Support Article
Hazelcast nodes do not auto-detect across DMZ
SA-10812
Summary
When multiple nodes are started, some in the DMZ and some outside it, the Hazelcast auto-discovery mechanism does not work as expected. This is due to network communication port restrictions.
Error Messages
Not Applicable
Steps to Reproduce
Start up PRPC nodes in both the DMZ and non-DMZ to observe the issue.
Root Cause
In this type of environment, where there are nodes both inside and outside the firewall, it is not possible to auto-discover Hazelcast members. Due to the presence of the firewall, communication between the nodes is explicitly forbidden.
Resolution
This issue is resolved by making the following change to the operating environment:
Ports must be open in the firewall to explicitly allow Hazelcast communication between all the nodes in the Hazelcast cluster. This is analogous to the port that must be opened for database activity in this configuration.
Once the network configuration allows the various nodes to reach each other on the specific set of ports, the IPs and ports to use must be configured for Pega 7. This is achieved using the following settings in the prconfig file for each node. (Note that these values are site-dependent and are shown as examples only.)
<!-- hazelcast -->
<env name="cluster/hazelcast/ports" value="5701-5750" /> <!-- available ports that have access across the firewall for use by our cluster -->
<env name="cluster/hazelcast/interface" value="xx.x.xxx.xx"/> <!-- The IP address that I will listen to -->
<env name="cluster/hazelcast/members" value="xx.x.xxx.*" /> <!-- optional list of IPs for other members in our cluster - can be a range or comma separated -->
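The following Python script is an added example, not part of the original article or of Pega's tooling. It reads the three `cluster/hazelcast/*` settings from a prconfig fragment, lists the member and port pairs the firewall rule has to cover (so the rule can be scoped to exactly those flows), and probes each pair with a TCP connect from the node it runs on. The sample addresses, the wrapping root element and all function names are assumptions.

```python
import socket
import xml.etree.ElementTree as ET
# Constructed sample: documentation-range addresses, not values from the article.
SAMPLE_PRCONFIG = """<pegarules>
  <env name="cluster/hazelcast/ports" value="5701-5703" />
  <env name="cluster/hazelcast/interface" value="192.0.2.10" />
  <env name="cluster/hazelcast/members" value="192.0.2.11, 198.51.100.20, 192.0.2.*" />
</pegarules>"""
PREFIX = "cluster/hazelcast/"

def load_settings(xml_text):
    """Collect the cluster/hazelcast/* env entries, keyed by their last path element."""
    return {e.get("name")[len(PREFIX):]: e.get("value", "").strip()
            for e in ET.fromstring(xml_text).iter("env")
            if e.get("name", "").startswith(PREFIX)}

def expand_ports(spec):
    """Turn '5701-5750' (or a single port) into a list of integers."""
    low, _, high = spec.partition("-")
    first, last = int(low), int(high or low)
    if not 0 < first <= last <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return list(range(first, last + 1))

def required_flows(settings):
    """Return ((host, port) pairs to allow and probe, member patterns left for manual review)."""
    ports = expand_ports(settings["ports"])
    members = [m.strip() for m in settings.get("members", "").split(",") if m.strip()]
    patterns = [m for m in members if "*" in m or "-" in m]  # wildcards/ranges: not enumerated
    hosts = [m for m in members if m not in patterns and m != settings.get("interface")]
    return [(h, p) for h in hosts for p in ports], patterns

def probe(flows, timeout=2.0):
    """TCP-connect to each pair: 'open', 'refused' (no listener or a reject rule) or 'no-reply'."""
    results = {}
    for flow in flows:
        try:
            socket.create_connection(flow, timeout=timeout).close()
            results[flow] = "open"
        except ConnectionRefusedError:
            results[flow] = "refused"
        except OSError:  # timeouts and unreachable-network errors
            results[flow] = "no-reply"
    return results

if __name__ == "__main__":
    flows, patterns = required_flows(load_settings(SAMPLE_PRCONFIG))
    print("member patterns to review by hand:", patterns)
    for (host, port), state in probe(flows).items():
        print(f"{host}:{port} {state}")
```

A Hazelcast member normally binds a single port from the configured range, so `refused` on the remaining ports is expected; `no-reply` on every port of a member usually means the firewall is still dropping the traffic.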
Published June 18, 2015 - Updated October 8, 2020