Which network ports does Dynatrace Server use?

This topic applies to Dynatrace Managed installations only.

Both standalone Dynatrace Servers and Dynatrace Managed clusters require several network ports to operate, serve pages, and accept monitoring data.

Be sure to configure your network and firewall so that these ports are accessible. Note that ports should be opened for bi-directional communication.

Ports 443 and 8443 must remain open to allow incoming traffic from your data center.

Port Used by Notes
443 Dynatrace Managed UI and REST API Routed to local port 8022 using iptables' prerouting rule. This port must remain open. All Dynatrace web user-interface communication to Dynatrace Server is handled over secure socket HTTPS communication (port 443) with strong cryptography to guarantee your data privacy.
8443 Monitoring data from Dynatrace OneAgent Dynatrace OneAgent only sends data outbound to Dynatrace Server—it doesn't open a listening port. Each monitored machine with Dynatrace OneAgent installed on it must access this port. This port must remain open.
8019 Upgrade UI This port can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to this port.
8020, 8021 Dynatrace Managed UI and REST API These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports.
8022 Dynatrace Managed UI and REST API (nginx) Port 8022 can be closed to traffic coming from outside the Dynatrace cluster. The port can be used as equivalent of 443 if usage of a non-privileged port is required.
5701-5711 Dynatrace cluster analytics engine These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports.
9042, 7000, 7001, 7199 Cassandra-based Hypercube storage These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports.
9200, 9300 Elasticsearch-based search engine These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports.

Outbound communication to Dynatrace Mission Control

Your Dynatrace Managed clusters must be able to communicate with Mission Control (URL: https://mcsvc.dynatrace.com1 and IP addresses: 52.5.224.56, 52.200.165.10, 52.221.165.63, and 13.228.109.33) via HTTPS (port 443) for license validation, health monitoring, and automatic updates. Communication between Dynatrace Managed clusters and Mission Control is based on TLS v1.2.

To enable health monitoring, your Dynatrace Managed Server must also have access to *.live.dynatrace.com (IP addresses 34.203.81.189, 34.205.222.178, 54.164.42.22, 52.1.155.152, and 54.164.49.176) via HTTPS (port 443).

Communication between Dynatrace Managed clusters and Mission Control can also be routed via a proxy, but the proxy must allow web sockets and, if the proxy is clustered, it must provide sticky sessions for web socket communication. Also, the proxy must support the SNI TLS extension.

1 Old customers might still need to add the https://opcsvc.ruxit.com/ domain, new ones should stick with https://mcsvc.dynatrace.com.