Features
Integrations
Dashboards
Log Management
APM
Continuous Profiler
Security Monitoring
Network Monitoring
Synthetic Monitoring
Real User Monitoring
Serverless
Alerts
API
Network Traffic
Traffic is always initiated by the Agent to Datadog. No sessions are ever initiated from Datadog back to the Agent:
- All traffic is sent over SSL
The destination for:
- APM data is
trace.agent.datadoghq.com - Live Containers data is
process.datadoghq.com - Logs data is
agent-intake.logs.datadoghq.comfor TCP traffic All other Agent data:
- Agents < 5.2.0
app.datadoghq.com - Agents >= 5.2.0
<VERSION>-app.agent.datadoghq.com
This decision was taken after the POODLE problem. Versioned endpoints start with Agent v5.2.0, where each version of the Agent calls a different endpoint based on the version of the Forwarder. For example, Agent v5.2.0 calls
5-2-0-app.agent.datadoghq.com. Therefore you must whitelist*.agent.datadoghq.comin your firewall(s).- Agents < 5.2.0
- APM data is
Since v6.1.0, the Agent also queries Datadog’s API to provide non-critical functionality (ex.: display validity of configured API key):
- Agent >= 7.18.0/6.18.0
api.datadoghq.com - Agent < 7.18.0/6.18.0
app.datadoghq.com
All of these domains are CNAME records pointing to a set of static IP addresses. These addresses can be found at:
- https://ip-ranges.datadoghq.com for Datadog US region.
- All traffic is sent over SSL
The destination for:
- APM data is
trace.agent.datadoghq.eu - Live Containers data is
process.datadoghq.eu - Logs data is
agent-intake.logs.datadoghq.eufor TCP traffic All other Agent data:
- Agents < 5.2.0
app.datadoghq.eu - Agents >= 5.2.0
<VERSION>-app.agent.datadoghq.eu
This decision was taken after the POODLE problem. Versioned endpoints start with Agent v5.2.0, where each version of the Agent calls a different endpoint based on the version of the Forwarder. For example, Agent v5.2.0 calls
5-2-0-app.agent.datadoghq.com. Therefore you must whitelist*.agent.datadoghq.euin your firewall(s).- Agents < 5.2.0
- APM data is
Since v6.1.0, the Agent also queries Datadog’s API to provide non-critical functionality (ex.: display validity of configured API key):
- Agent >= 7.18.0/6.18.0
api.datadoghq.eu - Agent < 7.18.0/6.18.0
app.datadoghq.eu
All of these domains are CNAME records pointing to a set of static IP addresses. These addresses can be found at:
- https://ip-ranges.datadoghq.eu for Datadog EU region.
The information is structured as JSON following this schema:
{
"version": 1, // <-- incremented every time this information is changed
"modified": "YYYY-MM-DD-HH-MM-SS", // <-- timestamp of the last modification
"agents": { // <-- the IPs used by the Agent to submit metrics to Datadog
"prefixes_ipv4": [ // <-- list of IPv4 CIDR blocks
"a.b.c.d/x",
...
],
"prefixes_ipv6": [ // <-- list of IPv6 CIDR blocks
...
]
},
"api": {...}, // <-- same for non-critical Agent functionality (querying informaton from API)
"apm": {...}, // <-- same structure as "agents" but IPs used for the APM Agent data
"logs": {...}, // <-- same for the logs Agent data
"process": {...}, // <-- same for the process Agent data
"synthetics": {...}, // <-- not used for Agent traffic (Datadog source IPs of bots for synthetic tests)
"webhooks": {...} // <-- not used for Agent traffic (Datadog source IPs delivering webhooks)
}Each section has a dedicated endpoint at, for example:
- https://ip-ranges.datadoghq.com/logs.json for the IPs used to receive logs data over TCP for Datadog US region.
- https://ip-ranges.datadoghq.com/apm.json for the IPs used to receive APM data for Datadog US region.
Each section has a dedicated endpoint, for example:
- https://ip-ranges.datadoghq.eu/logs.json for the IPs used to receive logs data over TCP for Datadog EU region.
- https://ip-ranges.datadoghq.eu/apm.json for the IPs used to receive APM data for Datadog EU region.
Note
You should whitelist all of these IPs. While only a subset are active at any given moment, there are variations over time within the entire set due to regular network operation and maintenance.
Open Ports
All outbound traffic is sent over SSL via TCP / UDP.
Open the following ports in order to benefit from all the Agent functionalities:
Outbound:
443/tcp: port for most Agent data. (Metrics, APM, Live Processes/Containers)123/udp: NTP - More details on the importance of NTP.10516/tcp: port for the Log collection over TCP for Datadog US region,443/tcpfor the Datadog EU region.10255/tcp: port for the Kubernetes http kubelet10250/tcp: port for the Kubernetes https kubelet
Inbound (used for Agent services communicating among themselves locally within the host only):
5000/tcp: port for the go_expvar server5001/tcp: port on which the IPC api listens5002/tcp: port for the Agent browser GUI to be served8125/udp: dogstatsd. Unlessdogstatsd_non_local_trafficis set to true. This port is available on localhost:127.0.0.1::1fe80::1
8126/tcp: port for the APM Receiver
Outbound:
443/tcp: port for most Agent data. (Metrics, APM, Live Processes/Containers)123/udp: NTP - More details on the importance of NTP.
Inbound:
8125/udp: DogStatsd. Unlessnon_local_trafficis set to true. This port is available on localhost:127.0.0.1::1fe80::1
8126/tcp: port for the APM Receiver17123/tcp: Agent forwarder, used to buffer traffic in case of network splits between the Agent and Datadog17124/tcp: optional graphite adapter
Using Proxies
For a detailed configuration guide on proxy setup, see Agent Proxy Configuration.
Further Reading
Additional helpful documentation, links, and articles:
On this Page