Dynatrace Managed requires specific network ports for operation. Configure your firewall so that all ports listed below are open for bi-directional communication. For a typical Managed deployment, all ports should be open between cluster nodes.
| Port | Used by | Notes |
|---|---|---|
443 | Dynatrace web UI, OneAgent, and REST API | Routed to local port 8022 via an iptables prerouting rule. This port must remain open to allow incoming traffic from your data center. All cluster communication uses HTTPS with strong encryption. |
5701-5710 | Hazelcast In-memory data grid platform | Distributes data evenly across cluster nodes and enables horizontal scaling. Required for cluster-internal communication only. Ports can be blocked for traffic from outside the cluster. |
5711, 8018 | Nodekeeper | Required for cluster-internal communication only. Ports can be blocked for traffic from outside the cluster. |
7000, 7001, 9042 | Cassandra-based Hypercube storage | Required for cluster-internal communication only. Ports can be blocked for traffic from outside the cluster. |
7199 | Cassandra JMX | Required for cluster-internal communication only. Port can be blocked for traffic from outside the cluster. |
8019 | Upgrade UI | Required for cluster-internal communication only. Port can be blocked for traffic from outside the cluster. |
8020, 8021 | Dynatrace Managed UI and REST API | Required for cluster-internal communication only. Ports can be blocked for traffic from outside the cluster. |
8022 | Dynatrace Managed UI and REST API (NGINX) | Can be used in place of port 443 when a non-privileged port is required. Ports can be blocked for traffic from outside the cluster. |
84431 | Monitoring data from OneAgent, nodes within Dynatrace Managed cluster | OneAgent sends data outbound to Dynatrace Server only — no listening port is opened on the monitored host. Each host with OneAgent must have access to this port, which must also remain open for inter-node communication. |
9200, 9300 | Elasticsearch-based search engine | Required for cluster-internal communication only. Ports can be blocked for traffic from outside the cluster. |
Environments running a cluster version earlier than 1.166 use port 8443. New environments still use port 8443, but it doesn't need to be exposed outside the cluster nodes. Upgraded environments preserve the port settings from the previous version.
All cluster nodes must be able to communicate with Mission Control to receive software updates and exchange data. Allow outbound traffic to the following IPv4 addresses:
13.228.109.3346.137.81.20552.5.224.5652.48.91.14652.200.165.1052.221.165.63Domains used:
mcsvc.dynatrace.commcsvc-us.dynatrace.commcsvc-eu.dynatrace.commcsvc-ap.dynatrace.comAll cluster data received by Mission Control via the domains above is hosted in the U.S. regions.
To ensure compliance with United States export restrictions2, if you plan to host a Managed Cluster or monitor Huawei Cloud services (or any Huawei affiliate), contact Dynatrace Support to configure a Europe or Asia/Pacific endpoint.
The Dynatrace Software may not be exported or re-exported from the U.S. to (a) any Group E country listed in SUPPLEMENT NO. 1 TO PART 740 – COUNTRY GROUPS (Currently Syria, North Korea, Iran and Cuba) or the Crimea Region of Ukraine, or (b) any company, entity or person listed as a party of concern found here (currently including Huawei Technologies and its affiliates worldwide), or (3) for any end-use related to the development, production or use of nuclear, chemical or biological weapons or missiles. Our contracts with our customers require compliance with these and other export control laws.
Mission Control communication uses HTTPS and WSS over port 443 with TLS v1.2. The TLS/SSL certificate is provided by Amazon and renewed automatically each year.
Mission Control communication can be routed through a proxy. The proxy must support WebSockets and the SNI TLS extension.