From f41102d3ea33bece5716050f23a18ad336954497 Mon Sep 17 00:00:00 2001 From: magdalena-alicja-michalska Date: Thu, 18 Jun 2026 12:25:02 -0700 Subject: [PATCH 1/2] Update ECE login page: HTTPS required for browser access since 3.7.0 --- .../deploy/cloud-enterprise/log-into-cloud-ui.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md b/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md index 68fad46f8e..f79b500d8e 100644 --- a/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md +++ b/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md 
@@ -12,14 +12,17 @@ products: To access the Cloud UI in a web browser: -1. Connect to one of the URLs provided at the end of the installation process on your first host, replacing `FIRST_HOST` with the correct IP address or DNS hostname. +1. Connect to the HTTPS URL provided at the end of the installation process on your first host, replacing `FIRST_HOST` with the correct IP address or DNS hostname. ```sh - http://:12400 https://:12443 ``` - Secure access through the HTTPS protocol is available with certificates generated during the installation of {{ece}}, but will prompt you with a warning in your browser. To avoid this warning, you can add [your own TLS/SSL security certificates](../../security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md). If you are on AWS and can’t access the Cloud UI, [check if the URL points to a private IP address](../../../troubleshoot/deployments/cloud-enterprise/common-issues.md#ece-aws-private-ip). + :::{note} + Starting with ECE 3.7.0, browser access to the Cloud UI requires HTTPS on port 12443. HTTP on port 12400 remains available for API calls (for example, using `curl`), but browsers will not render the UI correctly over HTTP due to security policy headers. + ::: + + Secure access through the HTTPS protocol is available with certificates generated during the installation of {{ece}}, but will prompt you with a warning in your browser. To avoid this warning, you can add [your own TLS/SSL security certificates](../../security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md). If you are on AWS and can't access the Cloud UI, [check if the URL points to a private IP address](../../../troubleshoot/deployments/cloud-enterprise/common-issues.md#ece-aws-private-ip). 2. Log in as user `admin` with the credentials provided. 3. On your first login, agree to the software license agreement to continue. You can opt out of sharing some basic usage statistics with Elastic. 
[Here is what we collect.](statistics-collected-by-cloud-enterprise.md) @@ -29,4 +32,3 @@ The Cloud UI displays the available deployments and some important information a * `admin-console-elasticsearch`: Backs the Cloud UI itself. * `logging-and-metrics`: Collects logs and performance metrics for your ECE installation. You must not use this deployment to index monitoring data from your own {{es}} clusters or use it to index data from Beats and Logstash. Always create a separate, dedicated monitoring deployment for your own use. * `security`: Stores all security-related configurations. - From e15768b5b3f2a424cd61696ff7d067d0a279c52b Mon Sep 17 00:00:00 2001 From: magdalena-alicja-michalska Date: Thu, 18 Jun 2026 12:25:39 -0700 Subject: [PATCH 2/2] Update networking prereqs: clarify port 12443 required for browser access --- .../deploy/cloud-enterprise/ece-networking-prereq.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md b/deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md index 8f8737a07a..4b29a22977 100644 --- a/deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md +++ b/deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md @@ -34,7 +34,11 @@ When there are multiple hosts for each role, the inbound networking and ports ca | 3 | Proxy | 9200, 9243 | {{es}} REST API. 9200 is plain text and 9243 is with TLS, also required by load balancers
| | 3 | Proxy | 9300, 9343 | {{es}} transport client. 9300 is plain text and 9343 is with TLS, also required by load balancers
| | 3 | Proxy | 9400, 9443 | {{es}} Cross Cluster Search and Cross Cluster Replication with TLS authentication (9400) or API key authentication (9443), also required by load balancers. Can be blocked if [CCR/CCS](../../remote-clusters/ece-enable-ccs.md) is not used.
| -| 7 | Coordinator | 12400/12443 | Cloud UI console to API (HTTP/HTTPS)
| +| 7 | Coordinator | 12443 (required), 12400 (optional) | Cloud UI console (HTTPS required for browser access, HTTP for API only)
| + +:::{note} +Starting with ECE 3.7.0, browser access to the Cloud UI requires HTTPS on port 12443. Port 12400 (HTTP) remains functional for programmatic API access (for example, `curl`), but browsers cannot render the Cloud UI over HTTP due to security policy headers. Ensure that port 12443 is open in your network policies before upgrading to ECE 3.7.0 or later. +::: **Inbound traffic from other ECE hosts**
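Review bot: In PATCH 1/2, the `:::{note}` added to log-into-cloud-ui.md says HTTP on port 12400 "remains available for API calls (for example, using `curl`)" but does not mention that credentials and API keys sent over that port travel unencrypted. Suggest adding a sentence that recommends port 12443 for API calls as well, so the note does not read as an endorsement of plain-text API access. The paragraph re-added below the note still says secure access "is available", which reads as optional next to a step 1 that now requires HTTPS; rewording it to say the HTTPS endpoint uses the certificates generated during installation would match. That same paragraph also changes the apostrophe in "can’t" to "can't", an unrelated edit that could be dropped from this diff.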
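Review bot: In PATCH 2/2, the new Coordinator row labels 12400 as "(optional)" but, unlike the 9400/9443 row just above it ("Can be blocked if ... is not used"), never tells operators that they may close the port. Suggest following that row's wording, for example "12400 can be blocked if plain-text API access is not used", so the table steers readers toward exposing only 12443. The row description also drops "to API" from the old text, so "HTTP for API only" is now the only place the API is mentioned; spelling it out as "Cloud UI console and API" would keep the meaning clear. The note under the table repeats the one added to log-into-cloud-ui.md almost word for word; if the docs build supports a shared snippet, a single source would keep the two from drifting apart.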