Configure Windows Firewall for Grafana
Allow inbound access to Grafana on Windows 10, 11 and Server. Covers opening port 3000, restricting by IP or subnet, HTTPS firewall rules, and best practices for production environments.
Open port 3000 with PowerShell (recommended)
Run an elevated PowerShell prompt and use New-NetFirewallRule to allow inbound traffic on Grafana's default port.
# Allow all inbound traffic on port 3000 (Grafana default)
New-NetFirewallRule `
-DisplayName "Grafana Web UI (Port 3000)" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 3000 `
-Action Allow `
-Profile Domain,Private,Public
Restrict access to a specific IP range
To allow only your LAN or a specific subnet to reach Grafana, add a -RemoteAddress parameter:
# Allow only the 192.168.1.0/24 subnet
New-NetFirewallRule `
-DisplayName "Grafana Web UI — LAN only" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 3000 `
-RemoteAddress 192.168.1.0/24 `
-Action Allow
# Allow a single management IP
New-NetFirewallRule `
-DisplayName "Grafana Web UI — Admin PC" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 3000 `
-RemoteAddress 192.168.1.10 `
-Action Allow
Open port via Windows Defender Firewall GUI
Open Windows Defender Firewall
Search for Windows Defender Firewall with Advanced Security in Start Menu, or run wf.msc.
Create Inbound Rule
Click Inbound Rules → New Rule in the right panel. Select Port as the rule type.
Enter port number
Select TCP and enter 3000 (or your custom Grafana port) in the Specific local ports field.
Set action and scope
Choose Allow the connection. On the Scope tab, set remote IP addresses to your allowed subnet. Name the rule Grafana Web UI.
HTTPS firewall rule (port 443)
If you're running Grafana behind a reverse proxy (Nginx or IIS) with HTTPS, open port 443 instead of (or in addition to) 3000. Block external access to port 3000 itself so all traffic goes through the proxy.
# Allow HTTPS traffic (reverse proxy)
New-NetFirewallRule `
-DisplayName "HTTPS Inbound (Grafana via Proxy)" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 443 `
-Action Allow
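# Block direct access to the Grafana port from Internet-classified remote addresses;
# the reverse proxy on this host still reaches Grafana over localhost (127.0.0.1).
# A block rule overrides any matching allow rule.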
New-NetFirewallRule `
-DisplayName "Block Grafana 3000 External" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 3000 `
-RemoteAddress Internet `
-Action Block
Manage and remove firewall rules
# List all Grafana firewall rules
Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*Grafana*"}
# Remove a rule by display name
Remove-NetFirewallRule -DisplayName "Grafana Web UI (Port 3000)"
# Temporarily disable a rule (without deleting)
Disable-NetFirewallRule -DisplayName "Grafana Web UI (Port 3000)"
# Re-enable
Enable-NetFirewallRule -DisplayName "Grafana Web UI (Port 3000)"
Firewall best practices for Grafana
- Never expose port 3000 to the public internet without authentication hardening. Always use a reverse proxy with HTTPS.
- Use specific RemoteAddress ranges (your LAN, VPN subnet) rather than allowing all sources.
- For cloud or internet-facing deployments, place Grafana behind a reverse proxy on port 443 and block direct access to 3000.
- Review firewall rules after upgrades — MSI upgrades usually preserve existing rules, but verify.
- Use Windows Defender Firewall logging (Monitoring → Firewall) to troubleshoot dropped connections.
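One way to check the RemoteAddress and post-upgrade review items above, as an added example that is not part of the original page: it lists enabled inbound allow rules that explicitly name Grafana's port and flags those open to any remote address or active on the Public profile. The `$GrafanaPort` variable and the `Test-PortCovered` helper are names chosen for this example.

```powershell
# Added example: audit inbound allow rules that cover Grafana's port.
# Assumption: Grafana listens on the default port 3000; change for a custom port.
$GrafanaPort = 3000

# Hypothetical helper: does a LocalPort filter (single ports or ranges) include $Port?
# Rules whose LocalPort is "Any" (typically program-scoped rules) are skipped.
function Test-PortCovered {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($entry -eq "$Port") { return $true }
    }
    return $false
}

$findings = foreach ($rule in (Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow)) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -notin 'TCP', 'Any') { continue }
    if (-not (Test-PortCovered -LocalPort $portFilter.LocalPort -Port $GrafanaPort)) { continue }

    $addrFilter = $rule | Get-NetFirewallAddressFilter
    $remote = @($addrFilter.RemoteAddress)

    # Flag the two exposures the best-practice list warns about.
    $issues = @()
    if ($remote -contains 'Any') { $issues += 'any remote address' }
    if ("$($rule.Profile)" -match 'Any|Public') { $issues += 'active on Public profile' }

    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Profile       = $rule.Profile
        LocalPort     = $portFilter.LocalPort -join ','
        RemoteAddress = $remote -join ','
        Issues        = $issues -join '; '
    }
}

# Rules with an empty Issues column are scoped to specific sources and non-Public profiles.
$findings | Sort-Object DisplayName | Format-Table -AutoSize -Wrap
```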
Set up HTTPS next
Firewall rules alone aren't enough for production. Encrypt Grafana traffic with HTTPS via Nginx or IIS.