diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
index c62809a11..637203dbe 100644
--- a/pkg/agent/agent.go
+++ b/pkg/agent/agent.go
@@ -156,6 +156,12 @@ func FlowsAgent(cfg *Config) (*Flows, error) {
 },
 Prefix: cfg.MetricsPrefix,
 }
+ if cfg.MetricsTLSCertPath != "" && cfg.MetricsTLSKeyPath != "" {
+ metricsSettings.PromConnectionInfo.TLS = &metrics.PromTLS{
+ CertPath: cfg.MetricsTLSCertPath,
+ KeyPath: cfg.MetricsTLSKeyPath,
+ }
+ }
 m := metrics.NewMetrics(metricsSettings)
 
 // configure selected exporter
diff --git a/pkg/agent/config.go b/pkg/agent/config.go
index 4fdcda288..ec6e99d2a 100644
--- a/pkg/agent/config.go
+++ b/pkg/agent/config.go
@@ -175,6 +175,10 @@ type Config struct {
 MetricsServerAddress string `env:"METRICS_SERVER_ADDRESS"`
 // MetricsPort is the port of the server that collects ebpf agent metrics.
 MetricsPort int `env:"METRICS_SERVER_PORT" envDefault:"9090"`
+ // MetricsTLSCertPath is the path to the server certificate for TLS connections
+ MetricsTLSCertPath string `env:"METRICS_TLS_CERT_PATH"`
+ // MetricsTLSKeyPath is the path to the server private key for TLS connections
+ MetricsTLSKeyPath string `env:"METRICS_TLS_KEY_PATH"`
 // MetricsPrefix is the prefix of the metrics that are sent to the server.
 MetricsPrefix string `env:"METRICS_PREFIX" envDefault:"ebpf_agent_"`
 
diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go
index 57c494b28..1d49cf776 100644
--- a/pkg/metrics/metrics.go
+++ b/pkg/metrics/metrics.go
@@ -14,9 +14,15 @@ type MetricDefinition struct {
 Labels []string
 }
 
+type PromTLS struct {
+ CertPath string
+ KeyPath string
+}
+
 type PromConnectionInfo struct {
 Address string
 Port int
+ TLS *PromTLS
 }
 
 type Settings struct {
diff --git a/pkg/prometheus/prom_server.go b/pkg/prometheus/prom_server.go
index c78f89fab..c50639a2e 100644
--- a/pkg/prometheus/prom_server.go
+++ b/pkg/prometheus/prom_server.go
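Review bot: The condition `cfg.MetricsTLSCertPath != "" && cfg.MetricsTLSKeyPath != ""` in pkg/agent/agent.go leaves `TLS` nil when only one of the two variables is set, so a half-configured deployment silently serves metrics over plain HTTP instead of failing. FlowsAgent already returns an error, so the mismatch can be rejected before this block, e.g. `if (cfg.MetricsTLSCertPath == "") != (cfg.MetricsTLSKeyPath == "") { return nil, errors.New("METRICS_TLS_CERT_PATH and METRICS_TLS_KEY_PATH must be set together") }` (or the error style this file already uses). The doc comments added in pkg/agent/config.go could also state that both paths must be set together and that the endpoint stays on plain HTTP when they are empty. FlowsAgent's body starts before this hunk and continues after it.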
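Review bot: The exported type `PromTLS` and the new `TLS` field in pkg/metrics/metrics.go have no doc comments, and nothing on the type tells a reader that a nil `TLS` means the server runs without TLS. Suggested comments: `// PromTLS holds the certificate and private-key file paths used to serve the Prometheus endpoint over TLS.` on the type, and `// TLS enables HTTPS when non-nil; nil serves plain HTTP.` on the field.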
@@ -53,7 +53,12 @@ func StartServerAsync(conn *metrics.Settings, registry *prom.Registry) *http.Ser
 httpServer = defaultServer(httpServer)
 
 go func() {
- err := httpServer.ListenAndServe()
+ var err error
+ if conn.TLS != nil {
+ err = httpServer.ListenAndServeTLS(conn.TLS.CertPath, conn.TLS.KeyPath)
+ } else {
+ err = httpServer.ListenAndServe()
+ }
 if err != nil && err != http.ErrServerClosed {
 maybePanic("error in http.ListenAndServe: %v", err)
 }
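Review bot: `ListenAndServeTLS(conn.TLS.CertPath, conn.TLS.KeyPath)` reads the key pair once at startup, so a certificate that is rotated on disk (for example by a certificate manager) keeps being served until the agent restarts and can expire in place. Consider loading the pair through `TLSConfig.GetCertificate` and calling `ListenAndServeTLS("", "")`, as sketched below; this needs the `crypto/tls` import. Whether `defaultServer` already sets a `TLSConfig` with a minimum protocol version is not visible in this hunk, so the sketch only fills one in when it is nil. The unchanged `maybePanic("error in http.ListenAndServe: %v", err)` message will now also report TLS failures such as an unreadable key file, which is worth rewording. StartServerAsync starts before the hunk and continues after it.

```go
		var err error
		if conn.TLS != nil {
			if httpServer.TLSConfig == nil {
				httpServer.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
			}
			// Load the pair per handshake so a rotated certificate is picked up without a restart.
			// NOTE: a bad path now surfaces on the first handshake; keep an up-front
			// tls.LoadX509KeyPair check if failing at startup is wanted.
			httpServer.TLSConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
				cert, loadErr := tls.LoadX509KeyPair(conn.TLS.CertPath, conn.TLS.KeyPath)
				if loadErr != nil {
					return nil, loadErr
				}
				return &cert, nil
			}
			err = httpServer.ListenAndServeTLS("", "")
		} else {
			// … unchanged: plain ListenAndServe branch …
		}
```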