Agent connectivity requirements

Which firewall openings a Frends Agent needs.

Hosting a Frends Agent on your server requires the following details to be set up and confirmed.

Outbound connectivity

Frends 5.7 and later require outbound access to the following:

  • Frends UI: <tenant>.frendsapp.com on port 443

  • Azure Service Bus: Ports 443, 5671 and 5672 must be open towards Azure Service Bus

  • Azure Blob Storage: Port 443 is needed for Azure Blob Storage

You can check Microsoft's documentation about Azure Service Bus and Azure Blob Storage. As the IP addresses of the Azure services may change, these may have to be opened without IP restrictions.

Azure Service Bus is used to allow the Agent to communicate with the Frends Core, which is located in the Azure cloud. This in turn enables the connectivity between the Frends UI and the Agents.

Azure Blob Storage is needed to store larger logging data and messages that do not fit in a single Azure Service Bus message (over 200 kb), as well as to retrieve compiled Processes during Process or Agent deployment.

Alternatively, if outbound connectivity is limited for the Agent and ports 5671 and 5672 cannot be opened outbound to the Azure Service Bus, the transport type can be set to AMQP WebSockets as a workaround by adding ;TransportType=AmqpWebSockets to the Azure Service Bus connection string. After this, the Azure Service Bus connection will use port 443 for outbound connections.

Inbound connectivity

The Frends Agent operates through Azure Service Bus, which has the connectivity requirements listed above. As such, the server will not receive any inbound connections directly to it for standard operations.

For REST APIs published to your Agent Groups and thus Agents, there will be inbound connectivity for all the API requests, on the ports defined for your Agent. For the published API to be accessible, the firewall must allow inbound connections on those ports.

Alternatively, for publishing REST APIs, a Gateway Agent can be set up instead. It will act as a gateway and a load balancer for Agents behind it, publishing the APIs without giving direct access to the actual Agents performing the processing. This way the servers hosting the Agents will not require external inbound connectivity, but the API Gateway Agent will require it instead.

High Availability connectivity requirements

When using a central database as Shared State Store, each server hosting the Agents must have access to it, requiring outbound connectivity from the Agent machines to the database.

SQL Server and Azure SQL Database instances require at least port 1433 to be open for outbound connectivity from the client. You can learn more about SQL Server connectivity requirements and Azure SQL Database connectivity requirements from the corresponding links.

The chosen load balancer or API Gateway Agent needs to face the public internet if public access to the created REST APIs and HTTP Triggers is required, allowing external connections to come in. If the connections are to be internal only, you can adjust the connectivity more freely within your internal, on-premises network based on your requirements.

Load balancing systems, including the API Gateway Agent, often act as a proxy between the outside network and the executing servers, meaning they will use the same or similar connection details from the load balancer to the executing server as were used to call the load balancing proxy. Therefore the connections between the load balancer and the Agent servers must also be taken into account, by allowing inbound connections from the load balancer to reach your Agents.

Testing connectivity

You can test ports from the machine that is going to host the Frends Agent with either a PowerShell command or a Unix command.

Note that if you restrict the outgoing connections, get the correct URL for those tests from the appsettings.secrets.json configuration file.

PowerShell

Command: tnc yourtenant-frends-bus.servicebus.windows.net -Port port

  • Replace yourtenant with your Frends tenant name. You can find it by going to your Frends webpage and looking at the URL, which is in the form tenant.frendsapp.com

  • Replace port with the desired port you wish to check

Unix

Command: nc -zv yourtenant-frends-bus.servicebus.windows.net 443 9350-9354 5671-5672

  • yourtenant-frends-bus.servicebus.windows.net is the Service Bus URL of your Tenant.

  • The correct URL value can be found in the appsettings.secrets.json configuration file, in the AzureServiceBusSasTokenConfigurator.Endpoint property

  • Remember to change the protocol from "sb" to "https"
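
The checks above as one script, covering both the default AMQP transport and the AmqpWebSockets workaround (an added example, not part of the Frends documentation). The function names are hypothetical, and the endpoint and connection string are assumed to be passed in as arguments copied from your own configuration.

```shell
#!/bin/sh
# Added example: outbound Service Bus check for a Frends Agent host.
# Usage (values are constructed placeholders):
#   sh check.sh 'sb://yourtenant-frends-bus.servicebus.windows.net/' \
#               'Endpoint=sb://...;TransportType=AmqpWebSockets'

# sb_host ENDPOINT: print the bare hostname of an sb:// or https:// endpoint.
# nc needs only the hostname, so scheme, port and path are stripped.
sb_host() {
    h=${1#*://}   # drop the scheme ("sb://" or "https://")
    h=${h%%/*}    # drop any path
    h=${h%%:*}    # drop an explicit port
    printf '%s\n' "$h"
}

# required_ports CONNECTION_STRING: print the outbound ports the Agent needs.
# With TransportType=AmqpWebSockets only 443 is used; otherwise 5671 and
# 5672 (AMQP) are required in addition to 443.
required_ports() {
    case "$1" in
        *TransportType=AmqpWebSockets*) echo "443" ;;
        *)                              echo "443 5671 5672" ;;
    esac
}

# check_outbound ENDPOINT [CONNECTION_STRING]: probe each required port and
# return non-zero if any of them is blocked.
check_outbound() {
    host=$(sb_host "$1")
    failed=0
    for port in $(required_ports "${2:-}"); do
        if nc -z -w 5 "$host" "$port" 2>/dev/null; then
            echo "OK      $host:$port"
        else
            echo "BLOCKED $host:$port"
            failed=1
        fi
    done
    return "$failed"
}

# Probe only when an endpoint is given on the command line.
if [ "$#" -gt 0 ]; then
    check_outbound "$@"
fi
```

A BLOCKED result on 5671 or 5672 with 443 reporting OK is the situation the AmqpWebSockets transport setting is meant for.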
