Hi Robert
Morag and Neil have already provided excellent answers.
On the 'partial repositories hosting the same queue' - there are probably edge cases where, if you have PUTting applications connected to these queue managers, they might still want to route a message to a remote instance - for example if the local queue becomes unavailable for some reason, or you have configured CLWLUSEQ(ANY). If the putting applications are remote, then (aside from the amqsclm exception) as Morag says these should not normally need to communicate.
The only other thing I can think to add is that if, either now or in future, you add publish/subscribe applications using clustered Topic objects, by default these require that ALL partial repositories be able to communicate with all others. In your environment, it sounds like it would be sensible to look at the alternative option 'Routed Topics': https://www.ibm.com/docs/en/ibm-mq/9.3?topic=clusters-topic-host-routing-in-publishsubscribe which is more suited to star/central hub topologies.
Regards
Anthony
------------------------------
Anthony Beardsmore
IBM MQ Development
IBM
------------------------------
Original Message:
Sent: Mon May 22, 2023 05:23 PM
From: Grebenár Róbert
Subject: MQ clusters and firewalls
Hello,
I've been looking for information on how to enable firewalls between MQ cluster members.
We have a number of queue managers (40-50), with a centralized architecture (each one could only speak with the center).
And we have firewalls between almost everything :) Until now we knew what to enable, but recently we started to use MQ clusters, and the question came up: between which hosts should we enable firewalls?
I suspect (my logic tells me) that we should enable communication in the following cases:
* Between the two full repositories
* Between the partial repositories and their defined full repository (maybe both full repositories?)
* Between all the partial repositories hosting the same queue
* Between the client's queue manager and all the partial repositories hosting the queue that the application wants to reach
Are these assumptions correct? What else might be needed? Are there any "official" recommendations / best practices on firewalls when using MQ clusters?
Thanks,
Robert
------------------------------
Grebenár Róbert
------------------------------
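The difference between the default (direct) routing of clustered topics and topic host routing, mentioned in the reply above, can be checked against a hub-only firewall policy before a topic is defined. This is an added example, not part of the original thread or any IBM code: it enumerates the queue manager pairs that need cluster channel connectivity in each mode and lists the ones that bypass the hub. The queue manager names, the count of 45 spokes, hosting the topic on the hub queue managers, and the rule that every member reaches every full repository are assumptions.

```python
from itertools import combinations, permutations

def required_flows(full_repos, partial_repos, topic_hosts=None):
    """Directed (source, destination) queue manager pairs that the firewall
    must allow for cluster channels. topic_hosts=None models the default
    direct routing; a list models topic host routing."""
    members = sorted(set(full_repos) | set(partial_repos))
    pairs = set()
    # Assumption: every member exchanges cluster information with every full repository.
    for fr in full_repos:
        pairs.update(frozenset((fr, m)) for m in members if m != fr)
    if topic_hosts is None:
        # Direct routing: every member must be able to reach every other member.
        pairs.update(frozenset(p) for p in combinations(members, 2))
    else:
        # Topic host routing: members only need to reach the topic hosts.
        for th in topic_hosts:
            pairs.update(frozenset((th, m)) for m in members if m != th)
    # Each queue manager has its own cluster receiver, so both directions are needed.
    return {flow for p in pairs for flow in permutations(sorted(p), 2)}

def flows_bypassing_hub(flows, hubs):
    """Flows where neither end is a hub, i.e. ones a hub-only policy blocks."""
    hubs = set(hubs)
    return sorted(f for f in flows if f[0] not in hubs and f[1] not in hubs)

# Constructed topology: two central full repositories and 45 spoke queue managers.
HUBS = ["HUB1", "HUB2"]
SPOKES = [f"SPOKE{i:02d}" for i in range(1, 46)]

DIRECT = required_flows(HUBS, SPOKES)
ROUTED = required_flows(HUBS, SPOKES, topic_hosts=HUBS)

if __name__ == "__main__":
    for name, flows in (("direct", DIRECT), ("topic host", ROUTED)):
        blocked = flows_bypassing_hub(flows, HUBS)
        print(f"{name}: {len(flows)} flows, {len(blocked)} bypass the hub")
        for src, dst in blocked[:3]:
            print(f"  needs new rule: {src} -> {dst}")
```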