Cluster node ports

Dynatrace Managed requires configuration of network ports to operate, to serve pages, and to accept monitoring data.

Be sure to configure your network and firewall so that all ports listed below are accessible. Note that ports should be opened for bi-directional communication. For a typical deployment, we recommend that all ports be open between the cluster nodes.

Incoming ports

Ports 443 must remain open to allow incoming traffic from your data center.

Port Used by Notes
443 Dynatrace Managed UI, OneAgent and REST API

Routed to local port 8022 using an iptables' prerouting rule. This port must remain open. All Dynatrace communication to the cluster is handled over secure socket HTTPS communication (port 443) with strong cryptography to guarantee your data privacy.

8443 1 Monitoring data from OneAgent, nodes within Dynatrace Managed cluster

OneAgent only sends data outbound to Dynatrace Server—it doesn't open a listening port. Each monitored machine with OneAgent installed on it must access this port. This port must remain open for communication between nodes within Dynatrace Managed deployments.

8018 Nodekeeper

This port can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to this port.

8019 Upgrade UI
8020, 8021 Dynatrace Managed UI and REST API

These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports.

8022 Dynatrace Managed UI and REST API (NGINX)

Port 8022 can be closed to traffic coming from outside the Dynatrace cluster. This port can be used as an equivalent to 443 if usage of a non-privileged port is required.

5701-5711 Hazelcast In-memory data grid platform

Responsible for data being evenly distributed among the cluster nodes. Allows for horizontal scaling of processing and storage. These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports.

9042, 7000, 7001, 7199 Cassandra-based Hypercube storage

These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports.

9200, 9300 Elasticsearch-based search engine

These ports can be closed to traffic coming from outside the Dynatrace cluster. If you're running a Dynatrace Managed cluster, only your cluster nodes need access to these ports.

Outbound communication to Dynatrace Mission Control

Within multi-node clusters, each node must be able to communicate with Mission Control for basic health checks (for example, component states, disk, and CPU usage), in addition to the mandatory management connection (URL: https://mcsvc.dynatrace.com or IP addresses: 52.5.224.56, 52.200.165.10, 52.221.165.63, and 13.228.109.33) via HTTPS (port 443) for license validation, health monitoring, and automatic updates. Communication between Dynatrace Managed clusters and Mission Control is based on TLS v1.2.

Communication between Dynatrace Managed clusters and Mission Control can also be routed via a proxy, but the proxy must allow web sockets and support the SNI TLS extension.


1 Dynatrace environments with a cluster version earlier than 1.166 use port 8443. New Dynatrace environments still use port 8443, but this port doesn't need to be exposed to the outside of the cluster nodes. Upgraded Dynatrace environments preserve port settings from the previous version. As a result, it is possible to have an upgraded Dynatrace environment that still uses port 8443.