Product Introduction

Overview

Strengths

Use Cases

Concepts

Use Limits

Features

Service Regions

Purchase Guide

Billing Overview

Pay-as-You-Go (Postpaid)

Free Trial Introduction

Managed Collector Billing Introduction

Archive Storage Billing Introduction

Purchase Methods

Payment Overdue

Getting Started

Integration Guide

Scrape Configuration Description

Custom Monitoring

EMR Integration

Java Application Integration

Go Application Integration

Exporter Integration

Nacos Integration

Common Exporter

Health Check

Instructions for Installing Components in the TKE Cluster

Cloud Monitoring

Non-Tencent Cloud Host Monitoring

Read Cloud-Hosted Prometheus Instance Data via Remote Read

Agent Self-Service Access

Pushgateway Integration

Security Group Open Description

Operation Guide

Instance

TKE

Integration Center

Data Multi-Write

Recording Rule

Instance Diagnosis

Archive Storage

Alerting Rule

Tag

Access Control

Grafana

API Guide

TKE Metrics

Resource Usage and Billing Overview

Practical Tutorial

Migration from Self-Built Prometheus

Custom Integration with CVM

TKE Monitoring

Enabling Public Network Access for TKE Serverless Cluster

Connecting TMP to Local Grafana

Enabling Public Network Access for Prometheus Instances

Configuring a Public Network Address for a Prometheus Instance

Terraform

Terraform Overview

Managing Prometheus Instances Using Terraform

Managing the Integration Center of Prometheus Instances Using Terraform

Collecting Container Monitoring Data Using Terraform

Configuring Alarm Policies Using Terraform

FAQs

Basic Questions

Integration with TKE Cluster

Product Consulting

Use and Technology

Cloud Monitor FAQs

Service Level Agreement

TMP Policy

Data Processing And Security Agreement

Security Group Open Description

PDF

Focus Mode

Font Size

Last updated: 2024-08-15 17:08:56

Overview
This document describes the port that needs to be opened for security groups of managed clusters and user clusters during the process of integrating TKE for TMP. It also describes solutions for security group related issues that arise when managed clusters and user clusters are bound.
Managed Cluster
Managed cluster Security Groups are created by TMP and generally do not need modifications.
Security Group
Rule
Protocol Port
Policy
Inbound rule
TCP:9093, 9090, 10901, 10902, 9990, 3000, 8080, and 8008
Allow
Inbound rule
TCP:8100-8200
Allow
Outbound rule
ALL
Allow
Port Description
Port
Function
Remarks
TCP:8008
proxy-server listens for the proxy-agent connection port
-
TCP:8080
Cluster internal API calls port
-
TCP:3000
grafana proxy port
-
TCP:9990
cm-notify synchronization port
About to be decommissioned
TCP:10901,10902
thanos sidecar listening address
-
TCP:9090
Configure reload port, and collect data query API
-
TCP:9093
Alarm port
-
TCP:8100-8200
proxy-server listening collection port
Since the collection port range is 100, the maximum number of associated clusters cannot exceed 100.
Viewing Method
log in to  Prometheus Monitoring, select the instance's ID/Name > instance diagnostics, choose Integration Center for diagnostics, in the data collection architecture diagram you can see the Managed Cluster Security Group, click it to jump to the security group interface via hyperlink to view the Managed Cluster Security Group.
﻿
﻿
﻿
User Cluster
The user cluster security group is specified when the user creates a node. If not specified, the default security group will be used.
Security Group
Rule
Cluster Type
Protocol Port
Policy
Description
Outbound rule
-
TCP:8008
Allow
Ensure that the proxy-agent and proxy-server can establish a connection
Inbound rule
Standard cluster
-
﻿
The standard cluster does not need opening ports.
Inbound rule
Independent cluster
TCP: 9092, 8180, 443, 10249, 9100, 60002, 10252, 10257, 10259, and 10251
Allow
The independent cluster needs to open additional master node-related ports to ensure proxy-agent can pull master node-related monitoring data
Viewing Method
log in to Prometheus Monitoring, select the instance ID/Name > Data Collection, and click the cluster ID/Name to jump to the cluster's TKE interface.
Native Nodes
Click Node Management > Worker Node > Node pool, and click Node Pool ID. In the Details page, you can see the security group. In the Security group, search by security group ID to view specific rules.
﻿
﻿
﻿
Common Nodes
Click Node Management > Worker Node > Node Pool, and click Node Pool ID. In the Details page, hover over the Node ID and click Details:
﻿
﻿
﻿
After navigating to the Instance Details page, click Security groups to view specific security group information:
﻿
﻿
﻿
Super Nodes
Click Node Management > Worker Node > Node Pool, and click Node Pool ID. In Node pool information, you can view the security group:
﻿
﻿
﻿
Related Issues
Issue Description
Abnormal binding status, "Install tmp-agent CR" step shows "context deadline exceeded":
﻿
﻿
﻿
Troubleshooting
Is the VPC the Same or Interconnected?
1. Click the user cluster link, open the associated cluster, and view the cluster node network (i.e., vpcid):
﻿
﻿
﻿
2. On the  Prometheus Instance's Basic Info page, click Network to view the cluster network:
﻿
﻿
﻿
3. Compare the vpcid. If they are different, check if the VPCs are interconnected via CCN. If not, you need to associate the CCN to interconnect both VPCs or select Create Public Network CLB Instance when associating clusters. If CCN is interconnected but still unsuccessful, check if the CCN bandwidth limit is reached. If so, increase the CCN bandwidth limit.
Associate with CCN:
﻿
﻿
﻿
Select Create Public Network CLB Instance:
﻿
﻿
﻿
Does the Security Group Allow Access?
1. View the user cluster security group. For viewing methods, see User Cluster Security Group Viewing Method. Check if the rules meet the requirements.
2. If the user cluster is an independent cluster, view the Master&Etcd security group information. Click Node Management > Master&Etcd > Node Pool, click the Node Pool ID, hover over the Node ID, and then click Jump to CVM Instance Details Page. On the CVM Security groups page, you can view specific security group information:
﻿
﻿
﻿
Check if the security group rules meet the requirements.
﻿

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

tencent cloud

TencentCloud Managed Service for Prometheus

Security Group Open Description

Overview

Managed Cluster

Security Group

Port Description

Viewing Method

User Cluster

Security Group

Viewing Method

Native Nodes

Common Nodes

Super Nodes

Related Issues

Issue Description

Troubleshooting

Is the VPC the Same or Interconnected?

Does the Security Group Allow Access?

Help and Support

Rule	Protocol Port	Policy
Inbound rule	TCP:9093, 9090, 10901, 10902, 9990, 3000, 8080, and 8008	Allow
Inbound rule	TCP:8100-8200	Allow
Outbound rule	ALL	Allow

Port	Function	Remarks
TCP:8008	proxy-server listens for the proxy-agent connection port	-
TCP:8080	Cluster internal API calls port	-
TCP:3000	grafana proxy port	-
TCP:9990	cm-notify synchronization port	About to be decommissioned
TCP:10901,10902	thanos sidecar listening address	-
TCP:9090	Configure reload port, and collect data query API	-
TCP:9093	Alarm port	-
TCP:8100-8200	proxy-server listening collection port	Since the collection port range is 100, the maximum number of associated clusters cannot exceed 100.

Rule	Cluster Type	Protocol Port	Policy	Description
Outbound rule	-	TCP:8008	Allow	Ensure that the proxy-agent and proxy-server can establish a connection
Inbound rule	Standard cluster	-		The standard cluster does not need opening ports.
Inbound rule	Independent cluster	TCP: 9092, 8180, 443, 10249, 9100, 60002, 10252, 10257, 10259, and 10251	Allow	The independent cluster needs to open additional master node-related ports to ensure proxy-agent can pull master node-related monitoring data