diff --git a/docs/operations.md b/docs/operations.md
index 151a1caa7..4375eef9a 100644
--- a/docs/operations.md
+++ b/docs/operations.md
@@ -157,7 +157,8 @@ We strongly recommend a separate user and systemd services for the Wormhole serv
 See the separate [wormhole-networks](https://github.com/wormhole-foundation/wormhole-networks) repository for examples
 on how to set up the guardiand unit for a specific network.
 
-You need to open port 8999/udp in your firewall for the P2P network. Nothing else has to be exposed externally.
+You need to open port 8999/udp in your firewall for the P2P network and 8996/udp for
+[cross chain queries](../whitepapers/0013_ccq.md). Nothing else has to be exposed externally.
 
 journalctl can show guardiand's colored output using the `-a` flag for binary output, i.e.: `journalctl -a -f -u guardiand`.
 
@@ -169,6 +170,10 @@ Refer to [devnet/](../devnet) for example k8s deployments as a starting point fo
 have to build your own containers. Unless you already run Kubernetes in production, we strongly recommend a traditional
 deployment on a dedicated instance - it's easier to understand and troubleshoot.
 
+When running in kubernetes, or behind any kind of NAT, pass `--gossipAdvertiseAddress=external.ip.address` to the
+guardiand node process to ensure the external address is advertized in p2p. If this is not done, reobservation
+requests and [ccq](https://wormhole.com/queries) will not function as intended.
+
 ### Monitoring
 
 Wormhole exposes a status server for readiness and metrics. By default, it listens on port 6060 on localhost.