VOLTTRON Central behind a firewall - volttron

If there is a VOLTTRON central deployment on ZMQ, would I need to have network ports on a firewall opened up if the actual VOLTTRON central instance is behind a firewall?
Basically I am looking at deploying an edge device in a building to collect some BACnet data (temporary research deployment) and hoping to aim this edge device instance to our central VOLTTRON instance that runs a SQL historian that is behind a firewall.
Does ZMQ run on port 5555? And would I need to have our firewall opened up or port forwarding on this port to handle the bi-directional ZMQ bus?

VOLTTRON itself by default is on port 22916 (this is the zmq port volttron uses). This is configured independently from the web port. When initializing a web instance there are some more dependencies that are required than just the initial bootstrap.py so you will want to use bootstrap.py --web to make sure those are added.
If the edge devices will have a web server on them, then there must be an inbound connection from a browser or code to reach that end device. In order for a volttron central agent to connect to an edge device, the edge device instance must have the vip-address of the central instance in its $VOLTTRON_HOME/config file or within the platform agent's config file. Edge devices should have the volttroncentralplatform agent installed on them for this scenario.
ZMQ could run on whatever port you configure it to. To configure volttron to use it, specify the vip-address in the ~/.volttron/config file to whatever port you would like, i.e. vip-address=tcp://127.0.0.1:22916 (only bound to the 127.0.0.1 IP address).
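
As an added example (not part of the original answer and not VOLTTRON's own code): a short Python check that reads the vip-address from a VOLTTRON config file, classifies how widely the ZMQ port is bound, and states the inbound firewall rule a remote instance would need to reach it. The sample configs, function names and the 192.0.2.10/32 peer address are constructed for illustration, and the file is assumed to use the usual `[volttron]` section header.

```python
import configparser
import ipaddress
from urllib.parse import urlparse

# Constructed sample config files (not from a real deployment).
LOOPBACK_CFG = "[volttron]\nvip-address = tcp://127.0.0.1:22916\n"
WILDCARD_CFG = "[volttron]\nvip-address = tcp://0.0.0.0:22916\n"
SINGLE_IF_CFG = "[volttron]\nvip-address = tcp://10.20.30.40:5555\n"

def classify_bind(host):
    """Classify how widely a bind host exposes the VIP (ZMQ) port."""
    if host == "*":                      # ZMQ wildcard: every interface
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"                # resolve it before judging exposure
    if ip.is_loopback:
        return "loopback"                # unreachable from other machines
    if ip.is_unspecified:
        return "all-interfaces"
    return "single-interface"

def audit_vip_address(config_text):
    """Return (host, port, exposure) for vip-address in a VOLTTRON config."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    raw = parser.get("volttron", "vip-address", fallback=None)
    if raw is None:
        return (None, None, "unset")
    url = urlparse(raw.strip())
    if url.scheme != "tcp" or not url.hostname:
        return (url.hostname, None, "not-tcp")
    return (url.hostname, url.port, classify_bind(url.hostname))

def inbound_rule(config_text, peer_cidr):
    """Describe the firewall rule a remote peer needs, or why none helps."""
    host, port, exposure = audit_vip_address(config_text)
    if exposure == "loopback":
        return "no rule helps: VIP is bound to loopback, rebind it first"
    if exposure in ("unset", "not-tcp") or port is None:
        return "cannot derive a rule: no tcp host:port in vip-address"
    dest = "any local address" if exposure == "all-interfaces" else host
    return f"allow inbound tcp/{port} from {peer_cidr} to {dest}"

if __name__ == "__main__":
    for cfg in (LOOPBACK_CFG, WILDCARD_CFG, SINGLE_IF_CFG):
        print(audit_vip_address(cfg), "->", inbound_rule(cfg, "192.0.2.10/32"))
```

Restricting the rule's source to the edge device's address keeps the VIP port closed to everything else on the network.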

Related

Payara Server Configuration

I have a microservice that is deployed on a payara app server. Everything works so far. Now I try to include an embedded REDIS Server which listens on port 6379.
In order to use this, I have to open that port and ensure that the traffic to this port is redirected to my Application.
I already configured a network listener on 6379. So that means that payara is listening on this port too.
But how can I achieve, that this port is forwarded to my own application?

How to connect to a sql database from a device connected to a different network

I am developing an app with a login system in flutter. Using postgresql I can access an external database located on a raspberry. Everything works perfectly until the network of the device changes. So here are my questions:
How can I access a database from a device connected to a different network? Is that possible?
If not, what would be the correct way to do it? Or what should I read and/or learn to apply this functionality?
Thank you.
This question is not Postgres specific.
You connect to servers over the TCP/IP protocol using the server's IP address or its FQDN (fully qualified domain name). If your device is mobile and changes network, you can use some dynamic IP service or your own name servers.
Setting up a port forwarding system is also possible.

Cannot connect to both RDP and SQL Server(Azure) over VPN at the same time

I have an Azure VPN client that I use for connecting to a web server using RDP and to an Azure SQL Server instance using SSMS. The problem is, I cannot connect to both at the same time.
When I go to the Networking properties of the VPN connection, then select the properties of TCP/IPv4, if I select "Use default gateway on remote network", I am able to connect to RDP, but not SQL Server. If "Use default gateway on remote network" is not selected, I am able to connect to SQL Server, but not RDP.
What can I do to be able to connect to both at the same time?
As far as I know, by default, once a VPN connection is successfully created, the highest priority entry will be added automatically to the local machine route table. When you select Use default gateway on remote network, data that cannot be sent on the local network is forwarded to the dial-up network when you are connected to a local network and a dial-up network simultaneously. The local network prefers to select a VPN connection route. The connection to a local network is disconnected automatically by default. So you could RDP to the web server via the private VPN connection in the dial-up network. You could not access the Azure SQL server since the traffic from the dial-up network is not allowed in the Azure SQL server firewall. In this scenario, you could check if the outgoing traffic to the Internet from your dial-up network is blocked.
When you un-select Use default gateway on remote network, usually the default gateway of the PPP adaptor will be empty. In this scenario, you cannot connect to resources on the remote network because you have disabled the Use Default Gateway on Remote Network setting in the VPN TCP/IP configuration. You could add routes for the desired VPN subnets. Refer to this paragraph: Configuring Split Tunnel for Windows.
You could use route print on the local machine to check the route entry. Compare the route table in the two situations. You can get more details from this doc.
It sounds to me like you need to configure a service endpoint on your vnet to allow traffic to route through to your Azure SQL database.
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview
Try the link above for help configuring it.

How to connect a volttron platform to one on a remote server

I would like to connect a volttron platform running on a raspberry pi connected to the local network of a building to a second volttron platform running on a virtual personal server.
I know that two volttron platforms can interact with each other using the Volttron Central Management Agent or using the ForwardAgent. However, it is not clear to me what security method is used. Our ICT manager only agrees to set up a connection if the information is exchanged through https.
Could you help me formulate an answer to ICT regarding the security issue? And give me some practical tips on how to set up the volttron configuration files? I'm not very familiar with network/security technologies. Maybe important to know: the server has a proxy and a reverse-proxy security.
Thx!
Your security person is correct. You should only set the platform up in a "real" environment through https. Since you have a proxy, that should be forwarded to the volttron central agent.
internet (443) -> proxy -> http://127.0.0.1:8080
The proxy in this case is on the same machine as the volttron central platform.
This is how we are doing it with apache as our proxy. One could do the same thing with a different web server such as nginx.
Hopefully that helps
If you are indeed trying to connect from a single instance to another instance (e.g. the way the forwarder does), then the answer is that the security uses public/private key pairs, with CurveZMQ providing perfect forward security. All traffic between platforms is 100% encrypted and only authorized agents can transmit across the instances' bus.
http://curvezmq.org/

Using volttron-cfg to configure volttron central (VC)

While using volttron-cfg, I was asked some questions:
Include volttron central platform agent on volttron central? [Y] Is the VC platform agent the backend agent and VC the frontend?
What is port 22916 (vip port)? The content returned from "localhost:22916" is not readable.
Thanks.
The VOLTTRON central agent (VC) connects to the individual VOLTTRON instances through the VOLTTRON central platform agent (VCP).
Neither the VC nor the VCP agent is considered a platform agent, because they aren't started up when you start VOLTTRON by default.
When using the volttron-cfg command, the question is asking whether you want to have a VCP as well as a VC installed on whatever instance you are setting up.
The port 22916 is the VIP (VOLTTRON Interconnect Protocol) port that allows all of the VOLTTRON agents to connect with the VOLTTRON router. If you have a VOLTTRON instance running (and left as the default port), you can telnet to it and see that it is indeed running. You will not be able to browse to it however as it is not serving http requests from that port.
