From 99285eda22b63c287c9fb89df0610a222d9bd57e Mon Sep 17 00:00:00 2001 From: xenolinux Date: Wed, 8 Oct 2025 14:06:16 +0530 Subject: [PATCH] OSDOCS#16434: Open the firewall port 53 on TCP for HCP --- hosted_control_planes/hcp-prepare/hcp-requirements.adoc | 2 ++ modules/hcp-proxy-cp-workloads.adoc | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/hosted_control_planes/hcp-prepare/hcp-requirements.adoc b/hosted_control_planes/hcp-prepare/hcp-requirements.adoc index 2a42fd4e01..79c20a505b 100644 --- a/hosted_control_planes/hcp-prepare/hcp-requirements.adoc +++ b/hosted_control_planes/hcp-prepare/hcp-requirements.adoc @@ -14,6 +14,8 @@ The following requirements apply to {hcp}: * In order to run the HyperShift Operator, your management cluster needs at least three worker nodes. +* You must open the firewall port `53` on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) to allow the Domain Name Service (DNS) protocol to work as expected. + * You can run both the management cluster and the worker nodes on-premise, such as on a bare-metal platform or on {VirtProductName}. In addition, you can run both the management cluster and the worker nodes on cloud infrastructure, such as {aws-first}. * If you use a mixed infrastructure, such as running the management cluster on {aws-short} and your worker nodes on-premise, or running your worker nodes on {aws-short} and your management cluster on-premise, you must use the `PublicAndPrivate` publishing strategy and follow the latency requirements in the support matrix. diff --git a/modules/hcp-proxy-cp-workloads.adoc b/modules/hcp-proxy-cp-workloads.adoc index ce0c68bd44..9b3f5eb644 100644 --- a/modules/hcp-proxy-cp-workloads.adoc +++ b/modules/hcp-proxy-cp-workloads.adoc 
@@ -16,9 +16,11 @@ Operators that run in the control plane need to access external services through * The Ingress Operator needs access to validate external canary routes. -In a hosted cluster, you must send traffic that originates from the Control Plane Operator, Ingress Operator, OAuth server, and OpenShift API server pods through the data plane to the configured proxy and then to its final destination. +* You must open the firewall port `53` on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) to allow the Domain Name Service (DNS) protocol to work as expected. + +In a hosted cluster, you must send traffic that originates from the Control Plane Operator, Ingress Operator, OAuth server, and OpenShift API server pods through the data plane to the configured proxy and then to its final destination. [NOTE] ==== Some operations are not possible when a hosted cluster is reduced to zero compute nodes; for example, when you import OpenShift image streams from a registry that requires proxy access. -==== \ No newline at end of file +====
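Review bot: In the first hunk (hcp-requirements.adoc), the new bullet "You must open the firewall port `53` on ... (TCP) and ... (UDP)" does not say on which hosts the rule applies or in which direction the traffic flows, so a reader could open port 53 inbound on the management cluster when only outbound resolution from the control plane is needed; please state the scope (for example, outbound from the management cluster nodes to the configured DNS resolver) so administrators can write the narrowest rule. Two smaller points: the expansion of DNS is "Domain Name System", not "Domain Name Service", and a short reason why TCP is required alongside UDP (DNS falls back to TCP when a response exceeds the UDP size limit and is truncated) would stop people from opening UDP only, which is a common cause of intermittent resolution failures.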
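Review bot: In the second hunk (hcp-proxy-cp-workloads.adoc), the firewall bullet is appended to a list whose items each describe what a specific operator needs to reach ("The Ingress Operator needs access to validate external canary routes."), so a "You must open the firewall port `53`" requirement reads as an odd member of that list; consider moving it into its own sentence or a [NOTE] after the list, and, since this module explains that control-plane traffic is sent "through the data plane to the configured proxy", say explicitly whether the DNS rule applies on the data plane, on the proxy, or on both. The bullet text is also a verbatim copy of the one added to hcp-requirements.adoc; if both are kept, the same "Domain Name Service" vs. "Domain Name System" fix should be applied here so the two modules stay consistent. The trailing "\ No newline at end of file" fix is fine.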