Firewall Requirements

To operate a KeyControl cluster in your data center or private cloud, all VMs that run in a public cloud and all HyTrust DataControl Policy Agents in the system must be able to communicate with every KeyControl node in the cluster.

For example, the following diagram shows a cluster of two KeyControl nodes. The first has an IP address of 10.238.32.90 and has been assigned port 6888. The second has an IP address of 10.238.32.91 and has been assigned port 6889. Both ports are mapped as accessible on the firewall.

When you register a new VM, you specify the firewall IP address and the port mapped to the node. The VM then communicates with the KeyControl node through the firewall over port 443 (HTTPS).
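The mapping above, expressed as firewall rules. This is an added example, not configuration from the KeyControl documentation or product: it generates iptables DNAT rules that forward the two externally published ports (6888, 6889) to the two nodes on 443 and checks that no two nodes share an external port. The firewall's public address (203.0.113.10, a documentation range) and the external interface name (eth0) are assumptions.

```shell
#!/bin/sh
# Added example: build iptables rules that map firewall ports to KeyControl nodes.
FW_IP="203.0.113.10"   # assumed public-facing firewall address (documentation range)
WAN_IF="eth0"          # assumed external interface of the firewall

# One "external_port node_ip" pair per line; ports and addresses from the page.
KC_NODES="6888 10.238.32.90
6889 10.238.32.91"

# Emit the rules for one node: DNAT the published port to node:443,
# and allow the forwarded HTTPS flow through the FORWARD chain.
kc_dnat_rule() {
  ext_port="$1"; node_ip="$2"
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:443\n' \
    "$WAN_IF" "$FW_IP" "$ext_port" "$node_ip"
  printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport 443 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
    "$WAN_IF" "$node_ip"
}

# Emit the rules for every node in the cluster.
kc_dnat_rules() {
  echo "$KC_NODES" | while read -r ext_port node_ip; do
    [ -n "$ext_port" ] || continue
    kc_dnat_rule "$ext_port" "$node_ip"
  done
}

# Sanity check: a duplicate external port would leave one node unreachable,
# because only the first matching PREROUTING rule fires.
kc_check_unique_ports() {
  dups=$(echo "$KC_NODES" | awk '{print $1}' | sort | uniq -d)
  [ -z "$dups" ]
}

# Print the rules. To apply them on the firewall, pipe the output into sh as root.
kc_check_unique_ports || { echo "duplicate external port in KC_NODES" >&2; exit 1; }
kc_dnat_rules
```

The VM registration then uses 203.0.113.10:6888 or 203.0.113.10:6889 as its KeyControl address, and the firewall delivers the session to the corresponding node on 443.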

You can also place a load balancer behind the firewall. The load balancer presents a single IP address to the firewall (and therefore to the VMs) and distributes the traffic across your KeyControl nodes.