I wonder if you're closing this port not only to inbound from the internet but also inbound from the private network as well? From the machine running your proxy, with port 8443 closed can the proxy get to ZAC? If yes - then I would try what @gooseleggs wrote up and see if you still have issues. If you do, look at the logs from the router that's trying to access ZAC. It might provide the missing information.
No, not at all. Every computer that's connected to the internet will have two different interfaces available to you. You'll have the "loopback" or "localhost" or "127.0.0.1" and you'll have 'whatever' the IP address is, let's call it 1.2.3.4...
For example, if you used any quickstart for your setup, the controller config will have a section called "web.name.bindPoints" and in there will be an 'interface'. By default, it'll listen on ALL interfaces by using 0.0.0.0. However you could choose to change this (just beware, if you "do it wrong", you'll know because suddenly things won't respond any more lol).
If you change this to 1.2.3.4 - well then suddenly you won't be able to access your controller API using 127.0.0.1 because you have bound to the IP address specifically, which won't be on the "loopback" interface. Or conversely, you change this to 127.0.0.1 - now "nothing" will work from anywhere other than localhost because you're binding specifically to the loopback, the one that has IP 127.0.0.1 assigned to it...
That's what you can do for the management API... You can leave the "client" API bound to 0.0.0.0 but keep the "management" API bound to 127.0.0.1. That would prevent changes to your network from anywhere except for when the traffic is on the local machine.
I didn't test this (shame on me) but that means you would change the config from looking like this:
web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:8441
        address: ec2-18-188-201-183.us-east-2.compute.amazonaws.com:8441
    identity: (removed section for brevity)
    options: (removed section for brevity)
    apis:
      - binding: fabric
        options: { }
      - binding: health-checks
        options: { }
      - binding: edge-management
        options: { }
      - binding: edge-client
        options: { }
to look like this:
web:
  - name: management-apis
    bindPoints:
      - interface: 127.0.0.1:5309
        address: "127.0.0.1:5309"
    identity: (removed section for brevity)
    options: (removed section for brevity)
    apis:
      - binding: fabric
        options: { }
      - binding: health-checks
        options: { }
      - binding: edge-management
        options: { }
      # - binding: edge-client ----- notice this is commented out
      #   options: { }             ----- notice this is commented out
  - name: client-apis
    bindPoints:
      - interface: 0.0.0.0:8441
        address: ec2-18-188-201-183.us-east-2.compute.amazonaws.com:8441
    options:
    apis:
      - binding: edge-client
        options: { }
Now your management API is only accessible from "localhost" but your "edge" API is still accessible from anywhere. Obviously if you do this - it affects ZAC since it makes heavy use of the management api.
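As an added example (not from the post above and not OpenZiti project code), here is a small audit check for the split the post describes: it walks the controller's `web` listeners and reports any bind point that serves `edge-management` on an interface other than loopback. It assumes the config has already been loaded into a dict (for instance with `yaml.safe_load`); the two configs from the post are embedded as constructed dicts with the identity/options sections omitted.

```python
import ipaddress

# Constructed to mirror the "before" and "after" configs from the post.
BEFORE = {"web": [{"name": "client-management",
                   "bindPoints": [{"interface": "0.0.0.0:8441"}],
                   "apis": [{"binding": "fabric"}, {"binding": "health-checks"},
                            {"binding": "edge-management"}, {"binding": "edge-client"}]}]}
AFTER = {"web": [{"name": "management-apis",
                  "bindPoints": [{"interface": "127.0.0.1:5309"}],
                  "apis": [{"binding": "fabric"}, {"binding": "health-checks"},
                           {"binding": "edge-management"}]},
                 {"name": "client-apis",
                  "bindPoints": [{"interface": "0.0.0.0:8441"}],
                  "apis": [{"binding": "edge-client"}]}]}


def split_host_port(interface):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = interface.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback_only(host):
    """True only when the listener is pinned to a loopback address.
    0.0.0.0 and :: mean 'all interfaces'; a hostname cannot be trusted
    to resolve to loopback, so both are treated as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_sensitive_listeners(config, sensitive=frozenset({"edge-management"})):
    """Return (listener name, interface, binding) for each sensitive API
    that is reachable on a bind point which is not loopback-only."""
    findings = []
    for listener in config.get("web", []):
        hot = {api["binding"] for api in listener.get("apis", [])} & sensitive
        if not hot:
            continue
        for bp in listener.get("bindPoints", []):
            host, _ = split_host_port(bp["interface"])
            if not is_loopback_only(host):
                findings.extend((listener["name"], bp["interface"], b) for b in sorted(hot))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, exposed_sensitive_listeners(cfg) or "management API is loopback-only")
```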