This article covers the more technical aspects of Tulip Connector Hosts. This article is intended to be a guide for individuals with a background in Information Technology (IT).
What is the Tulip Connector Host?
Tulip Connectors are designed to allow your Tulip Apps to interface with external systems such as databases, APIs, and machines. Information about our Connectors module can be found in this article: Introduction to Connectors
The Tulip Connector Host is the part of the Tulip platform that creates connections to these external services.
For the Connectors module of Tulip to be used, a Connector Host must be able to establish a connection to the external system that is outbound from the Connector Host and inbound to the external system.
Where does the Tulip Connector Host Software Run?
The first, and most common, deployment option is a Cloud Connector Host. A Cloud Connector Host is included in your Tulip subscription and is deployed alongside the Tulip Platform and is available for use on the “Connectors Page” as “Cloud Connector Host”.
For cloud customers, this means that connection requests from this Connector Host will come from an IP address in Tulip’s Classless Inter-Domain Routing (CIDR) block (18.104.22.168/26). This allows customers to whitelist access from the Tulip Connector Host to their service. For customers running the entire Tulip Platform on-premise, the Connector Host will make requests from the same IP address as the Tulip Platform, which is dependent on your particular deployment configuration.
The second, less common, deployment option is an on-premise Connector Host. In this case, a customer elects to host an on-premise version of the Connector Host within their own networking infrastructure to remove the need to allow incoming connections from Tulip’s CIDR block. Instead, the Connector Host will create an outgoing connection from your network that is inbound to Tulip. This type of deployment is not standard and has many additional requirements such as:
- An additional subscription cost for the software.
- Remote access requirements for Tulip to support, maintain, and update the Connector Host.
- Delays in the deployment of updates including those that may affect security.
- Delays in support for outages or configuration errors.
- Additional work for the customer to host and support this software.
Deployment options for on-premise Connector Hosts should be discussed directly between Tulip’s implementation team and your IT department. If you would like to move forward with this option, please contact your Tulip representative for more information.
What are the security issues of opening access to my DB, API, or OPC UA server to the Tulip Cloud Connector Host?
The recommended way to connect a DB, API, or OPC UA server to Tulip is to allow incoming access from a Tulip Cloud Connector Host. When doing this, it is important to follow security best-practices to ensure continued security.
- Open your firewall to only Tulip IP addresses (listed here).
- Encrypt traffic using SSL/TLS encryption using trusted certificate authorities. This addresses many of the common Man in the Middle (MitM) attacks.
- Use strong authentication schemes for your APIs and DBs. This will be dependent on the type of API or DB, but strong password credentials would be one example of a minimally acceptable solution.
- Limit access for users within your DBs, APIs, and OPC UA servers. This includes both read-only users and access to various schemas, tables, endpoints, tags, etc.
- Host your resources on infrastructure that has advanced monitoring to monitor, alert on, and dismiss malicious requests. This addresses many types of DDoS attacks.
Note that these suggestions should be taken as a starting point and that this advice does not replace personalized security planning.
What are the network requirements for hosting an on-premise Connector Host?
The on-premise Connector Host has the following networking requirements:
- An IP address
- DNS resolution to <your-account>.tulip.co
- Outgoing access on port 443 from the Connector Host to Tulip. IP addresses to whitelist are available in this article: Networking Requirements for a Tulip Deployment
- Outgoing access to AWS's ECR service for updates. AWS IP addresses can be found on this page. The Connector Host will be pulling content from this repository: 657908024359.dkr.ecr.us-east-1.amazonaws.com
- Access to all systems to be used in Connectors over the relevant ports for the external service (default ports listed below).
Note that no inbound access (from the internet to the Connector Host) is required. The Connector Host initiates all connections to the Tulip Cloud.
How is the on-premise Connector Host distributed?
The on-premise Connector Host is distributed as a Virtual Machine (VM) that can be installed on any of the following locations:
- A hypervisor such as vSphere
- A cloud provider such as AWS or Azure
- A local server or computer with a virtualization software such as Virtualbox
The recommended system requirements for this VM are:
- 25GB disk space
- 2GB RAM
- 1 vCPU or equivalent
You should monitor the resource usage of your Connector Host. You may need to allocate more resources if you're using the machine monitoring features to consume hundreds of data points per second via OPC UA, or executing hundreds of requests per second using the HTTP or SQL connectors. This is not needed for most customers.
We do not distribute the Connector Host without a meeting between yourself as the customer, your Tulip representative, and the Tulip support team. If you are interested in an on-premise Connector Host, please contact your Tulip representative.
What ports do I need to open to allow the Connector Host to access my system?
The network connection between the Connector Host and your external system are entirely managed by you as the end customer. If you have questions, you should reach out to your internal teams. However, the default ports for many common services are listed below for your convenience:
- PostgreSQL: TCP/5432
- Microsoft SQL Server: TCP/1433
- Oracle: TCP/1521
- HTTP: TCP/80
- HTTPS: TCP/443
- OPC UA: TCP/4840
- Kepware OPC UA: TCP/49320
- MTConnect: TCP/5000 or TCP/80
If you have additional questions, please reach out to your Account Manager or to our support team through the Support Request or Live Chat option using the Help button in the top right of the screen.