Network Traffic

Traffic is always initiated by the Agent to Datadog. No sessions are ever initiated from Datadog back to the Agent:

All traffic is sent over SSL
The destination for:
- APM data is trace.agent.
- Live Containers & Live Process data is process.
- Logs data includes agent-intake.logs. for TCP traffic, agent-http-intake.logs. in HTTP, and several others. Review the complete list of logs endpoints for more information.
- Orchestrator Resources data is orchestrator..
- Real User Monitoring (RUM) data is rum-http-intake.logs.
- Profiling data is intake.profile.
- HIPAA logs data is the same as for all Logs, but also the following legacy endpoints are supported:
  - tcp-encrypted-intake.logs.
  - lambda-tcp-encrypted-intake.logs.
  - gcp-encrypted-intake.logs.
  - http-encrypted-intake.logs.
- All other Agent data:
  - Agents < 5.2.0 app.
  - Agents >= 5.2.0 <VERSION>-app.agent.
    This decision was taken after the POODLE problem. Versioned endpoints start with Agent v5.2.0, where each version of the Agent calls a different endpoint based on the version of the Forwarder. For example, Agent v5.2.0 calls 5-2-0-app.agent.. Therefore you must whitelist *.agent. in your firewall(s).

Since v6.1.0, the Agent also queries Datadog’s API to provide non-critical functionality (For example, display validity of configured API key):

Agent >= 7.18.0/6.18.0 api.
Agent < 7.18.0/6.18.0 app.

All of these domains are CNAME records pointing to a set of static IP addresses. These addresses can be found at https://ip-ranges..

The information is structured as JSON following this schema:

{
    "version": 1,                       // <-- incremented every time this information is changed
    "modified": "YYYY-MM-DD-HH-MM-SS",  // <-- timestamp of the last modification
    "agents": {                         // <-- the IPs used by the Agent to submit metrics to Datadog
        "prefixes_ipv4": [              // <-- list of IPv4 CIDR blocks
            "a.b.c.d/x",
            ...
        ],
        "prefixes_ipv6": [              // <-- list of IPv6 CIDR blocks
            ...
        ]
    },
    "api": {...},                       // <-- same for non-critical Agent functionality (querying informaton from API)
    "apm": {...},                       // <-- same structure as "agents" but IPs used for the APM Agent data
    "logs": {...},                      // <-- same for the logs Agent data
    "process": {...},                   // <-- same for the process Agent data
    "orchestrator": {...},              // <-- same for the process Agent data
    "synthetics": {...},                // <-- not used for Agent traffic (Datadog source IPs of bots for synthetic tests)
    "webhooks": {...}                   // <-- not used for Agent traffic (Datadog source IPs delivering webhooks)
}

Each section has a dedicated endpoint, for example:

https://ip-ranges./logs.json for the IPs used to receive logs data over TCP.
https://ip-ranges./apm.json for the IPs used to receive APM data.

Note

You should whitelist all of these IPs. While only a subset are active at any given moment, there are variations over time within the entire set due to regular network operation and maintenance.

Open ports

All outbound traffic is sent over SSL via TCP / UDP.

Open the following ports in order to benefit from all the Agent functionalities:

Dropdown

Outbound:
- 443/tcp: port for most Agent data. (Metrics, APM, Live Processes/Containers)
- 123/udp: NTP - More details on the importance of NTP.
- 10516/tcp: port for the Log collection over TCP for Datadog US region, 443/tcp for the Datadog EU region.
- 10255/tcp: port for the Kubernetes http kubelet
- 10250/tcp: port for the Kubernetes https kubelet
Inbound (used for Agent services communicating among themselves locally within the host only):
- 5000/tcp: port for the go_expvar server
- 5001/tcp: port on which the IPC api listens
- 5002/tcp: port for the Agent browser GUI to be served
- 8125/udp: dogstatsd. Unless dogstatsd_non_local_traffic is set to true. This port is available on localhost:
  - 127.0.0.1
  - ::1
  - fe80::1
- 8126/tcp: port for the APM Receiver

Outbound:
- 443/tcp: port for most Agent data. (Metrics, APM, Live Processes/Containers)
- 123/udp: NTP - More details on the importance of NTP.
Inbound:
- 8125/udp: DogStatsd. Unless non_local_traffic is set to true. This port is available on localhost:
  - 127.0.0.1
  - ::1
  - fe80::1
- 8126/tcp: port for the APM Receiver
- 17123/tcp: Agent forwarder, used to buffer traffic in case of network splits between the Agent and Datadog
- 17124/tcp: optional graphite adapter

Using proxies

For a detailed configuration guide on proxy setup, see Agent Proxy Configuration.

Agent-side data buffering on network unavailability

If the network becomes unavailable, the Agent stores the metrics in memory. The maximum memory usage for storing the metrics is defined by the forwarder_retry_queue_payloads_max_size configuration setting. When this limit is reached, the metrics are dropped.

Agent version 7.27.0 and above can store the metrics on disk when the memory limit is reached. Enable this capability by setting forwarder_storage_max_size_in_bytes to a positive value indicating the maximum amount of storage space, in bytes, that the Agent can use to store the metrics on disk.

The metrics are stored in the folder defined by the forwarder_storage_path setting, which is by default /opt/datadog-agent/run/transactions_to_retry on Unix systems and C:\ProgramData\Datadog\run\transactions_to_retry on Windows.

To avoid running out of storage space, the Agent stores the metrics on disk only if the total storage space used is less than 95 percent. This limit is defined by forwarder_storage_max_disk_ratio setting.

Datadog Docs

Network Traffic

Note

Open ports

Using proxies

Agent-side data buffering on network unavailability

Further Reading