# Sisense Required Ports for Linux

> Sisense uses certain ports to communicate with machines on the Internet and within your Sisense namespace. This is a description of the ports that you may need to allow in your deployment.

*Source: https://docs.sisense.com/main/SisenseLinux/linux-port-settings.htm*

---

Last updated: June 21, 2026

|  |  |
| --- | --- |
| [Tier](https://www.sisense.com/pricing/#pricing) | [Deployment](https://docs.sisense.com/main/SisenseLinux/introduction-to-sisense-cloud-managed-services.md#ComparisonofManagedCloudandSelfHosted) |
| Enterprise | On-Prem |

**Previous Step:**

- [Planning Your Configuration](https://docs.sisense.com/main/SisenseLinux/planning-your-configuration.md)

Sisense uses certain ports to communicate with machines on the Internet and within your Sisense namespace. Below is a description of the ports that you may need to allow in your deployment.

**Note:**
  

In cluster deployments, open all traffic between the nodes (**TCP and UDP**).

  

## Outbound Rules for Sisense

| Ports | Description |
| --- | --- |
| 80, 443 | Allow outbound TCP connections from the workers to these ports to allow worker node updates and reloads.  Additionally, outbound communication on port 443 to https://l.sisense.com for licensing. |
| 2049 | Allow outbound TCP and UDP connections to this port to allow mounting file storage as volumes.  This is only relevant when using NFS and only for the NFS server. |
| 3260 | Allow outbound TCP and UDP connections to this port for communication to block storage. |
| 8071 | Allow outbound connections to the Sisense external monitoring system. |
| 10250 | Allow inbound TCP and UDP connections to this port for the Kubernetes dashboard and commands such as kubectl logs and kubectl exec.  For EKS, AES and GKE need to be open towards the K8S control. |

## Outbound Connectivity (Destination Hosts)

In addition to the outbound port rules above, an **online** installation or upgrade reaches the external destinations listed below. These hosts must be reachable (typically over **TCP 443**, with some over **TCP 80**) from the Sisense nodes before installation. Hosts are not required for an offline (air-gapped) installation — see [Installing Sisense in an Offline Environment](https://docs.sisense.com/main/SisenseLinux/installing-sisense-in-an-offline-air-gapped-environment.md).

**Note:**

This list reflects the current Sisense release and may differ for older releases. The **Required When** column indicates the conditions under which each destination is contacted; entries that apply to a specific OS, cloud provider, or configuration flag are only relevant when that condition is met.

| Host | Port | Protocol | Applies To | Required When | Notes |
| --- | --- | --- | --- | --- | --- |
| `ubuntu.com` | 443 | TCP | Ubuntu | Online install | Outbound preflight; APT ecosystem |
| `archive.ubuntu.com` | 443 | TCP | Ubuntu | Online install (Ubuntu) | Common APT mirror |
| `security.ubuntu.com` | 443 | TCP | Ubuntu | Online install (Ubuntu) | Common APT security updates |
| `dl.fedoraproject.org` | 443 | TCP | Red Hat; CentOS; Rocky; Oracle Linux; Amazon Linux | Online install | Outbound preflight; EPEL packages |
| `mirror.centos.org` | 80 | TCP | Red Hat; CentOS; Rocky; Oracle Linux; Amazon Linux | Online install | Outbound preflight; YUM/DNF mirrors |
| `cdn.amazonlinux.com` | 443 | TCP | Amazon Linux | Online install (Amazon Linux) | Amazon Linux package mirrors (amazon-linux-extras / dnf) |
| `subscription.rhsm.redhat.com` | 443 | TCP | Red Hat | RHEL with subscription-manager | RHEL subscription access |
| `docker.io` | 443 | TCP | All | Online install | Docker Hub |
| `registry-1.docker.io` | 443 | TCP | All | Online install | Docker Hub registry API |
| `download.docker.com` | 443 | TCP | All | Online install | Docker packages/repos |
| `quay.io` | 443 | TCP | All | Online install | Default image registry (`quay.io/sisense_release`); Rook Ceph images |
| `gcr.io` | 443 | TCP | All | Online install | Google container registry |
| `storage.googleapis.com` | 443 | TCP | All | Online install | GCR/GCS-backed artifacts |
| `github.com` | 443 | TCP | All | Online install | Helmfile; pip git dependencies (e.g. pssh on AL2023); release assets |
| `release-assets.githubusercontent.com` | 443 | TCP | All | On-prem RKE2 online install | RKE2 release binaries (via get.rke2.io) |
| `bitbucket.org` | 443 | TCP | All | Online install | Legacy/third-party references |
| `pypi.org` | 443 | TCP | All | Online install | Python installer dependencies |
| `files.pythonhosted.org` | 443 | TCP | All | Online install | Python package wheels |
| `kubernetes.io` | 443 | TCP | All | Online install | Kubernetes-related references |
| `l.sisense.com` | 443 | TCP | All | Online install | Sisense licensing/artifacts |
| `auth.cloud.sisense.com` | 443 | TCP | All | Online install | Sisense cloud authentication |
| `get.rke2.io` | 443 | TCP | All | On-prem online install (not offline / OpenShift) | RKE2 install script |
| `update.rke2.io` | 443 | TCP | All | On-prem RKE2 online install | RKE2 update channel |
| `dl.k8s.io` | 443 | TCP | All | Online install | kubectl binary download |
| `get.helm.sh` | 443 | TCP | All | Online install | Helm binary download |
| `registry.k8s.io` | 443 | TCP | All | `storage_type=nfs` | NFS CSI driver images (default baseRepo) |
| `kyverno.github.io` | 443 | TCP | All | `signature_validation=true` | Kyverno Helm chart repository |
| `kubernetes.github.io` | 443 | TCP | All | `cloud_provider=aws` and fresh infra | AWS cloud-controller-manager Helm repo |
| `data.sisense.com` | 443 | TCP | All | Optional AWS ALB setup | Optional Sisense scripts (e.g. aws-alb-iam-attach.sh) |
| `documentation.sisense.com` | 443 | TCP | All | Documentation links only | Sisense docs (not required for install automation) |
| <docker\_registry from config> | 443 | TCP | All | `private_docker_registry=true` or custom registry | User-defined registry host; default `quay.io/sisense_release` on quay.io |
| \*.amazonaws.com | 443 | TCP | All | AWS cloud (EBS/EFS/FSx/EC2 API) | AWS service endpoints (region-specific) |
| `metadata.google.internal` | 80 | TCP | All | GKE nodes | GCE metadata (link-local; not public internet) |
| 169.254.169.254 | 80 | TCP | All | AWS EC2 nodes | EC2 instance metadata (link-local; not public internet) |

## AI & Control-Plane Connectivity

Deployments that use Sisense AI/GenAI features require outbound access (TCP 443) to the external service providers below. Unlike the installer hosts above, these are **provider endpoints** with no single fixed Sisense-owned FQDN — the exact destination depends on your provider, region, and configuration. For on-prem deployments, you supply the target service URL; for control-plane services, the destinations are reached on your behalf.

### On-Prem (client-provided target service URL)

| Destination | Description |
| --- | --- |
| LLM provider | Access to the LLM provider. Currently Azure OpenAI; AWS Bedrock support is planned. |
| MongoDB Atlas | Access to the Vector database used by Sisense AI features. |
| Arria | Access to the narration service provider. |

### Control-Plane Services (LLM Gateway, Similarity Service)

| Destination | Description |
| --- | --- |
| AWS Secret Manager (ASM) | Access to AWS Secret Manager. |
| LLM provider | Access to the LLM provider. Currently Azure OpenAI; AWS Bedrock support is planned. |
| MongoDB Atlas | Access to MongoDB Atlas maintained by Sisense. |

## Inbound Rules for Sisense

The following ports should be opened to your network so you will be able to access the Sisense application, SSH and Kubernetes dashboard:

| Ports | Description |
| --- | --- |
| TCP 443/30845 | HTTPS/HTTP WEB (SSL/non-SSL mode). These ports should be open to allow your users to access Sisense. |
| TCP 22 | SSH. This port should be opened when your Administrator needs to deploy or upgrade Sisense. |
| TCP 6443 | This port should be opened when your Administrator needs to access the Kubernetes dashboard. |

## Cluster Mode

When deploying multiple nodes, the following ports should be opened between each node:

| Ports | Description |
| --- | --- |
| TCP 2379 - 2380 | etcd |
| TCP 10248 - 10259 | Kubernetes |
| TCP 9100 | Node exporter |

## Cluster Network Plugin

Sisense support two cluster network plugins, Calico and Weave. The default network plugin used by Sisense is Calico.

Calico and Weave secure the communication between your nodes. The following ports should be opened:

### Calico

| Ports | Description |
| --- | --- |
| TCP 9099 | Calico |
| TCP 179 | Calico - bird |

### Weave

| Ports | Description |
| --- | --- |
| TCP 6783 | Weave's control and data |
| UDP 6783/6784 | Weave's control and data |
| UDP 4789 | VXLAN |
| TCP 111 | rpcbind |
| TCP 179 | bird |

### Cluster Shared File System Implementation

Depending on which you use, the following ports should be opened:

### FSx

| Ports | Description |
| --- | --- |
| TCP 988 | NFS |

### NFS

Outbound NFS should for the nodes.

| Ports | Description |
| --- | --- |
| TCP 2049 | NFS |

### Load Balancer

If you are using an external load balancer, make sure that the load balancer supports WebSockets.

If you are using Amazon AWS with load balancing, ALB supports WebSockets, ELB does not.

**Note:**
  

The Classic Load Balancer in AWS does not support WebSockets.

  

### Next Steps

- [Installing Sisense on Linux](https://docs.sisense.com/main/SisenseLinux/installing-sisense-on-linux.md)
