Hazelcast nodes do not auto-detect across DMZ
When starting multiple nodes, some in the DMZ and some outside it, the Hazelcast auto-discovery mechanism does not work as expected. This is due to network communication port restrictions.
Steps to Reproduce
Start up PRPC nodes in both the DMZ and non-DMZ to observe the issue.
In this type of environment, where there are nodes both inside and outside the firewall, it is not possible to auto-discover Hazelcast members. Due to the presence of the firewall, communication between the nodes is explicitly forbidden.
This issue is resolved by making the following change to the operating environment:
Ports must be open in the firewall to explicitly allow Hazelcast communication between all the nodes in the Hazelcast cluster. This is analogous to the port that must be opened for database activity in this configuration.
Once the network configuration is in place to allow the various nodes to access each other using the specific set of ports, the IPs and ports to use must be configured for Pega 7. This is achieved using the following settings in the prconfig file for each node. (Note that these values are site-dependent and are examples only.)
<!-- hazelcast -->
<env name="cluster/hazelcast/ports" value="5701-5750" /> <!-- available ports that have access across the firewall for use by our cluster -->
<env name="cluster/hazelcast/interface" value="xx.x.xxx.xx"/> <!-- The IP address that I will listen to -->
<env name="cluster/hazelcast/members" value="xx.x.xxx.*" /> <!-- optional list of IPs for other members in our cluster - can be a range or comma separated -->
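To confirm that the firewall change took effect, the following added example (not part of the original article or of Pega's tooling) reads the cluster/hazelcast/* entries shown above and tries a TCP connection to every configured port on each explicitly listed member. The sample configuration, its loopback addresses and the function names are constructed for illustration; wildcard or range member entries are reported as skipped because they do not name a single host.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample mirroring the prconfig entries above; the wrapper
# element and the loopback addresses are placeholders, not site values.
SAMPLE_PRCONFIG = """<pegarules>
  <env name="cluster/hazelcast/ports" value="5701-5703" />
  <env name="cluster/hazelcast/interface" value="127.0.0.1" />
  <env name="cluster/hazelcast/members" value="127.0.0.1" />
</pegarules>"""

def read_hazelcast_settings(xml_text):
    """Return (ports, members) from the cluster/hazelcast/* env entries."""
    env = {e.get("name"): e.get("value") for e in ET.fromstring(xml_text).iter("env")}
    low, _, high = env["cluster/hazelcast/ports"].partition("-")
    ports = list(range(int(low), int(high or low) + 1))  # "5701" alone is a one-port range
    raw_members = env.get("cluster/hazelcast/members", "")
    members = [m.strip() for m in raw_members.split(",") if m.strip()]
    return ports, members

def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False

def check_members(xml_text, timeout=2.0):
    """Map each member entry to the configured ports that accept connections.

    Wildcard or range entries map to None: they cannot be probed as one host.
    """
    ports, members = read_hazelcast_settings(xml_text)
    result = {}
    for host in members:
        if "*" in host or "-" in host:
            result[host] = None
            continue
        result[host] = [p for p in ports if port_open(host, p, timeout)]
    return result

if __name__ == "__main__":
    for host, reachable in check_members(SAMPLE_PRCONFIG).items():
        status = "skipped (wildcard or range)" if reachable is None else reachable
        print(host, status or "no configured Hazelcast port reachable")
```

Run it from nodes on both sides of the firewall, since a rule may allow traffic in one direction only. An empty list for a member that is running means the firewall still blocks the configured ports on that path.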