50 Sensitive nodes behind firewall, want only one port 9100 hole

Hello, we have an environment where 50 nodes are high security, behind a dedicated firewall. We want to monitor them all, but not open port 9100 up for all 50 nodes. We’d like to open up 9100 for one node on that subnet, and have it collect node_exporter data from all the others, and only that “collector” be scraped by our main Prometheus server.

I’ve looked at federation, but that doesn’t seem to be what we need, as we’re not looking to aggregate data, just pass ALL data from 50 nodes from one collector. Any suggestions on what we want to do in this situation?

The normal solution in this sort of situation would be to run a Prometheus server behind the firewall (or HA pair) to scrape all the secure servers, and then use federation or remote read/write.
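A sketch of the layout described in the answer above, added here as an illustration and not taken from the thread: a Prometheus inside the secure subnet scrapes every node_exporter, and the main server pulls those series unaggregated through `/federate`. The hostnames, IP addresses, job names and scrape interval are assumptions.

```yaml
# prometheus.yml on the collector inside the secure subnet.
# Addresses are placeholders; list one target per secure node.
global:
  scrape_interval: 30s
scrape_configs:
  - job_name: node
    static_configs:
      - targets:
          - 10.0.50.11:9100
          - 10.0.50.12:9100
          # ... remaining secure nodes

# Alternative to federation: push outward instead of being scraped,
# so the firewall needs no inbound rule at all. The receiving server
# must be started with --web.enable-remote-write-receiver.
# remote_write:
#   - url: https://prometheus-main.example/api/v1/write
---
# prometheus.yml on the main server outside the firewall.
scrape_configs:
  - job_name: federate-secure
    # Keep the job/instance labels assigned by the collector, so each
    # of the 50 nodes still appears as its own instance.
    honor_labels: true
    metrics_path: /federate
    params:
      # A plain selector with no aggregation: every series of the
      # collector's "node" job is returned as-is.
      'match[]':
        - '{job="node"}'
    static_configs:
      - targets:
          # The only inbound hole: the collector's Prometheus port
          # (9090 by default, changeable with --web.listen-address).
          - collector.secure.example:9090
```

With the federation variant, the firewall rule can be limited to the main server's source address reaching that single collector port; node_exporter's 9100 stays closed to everything outside the subnet.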

Thanks Stuart. It seems that both hierarchy and cross-service federation envision aggregation, so I think not appropriate. Where can I find info on remote read/write? Thanks.