If your network configuration restricts outbound traffic, proxy all Agent traffic through one or several hosts that have more permissive outbound policies.
You have a few options to send traffic to Datadog over SSL/TLS for hosts that are not directly connected to the Internet:
Here is a common scenario with an Amazon VPC:
In the above diagram, the six EC2 instances in the VPC aren't internet-facing; however, they communicate with a single instance that is, and they use it to route local traffic to Datadog over TCP port 443.
In the above diagram, the six physical servers in the data center aren't internet-facing; however, they communicate with a single instance acting as a proxy that is open and may be used to route local traffic one way, from the hosts out to Datadog, over TCP port 443 (HTTPS) for external communication.