Skip to content

Firewall & connectivity

This page answers one question: which firewall rules do I need to open for LinkMesh to work?

There are two kinds of traffic, and they’re worth keeping straight because they have different shapes:

  • Control plane — everything that talks to the LinkMesh server. The operator’s browser, your collectors (config pull + status), and the optional onboarding agent. All of it is HTTPS on 443, all of it reaches in to the server.
  • Data plane — your collectors sending telemetry to your observability backends. This leaves your network outbound, on each backend’s own port, and never passes through LinkMesh.
DATA PLANE — telemetry egress (outbound) CONTROL PLANE — to the LinkMesh server · 443 backend ports (HTTPS/OTLP/remote-write/Kafka) Operator browser Onboarding agent optional Collectors otelcol · Alloy Grafana Cloud Loki / Tempo Prometheus Kafka LinkMesh Server CONTROL PLANE · 443 Remote Git HA config store UI / API · 443 /v1/agent · 443 (WSS) config-pull + own-metrics · 443 git · 443
The control plane (cyan, dashed) reaches the LinkMesh server on 443; the data plane (blue, solid) is your collectors sending telemetry outbound to your backends. Telemetry never transits LinkMesh.

Control plane — to the LinkMesh server

Every control connection is HTTPS on 443, inbound to the server. There is no inbound connection to a collector or to the agent — they always reach out to the server, so a managed host needs no open listening ports for LinkMesh.

ConnectionPortProtocolDirectionPurposeRequired
Operator browser → server443HTTPS→ serverWeb UI + REST APIYes
otelcol collector → server443HTTPS (OpAMP, WSS)→ serverConfig pull + health/statusYes, for OpAMP collectors
Grafana Alloy collector → server443HTTPS (remotecfg)→ serverConfig pullYes, for Alloy collectors
Collector → server443HTTPS (OTLP)→ serverCollector own-metrics (self-telemetry)Optional
Onboarding agent → server443HTTPS (WSS, /v1/agent)→ serverDiscovery control channelOptional — only if you run the agent

Data plane — telemetry egress

Telemetry flows collector → backend, outbound from your network, on each backend’s own port. LinkMesh is not in this path; it never sees your telemetry. Open whatever your chosen backends need:

ConnectionPortProtocolDirectionPurposeRequired
Collector → Grafana Cloud443HTTPS / OTLPoutbound →Telemetry exportAs configured
Collector → Loki / Tempobackend port (usually 443)HTTPS / OTLPoutbound →Logs / traces exportAs configured
Collector → Prometheusbackend port (usually 443)HTTPS remote-writeoutbound →Metrics exportAs configured
Collector → Kafkabroker port (e.g. 9092)Kafkaoutbound →Telemetry exportAs configured

The exact ports depend entirely on the destinations you configure — see your backend’s documentation for its ingest endpoint and port.

Optional: server → remote Git

A highly-available deployment keeps its config in a remote Git repository so multiple server replicas share one source of truth. When you use that storage backend, the server needs outbound access to the Git host:

ConnectionPortProtocolDirectionPurposeRequired
Server → remote Git443 (HTTPS) or 22 (SSH)HTTPS / SSHoutbound →HA config storeOnly for the remote-Git backend

A single-instance server with the built-in store needs none of this.

At a glance

  • Open to the server, on 443: the operator’s browser and your collectors (and the agent, if you use it). That’s the whole control plane.
  • Open outbound from your network: collectors to your backends, on the backends’ ports.
  • Nothing to open inbound to a collector or agent — they connect out.
  • Telemetry never transits LinkMesh — it goes straight from your collectors to your backends.