Firewalls protect valuable data from public access. If your data sources reside behind a firewall for protection, and you are not using a Satellite Connector or Satellite location, then you must configure the firewall to allow the IP addresses for Cloud Pak for Data as a Service and also for individual services. Otherwise, Cloud Pak for Data as a Service is denied access to the data sources.

To allow Cloud Pak for Data as a Service access to private data sources, you configure inbound firewall rules using the security mechanisms for your firewall. Inbound firewall rules are not required for connections that use a Satellite Connector or Satellite location, which establishes a link by performing an outbound connection. For more information, see Connecting to data behind a firewall.

All services in Cloud Pak for Data as a Service actively use WebSockets for the proper functioning of the user interface and APIs. Any firewall between the user and the Cloud Pak for Data as a Service domain must allow HTTPUpgrade. If Cloud Pak for Data as a Service is installed behind a firewall, traffic for the wss:// protocol must be enabled.