Do I need a firewall rule for localhost?

If you access Grafana only from the same machine (localhost), you typically don't need an inbound rule. Add a rule only when exposing to other machines.

Should I enable the Public profile?

Prefer Private/Domain profiles. Avoid Public unless you explicitly need exposure on public networks and understand the risk.

How do I restrict access to a subnet only?

Use PowerShell's -RemoteAddress (e.g., 192.168.1.0/24) or netsh remoteip= to limit inbound connections to a specific subnet.

What about HTTPS behind a reverse proxy?

If Grafana sits behind IIS/NGINX using HTTPS, open 443 on the proxy host and restrict scope. Internally, proxy to Grafana's port (e.g., 3000).

Configure Windows Firewall for Grafana

Create minimal, scoped firewall rules for Grafana's HTTP/HTTPS access. Prefer Private/Domain profiles, restrict to subnets, and verify connectivity.

Do you even need an inbound rule?

Local only (localhost): No inbound rule required.
LAN access: Add an inbound rule on the listening port (default 3000), Private profile only.
Internet exposure: Use a reverse proxy with HTTPS and strict firewall scope. Avoid Public networks when possible.

Add inbound rule (PowerShell)

New-NetFirewallRule -DisplayName "Grafana HTTP" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3000 -Profile Private

Restrict to a subnet (recommended):

New-NetFirewallRule -DisplayName "Grafana HTTP (LAN)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3000 -Profile Private -RemoteAddress 192.168.1.0/24

Add inbound rule (netsh)

netsh advfirewall firewall add rule name="Grafana HTTP" dir=in action=allow protocol=TCP localport=3000 profile=private

Restrict to a subnet:

netsh advfirewall firewall add rule name="Grafana HTTP (LAN)" dir=in action=allow protocol=TCP localport=3000 remoteip=192.168.1.0/24 profile=private

HTTPS via reverse proxy

Terminate HTTPS at IIS/NGINX/Apache on port 443 with a valid certificate.
Open firewall for 443 (Private/Domain) and proxy internally to Grafana's port (e.g., 3000).
Restrict scope to required subnets; avoid Public profile when possible.

See: Upgrade & Rollback • Install as Service

Change port? Update firewall

Grafana default port is 3000. If you change it, adjust the firewall rule accordingly.
Delete old rule and add a new one for the new port.

netsh advfirewall firewall delete rule name="Grafana HTTP"

Verify connectivity

Test-NetConnection -ComputerName localhost -Port 3000

netstat -ano | findstr :3000

Open a browser from an allowed machine: http://HOSTNAME:3000

GUI path (Windows Defender Firewall)

Open Windows Defender Firewall with Advanced Security.
Inbound Rules → New Rule… → Port → TCP → Specific local ports: 3000.
Allow the connection → apply to Private (and Domain if applicable).
Name the rule (e.g., "Grafana HTTP") and finish.
Optionally edit the rule's Scope to restrict remote IP addresses.

Common pitfalls

Rule on wrong profile (Public only) → clients on Private network still blocked.
Endpoint protection or corporate firewall blocking traffic in addition to Windows Firewall.
Port already in use by another app — change Grafana port and update rules.

More help: Common Errors