Sisense Required Ports for Linux

Last updated: June 21, 2026

Tier Deployment
Enterprise On-Prem

Previous Step:

Sisense uses certain ports to communicate with machines on the Internet and within your Sisense namespace. Below is a description of the ports that you may need to allow in your deployment.

Note:

In cluster deployments, open all traffic between the nodes (TCP and UDP).


Outbound Rules for Sisense

Ports Description
80, 443

Allow outbound TCP connections from the workers to these ports to allow worker node updates and reloads.

Additionally, outbound communication on port 443 to https://l.sisense.com for licensing.

2049

Allow outbound TCP and UDP connections to this port to allow mounting file storage as volumes.

This is only relevant when using NFS and only for the NFS server.

3260 Allow outbound TCP and UDP connections to this port for communication to block storage.
8071 Allow outbound connections to the Sisense external monitoring system.
10250

Allow inbound TCP and UDP connections to this port for the Kubernetes dashboard and commands such as kubectl logs and kubectl exec.

For EKS, AES and GKE need to be open towards the K8S control.

Outbound Connectivity (Destination Hosts)

In addition to the outbound port rules above, an online installation or upgrade reaches the external destinations listed below. These hosts must be reachable (typically over TCP 443, with some over TCP 80) from the Sisense nodes before installation. Hosts are not required for an offline (air-gapped) installation — see Installing Sisense in an Offline Environment.

Note:

This list reflects the current Sisense release and may differ for older releases. The Required When column indicates the conditions under which each destination is contacted; entries that apply to a specific OS, cloud provider, or configuration flag are only relevant when that condition is met.

Host Port Protocol Applies To Required When Notes

ubuntu.com

443

TCP

Ubuntu

Online install

Outbound preflight; APT ecosystem

archive.ubuntu.com

443

TCP

Ubuntu

Online install (Ubuntu)

Common APT mirror

security.ubuntu.com

443

TCP

Ubuntu

Online install (Ubuntu)

Common APT security updates

dl.fedoraproject.org

443

TCP

Red Hat; CentOS; Rocky; Oracle Linux; Amazon Linux

Online install

Outbound preflight; EPEL packages

mirror.centos.org

80

TCP

Red Hat; CentOS; Rocky; Oracle Linux; Amazon Linux

Online install

Outbound preflight; YUM/DNF mirrors

cdn.amazonlinux.com

443

TCP

Amazon Linux

Online install (Amazon Linux)

Amazon Linux package mirrors (amazon-linux-extras / dnf)

subscription.rhsm.redhat.com

443

TCP

Red Hat

RHEL with subscription-manager

RHEL subscription access

docker.io

443

TCP

All

Online install

Docker Hub

registry-1.docker.io

443

TCP

All

Online install

Docker Hub registry API

download.docker.com

443

TCP

All

Online install

Docker packages/repos

quay.io

443

TCP

All

Online install

Default image registry (quay.io/sisense_release); Rook Ceph images

gcr.io

443

TCP

All

Online install

Google container registry

storage.googleapis.com

443

TCP

All

Online install

GCR/GCS-backed artifacts

github.com

443

TCP

All

Online install

Helmfile; pip git dependencies (e.g. pssh on AL2023); release assets

release-assets.githubusercontent.com

443

TCP

All

On-prem RKE2 online install

RKE2 release binaries (via get.rke2.io)

bitbucket.org

443

TCP

All

Online install

Legacy/third-party references

pypi.org

443

TCP

All

Online install

Python installer dependencies

files.pythonhosted.org

443

TCP

All

Online install

Python package wheels

kubernetes.io

443

TCP

All

Online install

Kubernetes-related references

l.sisense.com

443

TCP

All

Online install

Sisense licensing/artifacts

auth.cloud.sisense.com

443

TCP

All

Online install

Sisense cloud authentication

get.rke2.io

443

TCP

All

On-prem online install (not offline / OpenShift)

RKE2 install script

update.rke2.io

443

TCP

All

On-prem RKE2 online install

RKE2 update channel

dl.k8s.io

443

TCP

All

Online install

kubectl binary download

get.helm.sh

443

TCP

All

Online install

Helm binary download

registry.k8s.io

443

TCP

All

storage_type=nfs

NFS CSI driver images (default baseRepo)

kyverno.github.io

443

TCP

All

signature_validation=true

Kyverno Helm chart repository

kubernetes.github.io

443

TCP

All

cloud_provider=aws and fresh infra

AWS cloud-controller-manager Helm repo

data.sisense.com

443

TCP

All

Optional AWS ALB setup

Optional Sisense scripts (e.g. aws-alb-iam-attach.sh)

documentation.sisense.com

443

TCP

All

Documentation links only

Sisense docs (not required for install automation)

<docker_registry from config>

443

TCP

All

private_docker_registry=true or custom registry

User-defined registry host; default quay.io/sisense_release on quay.io

*.amazonaws.com

443

TCP

All

AWS cloud (EBS/EFS/FSx/EC2 API)

AWS service endpoints (region-specific)

metadata.google.internal

80

TCP

All

GKE nodes

GCE metadata (link-local; not public internet)

169.254.169.254

80

TCP

All

AWS EC2 nodes

EC2 instance metadata (link-local; not public internet)

AI & Control-Plane Connectivity

Deployments that use Sisense AI/GenAI features require outbound access (TCP 443) to the external service providers below. Unlike the installer hosts above, these are provider endpoints with no single fixed Sisense-owned FQDN — the exact destination depends on your provider, region, and configuration. For on-prem deployments, you supply the target service URL; for control-plane services, the destinations are reached on your behalf.

On-Prem (client-provided target service URL)

Destination Description

LLM provider

Access to the LLM provider. Currently Azure OpenAI; AWS Bedrock support is planned.

MongoDB Atlas

Access to the Vector database used by Sisense AI features.

Arria

Access to the narration service provider.

Control-Plane Services (LLM Gateway, Similarity Service)

Destination Description

AWS Secret Manager (ASM)

Access to AWS Secret Manager.

LLM provider

Access to the LLM provider. Currently Azure OpenAI; AWS Bedrock support is planned.

MongoDB Atlas

Access to MongoDB Atlas maintained by Sisense.

Inbound Rules for Sisense

The following ports should be opened to your network so you will be able to access the Sisense application, SSH and Kubernetes dashboard:

Ports Description
TCP 443/30845 HTTPS/HTTP WEB (SSL/non-SSL mode). These ports should be open to allow your users to access Sisense.
TCP 22 SSH. This port should be opened when your Administrator needs to deploy or upgrade Sisense.
TCP 6443 This port should be opened when your Administrator needs to access the Kubernetes dashboard.

Cluster Mode

When deploying multiple nodes, the following ports should be opened between each node:

Ports Description
TCP 2379 - 2380 etcd
TCP 10248 - 10259 Kubernetes
TCP 9100 Node exporter

Cluster Network Plugin

Sisense support two cluster network plugins, Calico and Weave. The default network plugin used by Sisense is Calico.

Calico and Weave secure the communication between your nodes. The following ports should be opened:

Calico

Ports Description
TCP 9099 Calico
TCP 179 Calico - bird

Weave

Ports Description
TCP 6783 Weave's control and data
UDP 6783/6784 Weave's control and data
UDP 4789 VXLAN
TCP 111 rpcbind
TCP 179 bird

Cluster Shared File System Implementation

Depending on which you use, the following ports should be opened:

FSx

Ports Description
TCP 988 NFS

NFS

Outbound NFS should for the nodes.

Ports Description
TCP 2049 NFS

Load Balancer

If you are using an external load balancer, make sure that the load balancer supports WebSockets.

If you are using Amazon AWS with load balancing, ALB supports WebSockets, ELB does not.

Note:

The Classic Load Balancer in AWS does not support WebSockets.


Next Steps