Linux Foundation PCA Exam - Topic 4 Question 14 Discussion

When Prometheus targets are behind firewalls or NAT and cannot be reached directly by the Prometheus server's pull mechanism, the recommended component to use is PushProx.

PushProx works by reversing the usual pull model. It consists of a PushProx Proxy (accessible by Prometheus) and PushProx Clients (running alongside the targets). The clients establish outbound connections to the proxy, which allows Prometheus to ''pull'' metrics indirectly. This approach bypasses network restrictions without compromising the Prometheus data model.

Unlike the Pushgateway (which is used for short-lived batch jobs, not network-isolated targets), PushProx maintains the Prometheus ''pull'' semantics while accommodating environments where direct scraping is impossible.

Verified from Prometheus documentation and official PushProx design notes -- Monitoring Behind NAT/Firewall, PushProx Overview, and Architecture and Usage Scenarios sections.