Cluster node ports
Dynatrace Managed requires configuration of network ports to operate, to serve pages, and to accept monitoring data.
Be sure to configure your network and firewall so that all ports listed below are accessible. Note that ports should be opened for bi-directional communication. For a typical deployment, we recommend that all ports be open between the cluster nodes.
Port 443 must remain open to allow incoming traffic from your data center.
| Port | Used by | Notes |
| --- | --- | --- |
| 443 | Dynatrace Managed UI, OneAgent and REST API | Routed to local port 8022 using an iptables prerouting rule. This port must remain open. All Dynatrace communication to the cluster is handled over secure HTTPS communication (port 443) with strong cryptography to guarantee your data privacy. |
| 8443¹ | Monitoring data from OneAgent, nodes within Dynatrace Managed cluster | OneAgent only sends data outbound to Dynatrace Server; it doesn't open a listening port. Each monitored machine with OneAgent installed on it must access this port. This port must remain open for communication between nodes within Dynatrace Managed deployments. |
| 8019 | Upgrade UI | This port can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to this port. |
| 8020, 8021 | Dynatrace Managed UI and REST API | These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports. |
| 8022 | Dynatrace Managed UI and REST API (NGINX) | Port 8022 can be closed to traffic coming from outside the Dynatrace cluster. This port can be used as an equivalent to 443 if usage of a non-privileged port is required. |
| 5701-5711 | Hazelcast in-memory data grid platform | Responsible for data being evenly distributed among the cluster nodes. Allows for horizontal scaling of processing and storage. These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports. |
| 9042, 7000, 7001 | Cassandra-based Hypercube storage | These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports. |
| 9200, 9300 | Elasticsearch-based search engine | These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports. |
¹ Dynatrace environments with a cluster version earlier than 1.166 use port 8443. New Dynatrace environments still use port 8443, but this port doesn't need to be exposed to the outside of the cluster nodes. Upgraded Dynatrace environments preserve port settings from the previous version. As a result, it is possible to have an upgraded Dynatrace environment that still uses port 8443.
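One way to turn the "only your cluster nodes need access" entries into host firewall rules, as an added example that is not Dynatrace's own tooling. The chain name DT_CLUSTER and the node addresses are assumptions, and the script only prints the rules so they can be reviewed before use.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules that limit the
# cluster-only ports from the table to the given cluster node addresses.
# The chain name DT_CLUSTER and the demo addresses are assumptions.

# 443 and 8443 are not restricted here. 8022 is left out on purpose: 443 is
# routed to it in PREROUTING, so INPUT sees that client traffic as port 8022.
CLUSTER_PORTS="8019,8020,8021,5701:5711,9042,7000,7001,9200,9300"

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule set; validate every address first so a typo emits nothing.
gen_rules() {
    [ "$#" -gt 0 ] || { echo "no cluster nodes given" >&2; return 1; }
    for node in "$@"; do
        valid_ipv4 "$node" || { echo "bad address: $node" >&2; return 1; }
    done
    echo "iptables -N DT_CLUSTER"
    # Local processes reach these services over the loopback interface.
    echo "iptables -A DT_CLUSTER -i lo -j ACCEPT"
    for node in "$@"; do
        echo "iptables -A DT_CLUSTER -s $node -j ACCEPT"
    done
    echo "iptables -A DT_CLUSTER -j DROP"
    echo "iptables -A INPUT -p tcp -m multiport --dports $CLUSTER_PORTS -j DT_CLUSTER"
}

# Constructed three-node cluster for demonstration.
gen_rules 10.0.0.11 10.0.0.12 10.0.0.13
```

Rule order matters: the jump into DT_CLUSTER only takes effect if it is evaluated before any broader ACCEPT rule already present in the INPUT chain.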
Outbound communication to Dynatrace Mission Control
All nodes in the cluster should be able to communicate with Mission Control to receive software updates and facilitate a data exchange using the following addresses:
52.5.224.56, 52.200.165.10, 13.228.109.33, 52.221.165.63, 46.137.81.205, 52.48.91.146
Domains used: mcsvc.dynatrace.com, mcsvc-us.dynatrace.com, mcsvc-eu.dynatrace.com, mcsvc-ap.dynatrace.com.
All cluster data received by Mission Control via the endpoints above is hosted in the U.S. regions.
In order to ensure compliance with United States restrictions², in the event that you now or at any time in the future plan to host a Dynatrace Managed cluster or monitor any technology with Huawei Cloud services (or any hosting service provided by an affiliate of Huawei Technologies), you need to contact a Dynatrace product expert to set a proper endpoint (Europe or Asia/Pacific).
Network communication is used for license validation, health monitoring, automatic updates, and remote access. The communication is established via HTTPS and WSS through port 443 and based on TLS v1.2. The TLS/SSL certificate is provided by Amazon and is automatically renewed annually.
Communication between Dynatrace Managed clusters and Mission Control can also be routed via a proxy, but the proxy must allow WebSockets and support the SNI TLS extension.
² The Dynatrace Software may not be exported or re-exported from the U.S. to (a) any Group E country listed in SUPPLEMENT NO. 1 TO PART 740 – COUNTRY GROUPS (Currently Syria, North Korea, Iran and Cuba) or the Crimea Region of Ukraine, or (b) any company, entity or person listed as a party of concern found here (currently including Huawei Technologies and its affiliates worldwide), or (c) for any end-use related to the development, production or use of nuclear, chemical or biological weapons or missiles. Our contracts with our customers require compliance with these and other export control laws.