Revise TCP port requirements for ECE remote clusters

eedugon · web-flow · commit c527782a3b9c · 2025-11-09T11:25:46.000+01:00
Updated TCP request port requirements for ECE proxies and load balancers based on the selected security model.
diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md
@@ -31,9 +31,19 @@ To use CCS or CCR, your environment must meet the following criteria:
   
   :::{include} _snippets/remote-cluster-certificate-compatibility.md
   :::
+
+* ECE proxies must answer TCP requests on the port used by the selected [security model](./security-models.md):
+  * `9400` when using TLS certificate–based authentication (deprecated).
+  * `9443` when using API key–based authentication.
   
-* Proxies must answer TCP requests on the port 9400. Check the [prerequisites for the ports that must permit outbound or inbound traffic](../deploy/cloud-enterprise/ece-networking-prereq.md).
-* Load balancers must pass-through TCP requests on port 9400. Check the [configuration details](../deploy/cloud-enterprise/ece-load-balancers.md).
+  For details, refer to the [remote cluster security models](../path/to/security-models.md) documentation and [ECE networking prerequisites](../deploy/cloud-enterprise/ece-networking-prereq.md).
+
+* Load balancers must pass through TCP requests on the port that corresponds to the security model:
+  * `9400` for TLS certificate–based authentication (deprecated).
+  * `9443` for API key–based authentication.
+
+  For configuration details, refer to the [ECE load balancer requirements](../deploy/cloud-enterprise/ece-load-balancers.md).
+
 * If your deployment was created before ECE version `2.9.0`, the Remote clusters page in {{kib}} must be enabled manually from the **Security** page of your deployment, by selecting **Enable CCR** under **Trust management**.
 
 ::::{note}
@@ -62,4 +72,4 @@ The steps, information, and authentication method required to configure CCS and
 
 ## Remote clusters and network security [ece-ccs-ccr-network-security]
 
-If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
