StackLight

The tables below contain the details about ports and protocols used by different StackLight components.

Warning

This section does not describe communications within the cluster network.

User interfaces

Component

Network

Direction

Port/Protocol

Consumer

Comments

Alerta UI

External network (LB service)

Inbound

443/TCP/HTTPS

Cluster users

Add the assigned external IP to the allowlist.

Alertmanager UI

External network (LB service)

Inbound

443/TCP/HTTPS

Cluster users

Add the assigned external IP to the allowlist.

Grafana UI

External network (LB service)

Inbound

443/TCP/HTTPS

Cluster users

Add the assigned external IP to the allowlist.

OpenSearch Dashboards UI

External network (LB service)

Inbound

443/TCP/HTTPS

Cluster users

Only when the StackLight logging stack is enabled. Add the assigned external IP to the allowlist.

Prometheus UI

External network (LB service)

Inbound

443/TCP/HTTPS

Cluster users

Add the assigned external IP to the allowlist.

Alertmanager notifications receivers

Component

Network

Direction

Port/Protocol

Destination

Comments

Alertmanager Email notifications integration

Cluster network

Outbound

TCP/SMTP

Depends on the configuration, see the comment.

Only when email notifications are enabled. Add an SMTP host URL to the allowlist.

Alertmanager Microsoft Teams notifications integration

Cluster network

Outbound

TCP/HTTPS

Depends on the configuration, see the comment.

Only when Microsoft Teams notifications are enabled. Add a webhook URL to the allowlist.

Alertmanager Salesforce notifications integration

Cluster network

Outbound

TCP/HTTPS

For Mirantis support mirantis.my.salesforce.com and login.salesforce.com. Depends on the configuration, see the comment.

Only when Salesforce notifications are enabled. Add an SF instance URL and an SF login URL to the allowlist. See requirements for a baremetal-based cluster for details.

Alertmanager ServiceNow notifications integration

Cluster network

Outbound

TCP/HTTPS

Depends on the configuration, see the comment.

Only when notifications to ServiceNow are enabled. Add a configured ServiceNow URL to the allowlist.

Alertmanager Slack notifications integration

Cluster network

Outbound

TCP/HTTPS

Depends on the configuration, see the comment.

Only when notifications to Slack are enabled. Add a configured Slack URL to the allowlist.

Notification integration of Alertmanager generic receivers

Cluster network

Outbound

Customizable, see the comment

Depends on the configuration, see the comment.

Only when any custom Alertmanager integration is enabled. Depending on the integration type, add the corresponding URL to the allowlist.

External integrations

Component

Network

Direction

Port/Protocol

Destination

Comments

Salesforce reporter

Cluster network

Outbound

TCP/HTTPS

For Mirantis support mirantis.my.salesforce.com and login.salesforce.com. Depends on the configuration, see the comment.

Only when the Salesforce reporter is enabled. Add a SF instance URL and SF login URL to the allowlist. See requirements for a baremetal-based cluster for details.

Prometheus Remote Write

Cluster network

Outbound

TCP

Depends on the configuration, see the comment.

Only when the Prometheus Remote Write feature is enabled. Add a configured remote write destination URL to the allowlist.

Prometheus custom scrapes

Cluster network

Outbound

TCP

Depends on the configuration, see the comment.

Only when the Custom Prometheus scrapes feature is enabled. Add configured scrape targets to the allowlist.

Fluentd remote syslog output

Cluster network

Outbound

TCP or UDP (protocol and port are configurable)

Depends on the configuration, see the comment.

Only when the Logging to remote Syslog feature is enabled. Add a configured remote syslog URL to the allowlist.

Metric Collector

Cluster network

Outbound

9093/443/TCP

mcc-metrics-prod-ns.servicebus.windows.net

Applicable to management clusters only. Add a specific URL from Microsoft Azure to the allowlist. See requirements for a baremetal-based cluster for details.

External Endpoint monitoring

Cluster network

Outbound

TCP/HTTP(S)

Depends on the configuration, see the comment.

Only when the External endpoint monitoring feature is enabled. Add configured monitored URLs to the allowlist.

SSL certificate monitoring

Cluster network

Outbound

TCP/HTTP(S)

Depends on the configuration, see the comment.

Only when SSL certificates monitoring feature is enabled. Add configured monitored URLs to the allowlist.

Metrics exporters

Component

Network

Direction

Port/Protocol

Consumer

Comments

Prometheus Node Exporter

Host network

Inbound (from cluster network)

19100/TCP Since 17.0.0, 16.0.0, 14.1.0, 9100/TCP Before 17.0.0, 16.0.0, 14.1.0

Prometheus from the stacklight namespace

Prometheus from Cluster network scrape metrics from all nodes.

Fluentd (Prometheus metrics endpoint)

Host network

Inbound (from cluster network)

24231/TCP

Prometheus from the stacklight namespace

Only when the StackLight logging stack is enabled. Prometheus from the cluster network scrapes metrics from all nodes.

Calico node

Host network

Inbound (from cluster network)

9091/TCP

Prometheus from the stacklight namespace

Prometheus from cluster network scrape metrics from all nodes.

Telegraf SMART plugin

Host network

Inbound (from cluster network)

9126/TCP

Prometheus from the stacklight namespace

Applicable to the bare metal provider obly. Prometheus from scrapes metrics of the cluster network from all nodes.

MKE Manager API

Host network

Inbound (from cluster network)

4443/TCP, 6443/TCP

Blackbox exporter from the stacklight namespace

Applicable to the master node only. Blackbox exporter from cluster network probes all master nodes.

  • 6443/TCP is applicable to the OpenStack provider only.

  • 4443/TCP is applicable to the bare metal and vSphere providers only.

On attached MKE clusters, the port and protocol depend on the MKE cluster configuration.

MKE Metrics Engine

Host network

Inbound (from cluster network)

12376/TCP

Prometheus from the stacklight namespace

Prometheus from cluster network scrape metrics from all nodes.

Kubernetes Master API

Host network

Inbound (from cluster network)

443/TCP, 5443/TCP

Blackbox exporter from the stacklight namespace

Applicable to the master node only. Blackbox exporter from cluster network probes all master nodes.

  • 443/TCP is applicable to the OpenStack provider only and to attached MKE clusters.

  • 5443/TCP is applicable to the bare metal and vSphere providers only.

Caution

Since Container Cloud 2.27.3 (Cluster release 16.2.3), support for vSphere-based clusters is suspended. For details, see Deprecation notes.

Container Cloud telemetry

Component

Network

Direction

Port/Protocol

Consumer

Destination

Comments

Telemeter client

Cluster network (managed cluster)

Outbound (to management cluster external LB)

443/TCP

n/a

Telemeter server on a management cluster (Telemeter server external IP from the stacklight namespace of a management cluster)

Applicable to managed clusters only. The Telemeter client on a managed cluster pushes metrics to the Telemeter server on a management cluster.

Telemeter server

External network (LB service)

Inbound (from managed cluster network)

443/TCP

Telemeter client on managed clusters

n/a

Applicable to management clusters only. The Telemeter client on the managed cluster pushes metrics to the Telemeter server on the management cluster.