Network Traffic

Traffic is always initiated by the Agent to Datadog. No sessions are ever initiated from Datadog back to the Agent.

Overview

All Agent traffic is sent over SSL. The destination is dependent on the Datadog service and site. To see destinations based on your site, use the SITE selector on the right.

Destinations

APM
trace.agent.
Live Containers & Live Process
process.
Network Device Monitoring
ndm-intake. snmp-traps-intake. ndmflow-intake.
Orchestrator
orchestrator.
Profiling
intake.profile.
Real User Monitoring (RUM)
rum.
session-replay.
Synthetics private location
Worker v>=1.5.0 intake.synthetics. is the only endpoint to configure.
API test results for worker v>0.1.6 intake.synthetics.
Browser test results for worker v>0.2.0 intake-v2.synthetics.
API test results for worker v<0.1.5 api.

Database Monitoring
dbm-metrics-intake.
dbquery-intake.

Logs & HIPAA logs
TCP: agent-intake.logs.datadoghq.com
HTTP: agent-http-intake.logs.datadoghq.com
Other: See logs endpoints
HIPAA logs legacy
tcp-encrypted-intake.logs.datadoghq.com
lambda-tcp-encrypted-intake.logs.datadoghq.com
gcp-encrypted-intake.logs.datadoghq.com
http-encrypted-intake.logs.datadoghq.com

Logs & HIPAA logs
TCP: agent-intake.logs.datadoghq.eu
HTTP: agent-http-intake.logs.datadoghq.eu
Other: See logs endpoints
HIPAA logs legacy
tcp-encrypted-intake.logs.datadoghq.eu
lambda-tcp-encrypted-intake.logs.datadoghq.eu
gcp-encrypted-intake.logs.datadoghq.eu
http-encrypted-intake.logs.datadoghq.eu

Logs & HIPAA logs
HTTP: agent-http-intake.logs.us3.datadoghq.com
Other: See logs endpoints
HIPAA logs legacy
lambda-tcp-encrypted-intake.logs.us3.datadoghq.com
gcp-encrypted-intake.logs.us3.datadoghq.com
http-encrypted-intake.logs.us3.datadoghq.com

Logs & HIPAA logs
HTTP: agent-http-intake.logs.us5.datadoghq.com
Other: See logs endpoints
HIPAA logs legacy
lambda-tcp-encrypted-intake.logs.us5.datadoghq.com
gcp-encrypted-intake.logs.us5.datadoghq.com
http-encrypted-intake.logs.us5.datadoghq.com

Logs & HIPAA logs
HTTP: agent-http-intake.logs.ddog-gov.com
Other: See logs endpoints
HIPAA logs legacy
lambda-tcp-encrypted-intake.logs.ddog-gov.com
gcp-encrypted-intake.logs.ddog-gov.com
http-encrypted-intake.logs.ddog-gov.com

All other Agent data
<VERSION>-app.agent.
For example, Agent v7.31.0 reports to 7-31-0-app.agent.. Therefore you must add *.agent. to your inclusion list in your firewall(s).
Since v6.1.0, the Agent also queries Datadog’s API to provide non-critical functionality (For example, display validity of configured API key):
Agent >= 7.18.0/6.18.0 api.
Agent < 7.18.0/6.18.0 app.

All of these domains are CNAME records pointing to a set of static IP addresses. These addresses can be found at https://ip-ranges..

The information is structured as JSON following this schema:

{
    "version": 1,                          // <-- incremented every time this information is changed
    "modified": "YYYY-MM-DD-HH-MM-SS",     // <-- timestamp of the last modification
    "agents": {                            // <-- the IPs used by the Agent to submit metrics to Datadog
        "prefixes_ipv4": [                 // <-- list of IPv4 CIDR blocks
            "a.b.c.d/x",
            ...
        ],
        "prefixes_ipv6": [                 // <-- list of IPv6 CIDR blocks
            ...
        ]
    },
    "api": {...},                          // <-- same for non-critical Agent functionality (querying information from API)
    "apm": {...},                          // <-- same structure as "agents" but IPs used for the APM Agent data
    "logs": {...},                         // <-- same for the logs Agent data
    "process": {...},                      // <-- same for the process Agent data
    "orchestrator": {...},                 // <-- same for the process Agent data
    "synthetics": {...},                   // <-- not used for Agent traffic (Datadog source IPs of bots for synthetic tests)
    "synthetics-private-locations": {...}, // <-- not used for Agent traffic (Datadog intake IPs for synthetics private locations)
    "webhooks": {...}                      // <-- not used for Agent traffic (Datadog source IPs delivering webhooks)
}

Each section has a dedicated endpoint, for example:

  • https://ip-ranges./logs.json for the IPs used to receive logs data over TCP.
  • https://ip-ranges./apm.json for the IPs used to receive APM data.

Inclusion

Add all of the ip-ranges to your inclusion list. While only a subset are active at any given moment, there are variations over time within the entire set due to regular network operation and maintenance.

Open ports

All outbound traffic is sent over SSL through TCP / UDP.

Open the following ports to benefit from all the Agent functionalities:

    Outbound

    443/tcp
    Port for most Agent data (Metrics, APM, Live Processes/Containers)
    123/udp
    Port for NTP (more details on the importance of NTP).
    See default NTP targets.
    6062/tcp
    Port for the debug endpoints for the Process Agent.
    6162/tcp
    Port for configuring runtime settings for the Process Agent.
    10516/tcp
    Port for log collection over TCP.
    See logs endpoints for other connection types.
    10255/tcp
    Port for the Kubernetes HTTP Kubelet
    10250/tcp
    Port for the Kubernetes HTTPS Kubelet

    443/tcp
    Port for most Agent data (Metrics, APM, Live Processes/Containers)
    123/udp
    Port for NTP (more details on the importance of NTP).
    See default NTP targets.
    443/tcp
    Port for log collection over TCP.
    See logs endpoints for other connection types.
    10255/tcp
    Port for the Kubernetes HTTP Kubelet
    10250/tcp
    Port for the Kubernetes HTTPS Kubelet

    443/tcp
    Port for most Agent data (Metrics, APM, Live Processes/Containers)
    123/udp
    Port for NTP (more details on the importance of NTP).
    See default NTP targets.
    10255/tcp
    Port for the Kubernetes HTTP Kubelet
    10250/tcp
    Port for the Kubernetes HTTPS Kubelet

    Inbound

    Used for Agent services communicating with each other locally within the host only.

    5000/tcp
    Port for the go_expvar server
    5001/tcp
    Port the IPC API listens to
    5002/tcp
    Port for the Agent browser GUI
    8125/udp
    Port for DogStatsD unless dogstatsd_non_local_traffic is set to true. This port is available on localhost: 127.0.0.1, ::1, fe80::1.
    8126/tcp
    Port for the APM receiver

    Outbound

    443/tcp
    Port for most Agent data (Metrics, APM, Live Processes/Containers)
    123/udp
    Port for NTP (more details on the importance of NTP).
    See default NTP targets.

    Inbound

    8125/udp
    Port for DogStatsD unless dogstatsd_non_local_traffic is set to true. This port is available on localhost: 127.0.0.1, ::1, fe80::1.
    8126/tcp
    Port for the APM Receiver
    17123/tcp
    Agent forwarder, used to buffer traffic in case of network splits between the Agent and Datadog
    17124/tcp
    Optional graphite adapter

    Configure ports

    If you need to change an inbound port because the default port is already in use by an existing service on your network, edit the datadog.yaml configuration file. You can find most of the ports in the Advanced Configuration section of the file:

    datadog.yaml

    ## @param expvar_port - integer - optional - default: 5000
## @env DD_EXPVAR_PORT - integer - optional - default: 5000
## The port for the go_expvar server.
#
# expvar_port: 5000

## @param cmd_port - integer - optional - default: 5001
## @env DD_CMD_PORT - integer - optional - default: 5001
## The port on which the IPC api listens.
#
# cmd_port: 5001

## @param GUI_port - integer - optional
## @env DD_GUI_PORT - integer - optional
## The port for the browser GUI to be served.
## Setting 'GUI_port: -1' turns off the GUI completely
## Default is:
##  * Windows & macOS : `5002`
##  * Linux: `-1`
##
#
# GUI_port: <GUI_PORT>

    The APM receiver and the DogStatsD ports are located in the Trace Collection Configuration and DogStatsD Configuration sections of the datadog.yaml configuration file, respectively:

    datadog.yaml

    ## @param dogstatsd_port - integer - optional - default: 8125
## @env DD_DOGSTATSD_PORT - integer - optional - default: 8125
## Override the Agent DogStatsD port.
## Note: Make sure your client is sending to the same UDP port.
#
# dogstatsd_port: 8125

[...]

## @param receiver_port - integer - optional - default: 8126
## @env DD_APM_RECEIVER_PORT - integer - optional - default: 8126
## The port that the trace receiver should listen on.
## Set to 0 to disable the HTTP receiver.
#
# receiver_port: 8126

    Using proxies

    For a detailed configuration guide on proxy setup, see Agent Proxy Configuration.

    Data buffering

    If the network becomes unavailable, the Agent stores the metrics in memory. The maximum memory usage for storing the metrics is defined by the forwarder_retry_queue_payloads_max_size configuration setting. When this limit is reached, the metrics are dropped.

    Agent v7.27.0+ stores the metrics on disk when the memory limit is reached. Enable this capability by setting forwarder_storage_max_size_in_bytes to a positive value indicating the maximum amount of storage space, in bytes, that the Agent can use to store the metrics on disk.

    The metrics are stored in the folder defined by the forwarder_storage_path setting, which is by default /opt/datadog-agent/run/transactions_to_retry on Unix systems and C:\ProgramData\Datadog\run\transactions_to_retry on Windows.

    To avoid running out of storage space, the Agent stores the metrics on disk only if the total storage space used is less than 95 percent. This limit is defined by forwarder_storage_max_disk_ratio setting.

    Further Reading

    Additional helpful documentation, links, and articles:

    Collect your logsDOCUMENTATION more more Collect your processesDOCUMENTATION more more Collect your tracesDOCUMENTATION more more