50 Sensitive nodes behind firewall, want only one port 9100 hole

gregGT · July 26, 2021, 6:32pm

Hello, we have an environment where 50 nodes are high security, behind a dedicated firewall. We want to monitor them all, but not open port 9100 up for all 50 nodes. We’d like to open up 9100 for one node on that subnet, and have it collect node_exporter data from all the others, and only that “collector” be scraped by our main prometheus server.

I’ve looked at federation, but that doesn’t seem to be what we need, as we’re not looking to aggregate data, just pass ALL data from 50 nodes from one collector. Any suggestions on what we want to do in this situation?

stuart · July 26, 2021, 6:45pm

The normal solution in this sort of situation would be to run a Prometheus server behind the firewall (or HA pair) to scrape all the secure servers, and then use federation or remote read/write.

gregGT · July 26, 2021, 8:03pm

Thanks Stuart. It seems that both hierarchy and cross-service federation envision aggregation, so I think not appropriate. Where can I find info on remote read/write? Thanks.

Topic		Replies	Views
Prometheus replication - Is federation the way to go? Prometheus server	3	720	July 15, 2021
One cluster with Prometheus to scrape multiple clusters Prometheus server	4	830	February 15, 2023
Ton of targets behind NAT - Suggestions General Help/Support	0	427	October 21, 2022
Use case discussion: IT monitoring, bare metal and network devices General Help/Support	0	91	July 3, 2024
Is it wise to use single Prometheus Server to scrape metrics from different kubernetes clusters on cloud? Prometheus server	0	552	September 5, 2022

50 Sensitive nodes behind firewall, want only one port 9100 hole

Related topics