App Connect

App Connect

Join this online user group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

Exposing TCPIP Server ports with IntegrationRuntime in a containerized environment

By Andreas Evripidou posted Fri May 09, 2025 07:42 AM

  

What's new?

In App Connect Operator 12.11.0 and IntegrationRuntime 13.0.3.0, we’re introducing a new way to expose TCPIP Server ports externally when deploying ACE flows in a containerized environment. This enhancement simplifies the process of managing external access to TCPIP Server nodes while keeping your configuration clean and centralized.

Previously, exposing TCPIP Server ports required either modifying the default service (which also exposed internal ports like the Admin API) or manually creating and managing a separate Kubernetes service. With this new feature, you can now define the specific TCPIP ports you want to expose directly in the IntegrationRuntime custom resource (CR), and the operator will handle the rest.

Why is this useful?

When deploying ACE flows that use TCPIP Server nodes, it’s common to need external access to those ports. Until now, the options were:

  • Option A: Add the TCPIP port to the existing service in the CR and set the service type to NodePort to expose it via a node port. This exposes all default ports externally—including sensitive ones like the Admin API.
  • Option B: Manually create a separate NodePort service for the TCPIP ports, which requires manual lifecycle management and adds operational overhead.

This new feature eliminates the need for workarounds by allowing you to define a dedicated NodePort service directly in the CR, scoped only to the ports you want to expose.


How does it work?

If you’re using a TCPIP Server node in your flow with settings like the following in the Toolkit:

You’ll want to define a nodePortService in your IntegrationRuntime CR like this:

spec:
  nodePortService:
    ports:
      - protocol: TCP
        name: tcpip-server
        nodePort: 32000
        port: 9910
        targetPort: 9910

When this field is specified, the operator automatically creates a new Kubernetes service with the ports you define. The service is named using the IntegrationRuntime name followed by -np-ir. For example, if your IntegrationRuntime is named my-runtime, the service will be called my-runtime-np-ir.

This way ensures that only the specified TCPIP ports are exposed externally, without affecting internal ports or requiring manual service management.

Things to keep in mind

There are a few important limitations and considerations:

  • NodePort range: Most Kubernetes platforms restrict NodePort values to a specific range, typically 30000–32767. If you specify a nodePort, make sure it’s within this range and not already in use. Alternatively, you can omit the nodePort field and let Kubernetes assign an available port automatically. If you do this, you can find the automatically assigned nodePort by finding the Service in the same namespace as the IntegrationRuntime CR with the name of the CR and the -np-ir postfix.

  • Service deletion: In the current release, if you remove the nodePortService section from the CR, the associated service is not automatically deleted. This is a known issue and will be resolved in Operator version 12.12.0 0 and IntegrationRuntime 13.0.3.1.

  • Network policies: In this release, the operator does not automatically update network policies to allow traffic to the newly exposed ports. If your cluster uses restrictive network policies, you’ll need to manually update them to permit access to the NodePort service. Automatic handling of network policies is planned for a future release.

Try it now

If you're using version 12.11.0 or later of the App Connect Operator, you can try out this new feature by upgrading your integration runtimes to version 13.0.3.0 or later. Simply add the nodePortService section to your IntegrationRuntime CR and deploy your flow with TCPIP Server nodes.

0 comments
28 views

Permalink