Supported connectivity schemes for ActiveGates
Dynatrace requires certain ports and paths to be opened and accessible through the monitored infrastructure, firewalls and other components. The ports are configurable and the default values are shown here.
Dynatrace SaaS connectivity scheme
All possible connections for the SaaS connectivity scheme, with preferred and alternative paths are shown below.
The solid arrows indicate the preferred paths. For example, OneAgent will connect to an Environment ActiveGate, if one is present. It will, however, connect to a the Dynatrace Saas Cluster directly, if no connection to an Environment ActiveGate is possible. The direction of arrows in the diagrams indicates which component initiates the connection.
Environment ActiveGate receives connections on port 9999.
Dynatrace SaaS Cluster receives connections on port 443.
Cluster ActiveGate receives connections on port 9999.
Dynatrace Managed Cluster (embedded ActiveGate) receives connections on port 443. For more information see diagrams above.
If you run Browser monitors or HTTP monitors from private Synthetic locations, you need to make sure the Synthetic-enabled ActiveGate has access to the tested resource. If you use ActiveGate extensions, you need to make sure the ActiveGate executing the extensions has access to the monitored technology.
ActiveGates exist in the following hierarchy:
Level 1—Environment ActiveGates
Level 2—Cluster ActiveGates
Level 3—Embedded ActiveGates—ActiveGates embedded within cluster nodes (not shown on graphs above).
ActiveGates can only send data to higher hierarchy levels. It is impossible to send data to the same or lower level of the hierarchy.
Environment ActiveGates, by default, connect directly to the Dynatrace Cluster (unless custom network zones are used—see below). This eliminates an intermediate step of connecting to a Cluster ActiveGate. Connecting through the Cluster ActiveGate needs to be arranged, if the Dynatrace Cluster is not directly reachable. For example, if the Environment ActiveGate is in a different network or different data center.
Connectivity can also depend on network zones if such are configured. Network zone configuration means that ActiveGates and OneAgents will prefer to communicate with ActiveGates from the same zone, before connecting to ActiveGates outside of the active zone.
Proxy and load balancer configuration
All Dynatrace components (OneAgents, ActiveGates, Dynatrace Cluster) detect their hostnames and distribute them as communication endpoints among each other to achieve the highest possible connection robustness.
This works automatically, unless there are networking devices (proxies, load balancers) in your environment, which should be taken into account, and of which Dynatrace is not aware.
The diagram below shows all possible proxy and load balancer (reverse proxy) placements for an ActiveGate deployment. For simplicity, direct connections—those that are not through proxies or load balancers–are not shown in this diagram. Alternative connections (those that connect through one or more proxies or load balancers), are shown as dashed lines.
- If there is a load balancer between OneAgents and an ActiveGate, you should specify the load balancer's address as the
dnsEntryPointproperty in the ActiveGate configuration.
- If there is a load balancer between ActiveGate and the next communication endpoint that traffic should be routed through, configure
- If a proxy is used to reach the Dynatrace Cluster or any of the monitored clouds, configure a proxy.
You can configure the ActiveGate headers in your firewall.
- Network zones
Find out how network zones work in Dynatrace.