Elastic APM RUM architecture

Hi, i have a question to RUM architecture. I have added RUM to our Webshop frontend JS code and able to test with local APM-server... if i want to really monitor the Webshop users events, do i need to make the APM - Server - port available to the world? Is there any security to prevent DDOS attacks or something like this on APM port or do i need to handle this by infrastructure?


APM server is exposing an API for RUM agent same way as your backend is exposing API to your frontend. so protect it the same way you are doing with your backend API behind a WAF/Proxy ...

Hi @binschlag,

Thanks for reaching out.

The APM Server port needs to be exposed publicly if your application is used over the internet, but if you only have an internal app, you only need to expose the port on that network.

APM Server already includes rate limiting and there's an issue for supporting third-party authentication systems. Please feel free to comment on the issue.

I hope this helps,

1 Like