall Rules & Prerequisites
o Net Tools
o Q & A 8

 MuleSoft helps enterprises to unlock their business capabilities in terms of reusable & discoverable
assets to meet the goal of digital shift in the market.
 It accelerates the process of delivering IT projects faster than ever before.
 Technically, it unlocks system and data within the enterprise with integration, driving productivity
and efficiency and creating engaging customer experience.
MuleSoft
9
Anypoint Platform
 MuleSoft Anypoint Platform is a unified platform that offers a holistic approach to API design and
development
 It helps in facilitating the API cycle from design, publish, feedback, build, deploy, manage and
secure
 It comprises the component within the platform to drive API lifecycle.

 CloudHub 2.0 is one of the deployment offerings from MuleSoft.
 It is a fully managed, containerized integration platform as a service (iPaaS) where the integration
can be deployed and managed as a lightweight container in the AWS cloud.
Benefits:
★ Provides deployments across 12 regions globally.
★ Dynamically scales infrastructure and built-in services up or down to support elastic
transaction volumes.
★ Builds in security policies, protecting your services and sensitive data with encrypted secrets,
firewall controls, and restricted shell access.
★ Encrypts certificates, passwords, and other sensitive information configuration data at rest
and in transit within Anypoint Platform.
★ Provides a standardized isolation boundary by running each Mule instance and service as a
separate container.
CloudHub 2.0
10

CloudHub 1.0 VS CloudHub 2.0
11
CloudHub 1.0 CloudHub 2.0
It is designed on a VM based platform on Cloud. Apps
are deployed on workers, which are the dedicated
instance of Mule runtime.
It is designed on a containerized platform on cloud. Built on top of
Anypoint Runtime Fabric. Apps are deployed on replicas
(containerized pods), which are dedicated instances of Mule
runtime.
Application Level Capabilities:
★ Mutual TLS not supported
★ Data Graph is supported
★ Support Object Store V1 & V2
★ Deployment Rollback not supported
★ Ports 8081 and 8082 available for HTTP & HTTPS
Application Level Capabilities:
★ Mutual TLS supported
★ Data Graph not supported
★ Only support Object Store V2
★ Deployment Rollback supported
★ All the traffic routed through 8081 for HTTP & HTTPS
Network Level Capabilities:
★ Fully Managed Anypoint VPC, VPN & AWS Transit
Gateway Attachments (Outbound firewall rules not
supported)
★ DLB has to be configured for VPC & Load balancer
logs are not supported.
★ VPC Peering supported.
Network Level Capabilities:
★ Fully Managed Anypoint Private Space which covers, VPN &
AWS Transit Gateway Attachments.(Outbound firewall rules
are supported)
★ Ingress is auto configured & Load balancer logs are
supported.
★ VPC Peering not supported.

CH 2.0 - Shared Space VS Private Space
12
Shared Space Private Space
As the name indicates, it is a shared elastic cloud of
resource in AWS which acts as a multi-tenant mode of
containerization.
Quite the contrary to shared space, private space is a virtual
and isolated space in CloudHub 2.0 as a single-tenant mode
of containerization.
It provides one shared space in each supported region to
which you deploy your applications.
It provides 12 region globally to create private to associate to
your on-premises data center as closest as possible.
Requirement on choosing Shared Space:
★ There is no requirement of isolation for your
organization.
★ Your mediation system does not falls under any
corporate data center such as on-premise or private
cloud.
★ No requirement on configuring vanity domain names in
your public endpoint.
★ No domain certificates for TLS termination.
Requirement on choosing Shared Space:
★ There is a requirement of isolation for your
organization.
★ Your mediation system does falls under any corporate
data center such as on-premise or private cloud.
★ Requirement on configuring vanity domain names in
your public endpoint.
★ Domain certificates for TLS termination.

 100 private spaces per organization.
 10 VPN per private space.
 5 transit gateway connections.
 180 Inbound and outbound firewall rules.
 10 TLS context per private space.
 Up to the size of 200 MB per application.
 Though there are no limits on number of client certificates, but the limit is on the file size
file size up to
KeyStore – 40 KB
TrustStore – 128 KB
Limitations in CloudHub 2.0
13

Private Space Landscape in CH 2.0
14

Ideally there will be two private spaces would be created per organization/business group.
 Non-Production private space
It will cover all the non-production environments such as DEV, SIT, QA, STAGE, UAT which
are based on sandboxes.
 Production private space
It will cover only production environments such as PROD which is based on production.
To create the private space, below details are required:
★ Private Space Name
★ Private Space Region
★ CIDR Block
★ DNS Server IPs
★ Internal Domains
Prerequisites for Private Space
15

Private Space Name:
The naming conventions for private space should be between 3-42 characters long, contain only
lowercase letters, numbers and dashes. The format of the name should contain below details.
❖ Organization Name
❖ Region Name
❖ Environment Specification
Format: <orgName>-<region>-<env>-ps
Example: mule-us-nonprod-ps
Private Space Region:
The selection of specific region where the private space to be created is dependent on the location of
the corporate network where it lies.
There are 12 regions available across globe.
16

17

CIDR (Classless-Inter Domain Routing):
The IP address of the private space specified using with the range of IP address denoting through CIDR
block notation which is Classless-Inter Domain Routing.
❖ MuleSoft always recommends /22 CIDR range (1026 IPs).
❖ The accepted smallest range is /24 (256 IPs) and the largest range is /16 (65536 IPs)
Certain things to be considered before determining the size of CIDR block for a private space.
❖ Number of environment within that private space.
❖ Number of API to be deployed in that private space per environment.
❖ Number of replicas per API (At least 2 IPs are reserved per replica for Zero-Downtime)
❖ Addresses reserved for fault tolerance and infrastructure and subnet may be divided up to 4
availability zones.
❖ A few sets of IP addresses reserved for infrastructure.
The generate thumb rule for deciding the size of the CIDR range is to calculate 10 times the maximum
number of expected applications to be deployed in private space. If applications are 100, the IP range
should be 1000.
18

Domain Name Server:
❖ If your corporate network uses internal DNS servers to resolve requests to custom domains,
configure the private space with theses IP addresses and domain names.
❖ Private space uses your internal DNS to resolve internal hostnames of your private network (make
sure your applications call the backend resources by FQDN)
Internal Domains:
Internal Domains that need to be accessible from private space must be resolved by the
internal DNS server.
19

The Virtual Private Network (VPN) is required to establish connections with corporate networks. Each
private requires at least one VPN tunnelling to the on-premises.
❖ There will be two runnels per VPN which could be active-active or active-passive based on the
enterprise network router configuration.
❖ The router configuration should support asymmetric routing to have active-active configuration if the
request sent through tunnel A will be used for response routing as well. Else, active-passive tunnelling
mode to established. (This must be discussed with the network team of that organization)
❖ There is an option of having redundant VPN configuration which act as a failover mechanism if the
primary VPN is down. This is required only for highly available data transactions for that organization.
Prerequisites for Virtual Private Network
20

To create the Anypoint VPN, below details are required:
❖ VPN Name
❖ Remote IP
❖ Support Gateway Routing Device:
➢ Device Vendor
➢ Device Platform
➢ Device Software Routing Type
❖ Routing Type:
➢ Static
➢ Dynamic (Using BGP Protocol)
❖ Local ASN (For both Static & Dynamic)
❖ Remote ASN ( Only for dynamic routing)
❖ Static IP CIDR ranges ( To advertise and only required for static)
21

VPN Name:
The naming conventions for VPN should be between 3-42 characters long, contain only lowercase
letters, numbers and dashes. The format of the name should contain below details.
❖ Organization Name
❖ Region Name
❖ Environment Specification
Format: <orgName>-<region>-<env>-vpn
Example: mule-us-nonprod-vpn
Remote IP:
The public IP of the VPN endpoint of the organization. This will be a static IP for the configuration. The
public IP will be provided by the network team.
22

Supported Gateway Routing Device:
Gateway device is a physical or software appliance on the client organization’s side of the VPN
connection. Get the below details from the network team.
❖ Device Vendor
❖ Device Platform
❖ Device Software
23

Routing Type:
The routing type of the VPN is determined based on the gateway device. It should be either static or dynamic.
It is always recommended to use dynamic routing and use static only if the gateway device does not support
dynamic routing.
Static Routing:
It requires you to provide routes (subnet) in your network that are accessible through Anypoint VPN. To
create static VPN connection, your VPN must be able to:
★ Establish IKE Security Associations using a pre-shared key (PSK)
★ Establish IPSec Security Associations in Tunnel Mode.
★ Use any combination of IPSec settings that Anypoint Platform supports.
★ Fragments IP packets before encryption.
★ Use one security Association (SA) pair per tunnel.
★ Use IPSec Dead Peer Detection (DPD)
★ Allow asymmetric routing.
★ For IPSec, enable perfect forward secrecy (PFS) with the Diffie-Hellman phase 2 groups 2, 5, 14-24
24

Dynamic VPN Routing (BGP):
For dynamic routing, your device uses Border Gateway Protocol (BGP) to advertise routes to Anypoint
VPN. To create a dynamic VPN connection, in addition to the static VPN connection requirements, your
VPN device must be able to:
❖ Establish BGP Peering
❖ Support route-based VPNs (bind tunnels to logical interfaces)
❖ For IPSec, enable perfect forward secrecy (PFS) with the Diffie-Hellman Phase 2 groups 2,5, 14-24
Local ASN:
The Local ASN is Local Autonomous System Number specified a private ASN (64512-645534) to
assign to the Anypoint Platform side of the VPN.
❖ Use a private ASN that is not already assigned to your network. Local ASN configured for both
static and dynamic VPN routing.
❖ Ideally local ASN is not use for static routing, you must specify this value for the first time VPN
creation. Because for any future BGP routing, it will be used. Subsequent static VPN, this local
ASN option will not be enable.
25

Remote ASN:
Remote ASN is Remote Autonomous System Number specified a private ASN (64512-645534) to
corresponds to your backend
❖ This is required only for dynamic routing
❖ Use either an existing ASN assigned to your network or a private ASN (64512-65534) that is not
already assigned to your network. The default value is 65001
Static IP CIDR Ranges:
As part of static routing, IP prefixes is required to advertise to your private network through VPN.
This is only required for static routing.
26

❖ By default, CloudHub 2.0 enables public DNS for MuleSoft private space with MuleSoft domain
certificates. However, this cannot be used for domain specific traffic which needs isolation.
❖ So, domain certs to be used to configure vanity URL and TLS termination.
❖ The domain certificates must be created separately for non-production and production private
spaces. But the non-production certificates should be shared across non-prod environment by
having the sub-domain names in the certificate to bifurcate the environment details as below.
Vanity Domain Configuration & Prerequisites
27
Environment Vanity Domain
DEV dev.<orgName>.com
SIT sit.<orgName>.com
QA qa.<orgName>.com
PROD prd.<orgName>.com

The firewall configuration must be in place for each private space. It is one of the security measures to ensures
the traffic that comes and goes out is authentic one. The private space has below firewall rules.
Inbound Firewall Rules:
❖ Public Inbound Traffic (HTTP/HTTPS):
This endpoint is a public DNS which can be accessed over the internet and intranet on HTTP & HTTPS
❖ Private Inbound Traffic (HTTP/HTTPS):
This endpoint is a private DNS which is secure and meant to accept inbound traffic within private space
and corporate network through the VPN. It cannot be accessed outside private space/over the internet.
Ideally, API calls within the VPC will be using this private space endpoint.
Outbound Firewall Rules:
❖ Public Outbound Traffic (HTTPS/TCP):
This is for MuleSoft to call any service outside the private space over the internet.
❖ Private Outbound Traffic (HTTPS/TCP):
This is for MuleSoft to call any service within the corporate network via VPN tunnelling.
Firewall Rules & Prerequisites
28

❖ MuleSoft Provides Net Tools applications to do the connectivity check.
❖ It can be deployed to private space and connectivity check can be done.
➢ The connectivity can be checked to the instances available in the corporate network.
➢ The connectivity can be checked within and outside the private space.
❖ Link: https://help.mulesoft.com/s/article/How-To-Use-Network-Tools-Application
Net Tools
29

Take a stand !
● Nominate yourself for the next meetup speaker and suggest a topic as well.
31

● Share:
○ Tweet using the hashtag #MuleSoftMeetups
○ Join Mysore Group: https://meetups.mulesoft.com/mysore/
● Feedback:
○ Fill out the survey feedback and suggest topics for upcoming events
○ Contact MuleSoft at meetups@mulesoft.com for ways to improve the program
○ Reach out to Mysore Meetup Leaders (Shubham/Giridhar) to suggest topics
for next Meetup
What’s next?
32

Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29

Recommended

Recommended

More Related Content

Similar to Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29

Similar to Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29 (20)

More from MysoreMuleSoftMeetup

More from MysoreMuleSoftMeetup (20)

Recently uploaded

Recently uploaded (20)

Platform configuration on CloudHub 2.0 | MuleSoft Mysore Meetup #29