Requirements and Limits for Flex Gateway

Before you download and install Anypoint Flex Gateway, review the following requirements and limits.

Permission Requirements

Running Flex Gateway requires the following permissions:

Manage Servers and Read Servers permissions in Runtime Manager

Your Anypoint Platform Admin can add these permissions in Access Management. See Manage Team Permissions for more information.

Your Anypoint Platform Admin can also add a Connected App with the appropriate permissions. See Connected Apps for more information.

To use Managed Flex Gateway or to register Self-Managed Flex Gateway using a Connected App, the following scopes are required:

Manage Servers
Read Servers
View Organization

Software Requirements for Self-Managed Flex Gateway

Flex Gateway isn’t supported on Windows or in Docker running on Windows.

Software Requirements for Kubernetes and OpenShift Deployments

Running Flex Gateway requires:

A minimum of either Kubernetes 1.21 or OpenShift 4.8.
Ingress v1 (stable), which requires specifying apiVersion: networking.k8s.io/v1 as the API version in your configuration resources.
A private cloud or data center.

Or, a cloud provider such as the following:
- Google Kubernetes Engine (GKE)
- Amazon Elastic Kubernetes Service (Amazon EKS)
- Azure Kubernetes Service (AKS)

A minimum Helm version of 3.0.0 is required.

Software Requirements for Linux Deployments

Flex Gateway runs on the following Long Term Support (LTS) versions of Linux:

Amazon Linux 2023
CentOS 8
Debian (Bullseye, Bookworm)
Red Hat Enterprise Linux (9)
Red Hat Enterprise Linux (9) on IBM Power (ppc64le)
SUSE Linux Enterprise (SLES 15 SP3)
SUSE Linux Enterprise (SLES 15 SP3) on IBM Power (ppc64le)
Ubuntu (Focal, Jammy)

Flex Gateway is designed to run in cloud-native architectures. Therefore, multiple installations on a single Linux VM aren’t supported. You can install only one gateway instance per Linux VM.

Software Requirements for Container Deployments

Flex Gateway supports the following:

Docker
Podman

Additionally, Flex Gateway supports the following container orchestration services:

Amazon Elastic Container Service (Amazon ECS)
Azure Container Service (ACS)
Google Cloud Run
AWS Fargate

Hardware Requirements for Self-Managed Flex Gateway

A single Flex Gateway can support multiple backend APIs. To support more backend APIs, you can deploy multiple replicas or additional Flex Gateways. For information about sizing, refer to Resource Sizing for Self-Managed Flex Gateway.

Flex Gateway requires either an Intel or AMD-64 processor.

Flex Gateway Limits

Limit Value Notes

Limit	Value	Notes
Request header	60 KB	Requests that exceed this limit receive a `431` response.
Payload	1 MB	This limit applies only to buffering the payload (such as logging the payload using message logging). If you’re not accessing the payload, the payload size has no limit. Payloads that exceed this limit receive a 413 response.
Upstreams per API	50	The 50 upstreams is a combination of different routes. To learn more, see Multiple Upstream Limits.
Contracts per API	1,000	Exceeding this limit isn’t supported but doesn’t cause errors.
Contracts per gateway instance	10,000	Exceeding this limit isn’t supported and causes no error.

Request header

60 KB

Requests that exceed this limit receive a 431 response.

Payload

1 MB

This limit applies only to buffering the payload (such as logging the payload using message logging). If you’re not accessing the payload, the payload size has no limit.
Payloads that exceed this limit receive a 413 response.

Upstreams per API

The 50 upstreams is a combination of different routes.
To learn more, see Multiple Upstream Limits.

Contracts per API

1,000

Exceeding this limit isn’t supported but doesn’t cause errors.

Contracts per gateway instance

10,000

Exceeding this limit isn’t supported and causes no error.

Managed Flex Gateway Limits

Limit	Value	Notes
APIs per Large Managed Gateway instance	500	Exceeding this limit isn’t supported but doesn’t cause errors.
APIs per Small Managed Gateway instance	50	Exceeding this limit isn’t supported but doesn’t cause errors.
Requests per second for Large Managed Gateway	500
Requests per second for Small Managed Gateway	100

Self-Managed Flex Gateway Limits

Limit Value Notes

Limit	Value	Notes
Request header	60 KB	Requests that exceed this limit receive a `431` response.
APIs per Self-Managed Gateway instance	1,000	Exceeding this limit isn’t supported but doesn’t cause errors.

Request header

60 KB

Requests that exceed this limit receive a 431 response.

APIs per Self-Managed Gateway instance

1,000

Exceeding this limit isn’t supported but doesn’t cause errors.

Ports, IPs, and Hostnames Allowlist Requirements

For Flex Gateway to communicate with MuleSoft-managed online Anypoint Platform APIs and services, you must add the following hostnames and ports of external resources to the allowlist:

Plane	Host	Port	Mode	Description	Protocol
US	anypoint.mulesoft.com	443	Both	Required to connect with the control plane, push internal metrics, and download custom policy binaries	HTTPS
US	arm-mcm2-service.kprod.msap.io	443	Both	Required to communicate with the transport layer	mTLS
US	logging.ingestion.us-east-1.prod.cloudhub.io	443	Both	Required to send analytics data to the control plane	HTTPS
US	metering.ingestion.us-east-1.prod.cloudhub.io	443	Both	Required to send analytics data to the control plane	HTTPS
US	monitoring.ingestion.us-east-1.prod.cloudhub.io	443	Both	Required to send analytics data to the control plane	HTTPS
US	exchange-files.anypoint.mulesoft.com	443	Connected	Required to download policies	HTTPS
US	exchange2-asset-manager-kprod.s3.amazonaws.com	443	Connected	Required to download policies	HTTPS
US	configuration-resolver.prod.cloudhub.io	443	Connected	Required to download policies	mTLS
US	us1.ingest.mulesoft.com	443	Both	Required to send analytics data to the control plane	HTTPS
US	flex-packages.anypoint.mulesoft.com	443	Both	Required to download and install Flex Gateway	HTTPS
EU	eu1.anypoint.mulesoft.com	443	Both	Required to connect with the control plane, push internal metrics, and download custom policy binaries	HTTPS
EU	arm-mcm2-service.kprod-eu.msap.io	443	Both	Required to communicate with the transport layer	mTLS
EU	logging.ingestion.eu-central-1.prod-eu.msap.io	443	Both	Required to send analytics data to the control plane	HTTPS
EU	metering.ingestion.eu-central-1.prod-eu.msap.io	443	Both	Required to send analytics data to the control plane	HTTPS
EU	eu1.ingest.mulesoft.com	443	Both	Required to send analytics data to the control plane	HTTPS
EU	monitoring.ingestion.eu-central-1.prod-eu.msap.io	443	Both	Required to send analytics data to the control plane	HTTPS
EU	configuration-resolver.prod-eu.msap.io	443	Connected	Required to download policies	mTLS
EU	exchange-files.eu1.anypoint.mulesoft.com	443	Connected	Required to download policies	HTTPS
EU	exchange2-asset-manager-kprod-eu.s3.eu-central-1.amazonaws.com	443	Connected	Required to download policies	HTTPS
EU	flex-packages.anypoint.mulesoft.com	443	Both	Required to download and install Flex Gateway	HTTPS
EU	flex-packages.eu1.anypoint.mulesoft.com	443	Both	Required to download and install Flex Gateway	HTTPS

Plane

Host

Port

Mode

Description

Protocol

anypoint.mulesoft.com

443

Both

Required to connect with the control plane, push internal metrics, and download custom policy binaries

HTTPS

arm-mcm2-service.kprod.msap.io

443

Both

Required to communicate with the transport layer

mTLS

logging.ingestion.us-east-1.prod.cloudhub.io

443

Both

Required to send analytics data to the control plane

HTTPS

metering.ingestion.us-east-1.prod.cloudhub.io

443

Both

Required to send analytics data to the control plane

HTTPS

monitoring.ingestion.us-east-1.prod.cloudhub.io

443

Both

Required to send analytics data to the control plane

HTTPS

exchange-files.anypoint.mulesoft.com

443

Connected

Required to download policies

HTTPS

exchange2-asset-manager-kprod.s3.amazonaws.com

443

Connected

Required to download policies

HTTPS

configuration-resolver.prod.cloudhub.io

443

Connected

Required to download policies

mTLS

us1.ingest.mulesoft.com

443

Both

Required to send analytics data to the control plane

HTTPS

flex-packages.anypoint.mulesoft.com

443

Both

Required to download and install Flex Gateway

HTTPS

eu1.anypoint.mulesoft.com

443

Both

Required to connect with the control plane, push internal metrics, and download custom policy binaries

HTTPS

arm-mcm2-service.kprod-eu.msap.io

443

Both

Required to communicate with the transport layer

mTLS

logging.ingestion.eu-central-1.prod-eu.msap.io

443

Both

Required to send analytics data to the control plane

HTTPS

metering.ingestion.eu-central-1.prod-eu.msap.io

443

Both

Required to send analytics data to the control plane

HTTPS

eu1.ingest.mulesoft.com

443

Both

Required to send analytics data to the control plane

HTTPS

monitoring.ingestion.eu-central-1.prod-eu.msap.io

443

Both

Required to send analytics data to the control plane

HTTPS

configuration-resolver.prod-eu.msap.io

443

Connected

Required to download policies

mTLS

exchange-files.eu1.anypoint.mulesoft.com

443

Connected

Required to download policies

HTTPS

exchange2-asset-manager-kprod-eu.s3.eu-central-1.amazonaws.com

443

Connected

Required to download policies

HTTPS

flex-packages.anypoint.mulesoft.com

443

Both

Required to download and install Flex Gateway

HTTPS

flex-packages.eu1.anypoint.mulesoft.com

443

Both

Required to download and install Flex Gateway

HTTPS

Port 9998 is reserved for internal processes, and should not be used in ApiInstance definitions.

Flex Gateway on Hyperforce

Hyperforce supports Flex Gateway versions 1.7 and later. Because Flex Gateway running in Local Mode is completely self-hosted, it isn’t affected by Hyperforce. For Flex Gateway running in Connected Mode, some API Manager Hyperforce limitations affect Mule Gateway. To learn more, see API Manager on Hyperforce.