Please explain how AMP nodes communicate and how to set up multiple nodes (controller + targets) behind one reverse proxy

I’m really struggling with the lack of information provided about the communication model of nodes in an AMP controller → target configuration. After wrestling with and failing to successfully deploy this model for an afternoon, I am left with the following questions:

  1. What is the active connection model between nodes? The controller initiates all communication with targets, or targets can initiate communications with the controller as well? (Which directions do I need to allow traffic in on my firewall(s)?)
  2. Which ports does AMP use for inter-node communication? It just uses a REST API between the nodes and therefore only needs access to the HTTP port of each node, or more?
  3. What external access is needed to the target nodes, if any? Or only the controller needs access?
  4. Do all nodes need HTTPS or just the controller? All of my nodes are on my own network.
  5. Considering the previous question, and the fact that I have a single reverse proxy already set up to handle inbound HTTP(S) and SSL certs, etc., do all the nodes need to be accessible through the reverse proxy, or just the controller node?

I’d appreciate some guidance on how this all works, as I have basically found nothing on any of your websites that answers these questions.

Thank you in advance.