
Requirements and Limits for Flex Gateway

Before you download and install Anypoint Flex Gateway, review the following requirements and limits.

Flex Gateway Requirements

Permission Requirements

To use Flex Gateway, you must have these permissions:

| Permission | Ability | Notes |
| --- | --- | --- |
| Manage Servers | Create, update, and delete server and Flex Gateway resources. | Runtime Manager permission, which is assigned to a specific environment in a Business Group. |
| Read Servers | View server and Flex Gateway resources. | Runtime Manager permission, which is assigned to a specific environment in a Business Group. |
| Usage Viewer | View gateway metrics. | Usage permission, which can be added only by an organization administrator at the root organization level. |

Your Anypoint Platform Admin can add these permissions in Access Management. See Manage Team Permissions for more information.

Connected App Scope Requirements

To register Self-Managed Flex Gateway using a Connected App, the following scopes are required:

  • Manage Servers

  • Read Servers

  • View Organization

Managed Flex Gateway Resource Requirements

To use Managed Flex Gateway your Business Group must have at least one of these Managed Flex Gateway resources:

  • Large Managed Flex Gateways

  • Small Managed Flex Gateways

These resources aren’t inherited. To redistribute Managed Flex Gateway resources to a business group, see Redistribute Resources Between Existing Business Groups.

Managed Flex Gateway Private Space Requirement

To use Managed Flex Gateway, you must have created a private space in CloudHub 2.0 or have access to a private space created by someone else.

To create a private space, see Creating Private Spaces.

Software Requirements for Self-Managed Flex Gateway

Flex Gateway isn’t supported on Windows or in Docker running on Windows.

Software Requirements for Kubernetes and OpenShift Deployments

Running Flex Gateway requires:

  • A minimum of either Kubernetes 1.21 or OpenShift 4.8.

  • Ingress v1 (stable), which requires specifying apiVersion: networking.k8s.io/v1 as the API version in your configuration resources.

  • A private cloud or data center.

    Or, a cloud provider such as the following:

    • Google Kubernetes Engine (GKE)

    • Amazon Elastic Kubernetes Service (Amazon EKS)

    • Azure Kubernetes Service (AKS)

  • A minimum Helm version of 3.0.0.

Software Requirements for Linux Deployments

Flex Gateway runs on the following Long Term Support (LTS) versions of Linux:

  • Amazon Linux 2023

  • CentOS 8

  • Debian (Bullseye, Bookworm)

  • Red Hat Enterprise Linux (9)

  • Red Hat Enterprise Linux (9) on IBM Power (ppc64le)

  • SUSE Linux Enterprise (SLES 15 SP3)

  • SUSE Linux Enterprise (SLES 15 SP3) on IBM Power (ppc64le)

  • Ubuntu (Focal, Jammy)

Flex Gateway is designed to run in cloud-native architectures. Therefore, multiple installations on a single Linux VM aren’t supported. You can install only one gateway instance per Linux VM.

Software Requirements for Container Deployments

Flex Gateway supports the following:

  • Docker

  • Podman

Additionally, Flex Gateway supports the following container orchestration services:

  • Amazon Elastic Container Service (Amazon ECS)

  • Azure Container Service (ACS)

  • Google Cloud Run

  • AWS Fargate

Hardware Requirements for Self-Managed Flex Gateway

A single Flex Gateway can support multiple backend APIs. To support more backend APIs, you can deploy multiple replicas or additional Flex Gateways. For information about sizing, refer to Resource Sizing for Self-Managed Flex Gateway.

Flex Gateway requires either an Intel or AMD-64 processor.

Ports, IPs, and Hostnames Allowlist Requirements

For Flex Gateway to communicate with MuleSoft-managed online Anypoint Platform APIs and services, you must add these hostnames and ports of external resources to the allowlist:

| Plane | Host | Port | Mode | Description | Protocol |
| --- | --- | --- | --- | --- | --- |
| US | anypoint.mulesoft.com | 443 | Both | Required to connect with the control plane, push internal metrics, and download custom policy binaries. | HTTPS |
| US | arm-mcm2-service.kprod.msap.io | 443 | Both | Required to communicate with the transport layer. | mTLS |
| US | logging.ingestion.us-east-1.prod.cloudhub.io | 443 | Both | Required to send analytics data to the control plane. | HTTPS |
| US | metering.ingestion.us-east-1.prod.cloudhub.io | 443 | Both | Required to send analytics data to the control plane. | HTTPS |
| US | monitoring.ingestion.us-east-1.prod.cloudhub.io | 443 | Both | Required to send analytics data to the control plane. | HTTPS |
| US | exchange-files.anypoint.mulesoft.com | 443 | Connected | Required to download policies. | HTTPS |
| US | exchange2-asset-manager-kprod.s3.amazonaws.com | 443 | Connected | Required to download policies. | HTTPS |
| US | configuration-resolver.prod.cloudhub.io | 443 | Connected | Required to download policies. | mTLS |
| US | us1.ingest.mulesoft.com | 443 | Both | Required to send analytics data to the control plane. | HTTPS |
| US | flex-packages.anypoint.mulesoft.com | 443 | Both | Required to download and install Flex Gateway. | HTTPS |
| EU | eu1.anypoint.mulesoft.com | 443 | Both | Required to connect with the control plane, push internal metrics, and download custom policy binaries. | HTTPS |
| EU | arm-mcm2-service.kprod-eu.msap.io | 443 | Both | Required to communicate with the transport layer. | mTLS |
| EU | logging.ingestion.eu-central-1.prod-eu.msap.io | 443 | Both | Required to send analytics data to the control plane. | HTTPS |
| EU | metering.ingestion.eu-central-1.prod-eu.msap.io | 443 | Both | Required to send analytics data to the control plane. | HTTPS |
| EU | eu1.ingest.mulesoft.com | 443 | Both | Required to send analytics data to the control plane. | HTTPS |
| EU | monitoring.ingestion.eu-central-1.prod-eu.msap.io | 443 | Both | Required to send analytics data to the control plane. | HTTPS |
| EU | configuration-resolver.prod-eu.msap.io | 443 | Connected | Required to download policies. | mTLS |
| EU | exchange-files.eu1.anypoint.mulesoft.com | 443 | Connected | Required to download policies. | HTTPS |
| EU | exchange2-asset-manager-kprod-eu.s3.eu-central-1.amazonaws.com | 443 | Connected | Required to download policies. | HTTPS |
| EU | flex-packages.anypoint.mulesoft.com | 443 | Both | Required to download and install Flex Gateway. | HTTPS |
| EU | flex-packages.eu1.anypoint.mulesoft.com | 443 | Both | Required to download and install Flex Gateway. | HTTPS |

Port 9998 is reserved for internal processes, and should not be used in ApiInstance definitions.
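
A preflight check for the allowlist above, as an added example that is not part of the MuleSoft documentation: it selects the hosts a gateway needs for its plane and mode and reports the ones it cannot reach on port 443. It assumes the Mode value Both covers Connected and Local Mode; the function names are hypothetical.

```python
import socket
import sys

# Plane, host, mode, protocol from the allowlist table; every entry uses port 443.
ALLOWLIST = """
US anypoint.mulesoft.com Both HTTPS
US arm-mcm2-service.kprod.msap.io Both mTLS
US logging.ingestion.us-east-1.prod.cloudhub.io Both HTTPS
US metering.ingestion.us-east-1.prod.cloudhub.io Both HTTPS
US monitoring.ingestion.us-east-1.prod.cloudhub.io Both HTTPS
US exchange-files.anypoint.mulesoft.com Connected HTTPS
US exchange2-asset-manager-kprod.s3.amazonaws.com Connected HTTPS
US configuration-resolver.prod.cloudhub.io Connected mTLS
US us1.ingest.mulesoft.com Both HTTPS
US flex-packages.anypoint.mulesoft.com Both HTTPS
EU eu1.anypoint.mulesoft.com Both HTTPS
EU arm-mcm2-service.kprod-eu.msap.io Both mTLS
EU logging.ingestion.eu-central-1.prod-eu.msap.io Both HTTPS
EU metering.ingestion.eu-central-1.prod-eu.msap.io Both HTTPS
EU eu1.ingest.mulesoft.com Both HTTPS
EU monitoring.ingestion.eu-central-1.prod-eu.msap.io Both HTTPS
EU configuration-resolver.prod-eu.msap.io Connected mTLS
EU exchange-files.eu1.anypoint.mulesoft.com Connected HTTPS
EU exchange2-asset-manager-kprod-eu.s3.eu-central-1.amazonaws.com Connected HTTPS
EU flex-packages.anypoint.mulesoft.com Both HTTPS
EU flex-packages.eu1.anypoint.mulesoft.com Both HTTPS
"""

def required_hosts(plane, mode):
    """Hosts for plane 'US'/'EU' and mode 'Connected'/'Local' (assumes Both = either mode)."""
    rows = [line.split() for line in ALLOWLIST.splitlines() if line]
    return [(h, proto) for p, h, m, proto in rows if p == plane and m in ("Both", mode)]

def tcp_connect(host, port, timeout=5.0):
    """True if a TCP connection opens; DNS failure, refusal and timeout count as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_egress(plane, mode, connect=tcp_connect):
    """Return the (host, protocol) pairs that could not be reached on port 443."""
    return [(h, p) for h, p in required_hosts(plane, mode) if not connect(h, 443)]

if __name__ == "__main__":
    plane, mode = sys.argv[1:3] if len(sys.argv) >= 3 else ("US", "Connected")
    for host, proto in check_egress(plane, mode):
        print(f"BLOCKED {host}:443 ({proto})")
```

Run it from the gateway host so the result reflects that host's egress path. An open TCP connection does not prove the TLS session will succeed; hosts marked mTLS also need a path that does not terminate TLS in between.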

Flex Gateway Limits

| Limit | Value | Notes |
| --- | --- | --- |
| Request header | 60 KB | Requests that exceed this limit receive a 431 response. |
| Payload | 1 MB | This limit applies only to buffering the payload (such as logging the payload using message logging). If you’re not accessing the payload, the payload size has no limit. Payloads that exceed this limit receive a 413 response. |
| Contracts per API | 1,000 | Exceeding this limit isn’t supported but doesn’t cause errors. |
| Contracts per gateway instance | 10,000 | Exceeding this limit isn’t supported but doesn’t cause errors. |
| Upstreams per API | 100 | The 100 upstreams can consist of a combination of different routes. To learn more, see Multiple Upstream Limits. |
| Routes per API | 100 | |
| Upstreams per route | 10 | |

Managed Flex Gateway Limits

| Limit | Value | Notes |
| --- | --- | --- |
| APIs per Large Managed Gateway instance | 500 | Exceeding this limit isn’t supported but doesn’t cause errors. |
| APIs per Small Managed Gateway instance | 50 | Exceeding this limit isn’t supported but doesn’t cause errors. |
| Requests per second for Large Managed Gateway | 500 | |
| Requests per second for Small Managed Gateway | 100 | |

Self-Managed Flex Gateway Limits

| Limit | Value | Notes |
| --- | --- | --- |
| Request header | 60 KB | Requests that exceed this limit receive a 431 response. |
| APIs per Self-Managed Gateway instance | 1,000 | Exceeding this limit isn’t supported but doesn’t cause errors. |

Flex Gateway Environment Variables

| Environment Variable | Default Value | Function |
| --- | --- | --- |
| FLEX_CONNECTION_IDLE_TIMEOUT_SECONDS | 60 | Maximum number of seconds a connection can be idle before it times out. |
| FLEX_DOWNSTREAM_CONNECTION_BUFFER_LIMIT_BYTES | 1048576 (1 MB) | Maximum size, in bytes, of read and write buffers for new connections. |
| FLEX_ENVOY_HEADERS_ENABLED | false | Allows (true) or removes (false) Envoy headers from requests. |
| FLEX_STREAM_IDLE_TIMEOUT_SECONDS | 300 | Maximum number of seconds a stream can remain idle without receiving any data in either the inbound (client to Flex Gateway) or outbound (Flex Gateway to upstream service) direction. |
| FLEX_UPSTREAM_CONNECTION_IDLE_TIMEOUT_SECONDS | 60 | Maximum number of seconds a stream between Flex Gateway and the upstream service can remain idle between requests. |
| FLEX_UPSTREAM_RESPONSE_TIMEOUT_SECONDS | 15 | Maximum number of seconds a Flex Gateway waits for a response from an upstream service. |

Flex Gateway on Hyperforce

Managed Flex Gateway

Managed Flex Gateway isn’t supported on Hyperforce deployments.

Flex Gateway Running in Connected Mode

Hyperforce supports Flex Gateway Connected Mode versions 1.8 and later. Because the Flex Gateway is hosted locally, Hyperforce does not affect the gateway’s function. However, the gateway’s control plane is affected by the API Manager Hyperforce limitations. To learn more, see API Manager on Hyperforce.

Flex Gateway Running in Local Mode

Because Flex Gateway running in Local Mode is completely self-hosted, it isn’t affected by Hyperforce.