diff --git a/k8s-base/roles/global-monitoring-frontend/templates/haproxy.cfg.j2 b/k8s-base/roles/global-monitoring-frontend/templates/haproxy.cfg.j2
index 7046366efab3cd1cb254a13a828b5853da4b7fd1..efae3807982690e8c1e2825bee3c6c43052fa130 100644
--- a/k8s-base/roles/global-monitoring-frontend/templates/haproxy.cfg.j2
+++ b/k8s-base/roles/global-monitoring-frontend/templates/haproxy.cfg.j2
@@ -27,3 +27,29 @@ backend k8s_prometheus_back
 server {{ host }} {{ hostvars[host]['local_ipv6_address'] }}:{{ k8s_global_monitoring_nodeport }} check verify none
 {% endif %}
 {% endfor %}
+
+frontend k8s_prometheus_sidecar_front
+ bind {{ networking_fixed_ip }}:{{ k8s_global_monitoring_nodeport_sidecar }}
+ {% if dualstack_support %}
+ bind {{ networking_fixed_ip_v6 }}:{{ k8s_global_monitoring_nodeport_sidecar }} transparent
+ {% endif %}
+ mode tcp
+ log global
+ option tcplog
+ timeout client 600s
+ default_backend k8s_prometheus_sidecar_back
+
+backend k8s_prometheus_sidecar_back
+ mode tcp
+ option redispatch
+ log global
+ balance roundrobin
+ timeout connect 10s
+ timeout server 600s
+
+ {% for host in groups['masters'] %}
+ server {{ host }} {{ hostvars[host]['local_ipv4_address'] }}:{{ k8s_global_monitoring_nodeport_sidecar }} check verify none
+ {% if dualstack_support %}
+ server {{ host }} {{ hostvars[host]['local_ipv6_address'] }}:{{ k8s_global_monitoring_nodeport_sidecar }} check verify none
+ {% endif %}
+ {% endfor %}
diff --git a/k8s-base/roles/global-monitoring-frontend/templates/nftables.conf.j2 b/k8s-base/roles/global-monitoring-frontend/templates/nftables.conf.j2
index f73781aa02d4a45bd717b77965a67a3f8b65c9c1..4d1388c3c7e22c667db6c1296b600db5d2653385 100644
--- a/k8s-base/roles/global-monitoring-frontend/templates/nftables.conf.j2
+++ b/k8s-base/roles/global-monitoring-frontend/templates/nftables.conf.j2
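Review bot: The new `k8s_prometheus_sidecar_front` passes the sidecar gRPC port through in `mode tcp` with no ACL and no TLS termination, so HAProxy adds no authentication, and the only access control visible in this commit is the `tcp_internal_accepted` element added in the nftables.conf.j2 hunk; the NodePort added in prometheus-nodeport.yaml exposes the same port on the cluster nodes. Whether the sidecar itself enforces TLS or client certificates is not visible here, so I would state the assumption above the frontend, e.g. `# gRPC passthrough, no auth at this layer; reachability is limited by nftables tcp_internal_accepted only`. Also, on the new `server` lines `check verify none` has no effect without `ssl` (the check is a plain TCP connect) and would silently disable certificate verification if `ssl` is added later; `check` alone says what is meant.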
@@ -4,3 +4,4 @@ {{ _auto_generated_preamble }} add element inet filter tcp_internal_accepted { {{ k8s_global_monitoring_nodeport }} }
+add element inet filter tcp_internal_accepted { {{ k8s_global_monitoring_nodeport_sidecar }} }
diff --git a/k8s-managed-services/roles/monitoring_v2/templates/prometheus-nodeport.yaml b/k8s-managed-services/roles/monitoring_v2/templates/prometheus-nodeport.yaml
index 2cece17819c27f0a3f43cd85b81178e96a2d77d4..48362a760736d5c8047b8d08ec04c58f9052f1cf 100644
--- a/k8s-managed-services/roles/monitoring_v2/templates/prometheus-nodeport.yaml
+++ b/k8s-managed-services/roles/monitoring_v2/templates/prometheus-nodeport.yaml
@@ -8,9 +8,14 @@ metadata:
 spec:
 type: NodePort
 ports:
- - nodePort: {{ k8s_global_monitoring_nodeport | to_json }}
+ - name: prometheus
+ nodePort: {{ k8s_global_monitoring_nodeport | to_json }}
 port: 9090 # Prometheus
 protocol: TCP
+ - name: sidecar
+ nodePort: {{ k8s_global_monitoring_nodeport_sidecar | to_json }}
+ port: 10901 # Sidecar gRPC endpoint
+ protocol: TCP
 selector:
 prometheus: prometheus-stack-kube-prom-prometheus
 app.kubernetes.io/instance: prometheus-stack-kube-prom-prometheus
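Review bot: The `sidecar` port is added to the Service unconditionally, together with the HAProxy backend and the nftables element in the other two files. If the sidecar container is optional in this role (not visible from this hunk), clusters without it get a NodePort and a firewall opening with nothing listening behind them, plus a permanently failing HAProxy check. Consider guarding the four added lines with the role's existing switch, e.g. `{% if <SIDECAR_ENABLED_VAR> %}` … `{% endif %}` (placeholder name, the real variable is not on this page). The Service spec continues outside the hunk.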