If your host has a firewall or your Elastic Compute Service (ECS) instance uses a security group, you must add the IP addresses and ports of CloudMonitor servers to the outbound whitelist. This allows the CloudMonitor agent on your host to send heartbeat and monitoring data to the CloudMonitor backend.
Prerequisites
You must manage the CloudMonitor agent with an administrator account:
Linux: Log in as the root user.
Windows: Log in as the Administrator user.
Running under an administrator account carries inherent risks to system stability and data security. Exercise caution and follow your organization's security policies.
Network requirements summary
The following table lists all firewall rules required for the CloudMonitor agent:
| Data type | Network | Endpoint | Ports | Resolution method |
|---|---|---|---|---|
| Heartbeat | Any | cms-cloudmonitor.aliyun.com | 8080, 3128 | nslookup or ping |
| Monitoring | VPC | metrichub-<regionid>.aliyun.com | 80, 443 | nslookup |
| Monitoring | Internet | metrichub-cms-<regionid>.aliyuncs.com | 80, 443 | nslookup |
| Metadata | VPC only | 100.100.0.0/16 | 0-65535 | CIDR block (no resolution needed) |
Procedure
Step 1: Allow heartbeat traffic
The CloudMonitor agent sends heartbeat data to cms-cloudmonitor.aliyun.com on ports 8080 and 3128.
Resolve the server IP addresses by running either of the following commands on your host:
nslookup cms-cloudmonitor.aliyun.com
or
ping cms-cloudmonitor.aliyun.com
Add the resolved IP addresses and ports 8080 and 3128 to the outbound whitelist of your firewall.
Step 2: Allow monitoring data traffic
The CloudMonitor agent reports monitoring data on ports 80 and 443. The endpoint depends on whether your host reports data over a virtual private cloud (VPC) or over the Internet.
Report data over a VPC
If your host reports data through a VPC, the endpoint follows this pattern:
metrichub-<regionid>.aliyun.com
Replace <regionid> with the region ID of your Alibaba Cloud host. To find the region ID, run:
curl http://100.100.100.200/latest/meta-data/region-id
Then resolve the endpoint IP addresses:
nslookup metrichub-<regionid>.aliyun.com
Add the resolved IP addresses and ports 80 and 443 to the outbound whitelist of your firewall.
You must also add CIDR block 100.100.0.0/16 with port range 0-65535 to the outbound whitelist. This CIDR block is used to retrieve instance-related information such as the region ID.
Report data over the Internet
If your host reports data over the Internet, the endpoint follows this pattern:
metrichub-cms-<regionid>.aliyuncs.com
When reporting over the Internet, set <regionid> to one of the following values: cn-hangzhou, cn-shanghai, cn-beijing, or cn-shenzhen.
Resolve the endpoint IP addresses:
nslookup metrichub-cms-<regionid>.aliyuncs.com
Add the resolved IP addresses and ports 80 and 443 to the outbound whitelist of your firewall.
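The following script is an added example, not part of the original CloudMonitor documentation. It turns Steps 1 and 2 into a reviewable list of outbound rules, one per resolved address, limited to the ports in the table above. It assumes iptables is the host firewall, that all traffic is TCP, and that getent is available for name resolution; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: prints iptables OUTPUT rules; it does not apply them.
# TCP and the use of getent for resolution are assumptions, not from the page.

# Monitoring endpoint name: $1 = vpc|internet, $2 = region ID.
metrichub_host() {
  case "$1" in
    vpc)      echo "metrichub-$2.aliyun.com" ;;
    internet) echo "metrichub-cms-$2.aliyuncs.com" ;;
    *)        echo "unknown network: $1" >&2; return 1 ;;
  esac
}

# Resolve a name to its unique IPv4 addresses.
resolve_ipv4() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# One ACCEPT rule per address: $1 = comma-separated ports, rest = addresses.
# Values that are not dotted-quad IPv4 are skipped, so malformed lookup
# output never ends up in a rule.
allow_rules() {
  ports=$1; shift
  for ip in "$@"; do
    if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
      echo "skipping non-IPv4 value: $ip" >&2
      continue
    fi
    echo "iptables -A OUTPUT -p tcp -d $ip -m multiport --dports $ports -j ACCEPT"
  done
}

# Full rule set: $1 = vpc|internet, $2 = region ID.
# $3 / $4 = optional space-separated heartbeat / monitoring addresses; looked up when omitted.
cloudmonitor_rules() {
  mh=$(metrichub_host "$1" "$2") || return 1
  hb_ips=${3:-$(resolve_ipv4 cms-cloudmonitor.aliyun.com)}
  mh_ips=${4:-$(resolve_ipv4 "$mh")}
  allow_rules 8080,3128 $hb_ips
  allow_rules 80,443 $mh_ips
  # Metadata range applies on the VPC path only.
  if [ "$1" = vpc ]; then
    echo "iptables -A OUTPUT -p tcp -d 100.100.0.0/16 --dport 0:65535 -j ACCEPT"
  fi
}

# Example: sh rules.sh vpc cn-hangzhou
if [ "$#" -ge 2 ]; then cloudmonitor_rules "$@"; fi
```

Because the rules are pinned to addresses resolved at one point in time, rerun the script and compare its output with the installed rules when the agent stops reporting.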
Non-Alibaba Cloud hosts
If your host is not provided by Alibaba Cloud, you can use port 443 to report data over the Internet and to monitor the heartbeats of the CloudMonitor agent.