
Network Traffic

Traffic is always initiated by the Agent to Datadog. No sessions are ever initiated from Datadog back to the Agent:

  • All traffic is sent over SSL
  • The destination for APM data is trace.agent.datadoghq.com
  • The destination for Live Containers data is process.datadoghq.com
  • The destination for Logs data is agent-intake.logs.datadoghq.com
  • The destination for all other Agent data is:
    • Agents < 5.2.0: app.datadoghq.com
    • Agents >= 5.2.0: <version>-app.agent.datadoghq.com

Versioned endpoints were adopted after the POODLE problem. They start with Agent v5.2.0: each version of the Agent calls a different endpoint based on the version of the Forwarder. For example, Agent v5.2.0 calls 5-2-0-app.agent.datadoghq.com. Therefore you must whitelist *.agent.datadoghq.com in your firewall(s).

These domains are CNAME records pointing to a set of static IP addresses. These addresses can be found at:

The information is structured as JSON following this schema:

{
    "version": 1,                       // <-- incremented every time this information is changed
    "modified": "YYYY-MM-DD-HH-MM-SS",  // <-- timestamp of the last modification
    "agents": {                         // <-- the IPs used by the Agent to submit metrics to Datadog
        "prefixes_ipv4": [              // <-- list of IPv4 CIDR blocks
            "a.b.c.d/x",
            ...
        ],
        "prefixes_ipv6": [              // <-- list of IPv6 CIDR blocks
            ...
        ]
    },
    "apm": {...},                       // <-- same structure as "agents" but IPs used for the APM Agent data
    "logs": {...},                      // <-- same for the logs Agent data
    "process": {...},                   // <-- same for the process Agent data
    "api": {...},                       // <-- not used for Agent traffic (submitting data via API)
    "webhooks": {...}                   // <-- not used for Agent traffic (Datadog source IPs delivering webhooks)
}

Each section has a dedicated endpoint at https://ip-ranges.datadoghq.com/<section>.json, for example:

Note

You should whitelist all of these IPs; while only a subset are active at any given moment, there are variations over time within the entire set due to regular network operation and maintenance.
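
As an added example (not Datadog's code), the following Python builds an outbound allowlist from a document in the schema above, taking only the sections the page marks as Agent traffic and using "version" to detect changes. The sample document and the function names are constructed for illustration and use documentation-reserved address ranges.

```python
import ipaddress
import json

# Sections the page lists as Agent traffic; "api" and "webhooks" are not.
AGENT_SECTIONS = ("agents", "apm", "logs", "process")

# Constructed sample in the page's schema (documentation ranges, not real Datadog IPs).
SAMPLE = json.loads("""
{
  "version": 7,
  "modified": "2018-01-01-00-00-00",
  "agents":   {"prefixes_ipv4": ["192.0.2.0/25", "192.0.2.128/25"], "prefixes_ipv6": ["2001:db8:1::/48"]},
  "apm":      {"prefixes_ipv4": ["198.51.100.0/24"], "prefixes_ipv6": []},
  "logs":     {"prefixes_ipv4": ["198.51.100.16/28"], "prefixes_ipv6": []},
  "process":  {"prefixes_ipv4": ["203.0.113.8/29"], "prefixes_ipv6": []},
  "api":      {"prefixes_ipv4": ["203.0.113.128/25"], "prefixes_ipv6": []},
  "webhooks": {"prefixes_ipv4": ["203.0.113.64/26"], "prefixes_ipv6": []}
}
""")


def egress_allowlist(doc, sections=AGENT_SECTIONS):
    """Return (ipv4, ipv6) lists of collapsed networks for the given sections."""
    v4, v6 = [], []
    for name in sections:
        section = doc.get(name, {})
        # Default strict parsing raises ValueError on a CIDR with host bits set.
        v4 += [ipaddress.IPv4Network(p) for p in section.get("prefixes_ipv4", [])]
        v6 += [ipaddress.IPv6Network(p) for p in section.get("prefixes_ipv6", [])]
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def needs_update(doc, last_applied_version):
    """The page says "version" is incremented whenever the ranges change."""
    return doc["version"] > last_applied_version


def is_allowed(ip, allowlist):
    """True if ip falls inside the allowlist returned by egress_allowlist()."""
    addr = ipaddress.ip_address(ip)
    v4, v6 = allowlist
    return any(addr in net for net in (v4 if addr.version == 4 else v6))
```

Collapsing merges adjacent and nested prefixes, which keeps the resulting firewall rule set small while still covering the entire published set.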

Open Ports

All traffic is sent (outbound only) over SSL via TCP.

Open the following ports in order to benefit from all the Agent functionalities:

  • Outbound:

  • Inbound:

    • 8125/udp: DogStatsD. Unless dogstatsd_non_local_traffic is set to true, this port is available on localhost:

      • 127.0.0.1
      • ::1
      • fe80::1
    • 8126/tcp: port for the APM Receiver

    • 17123/tcp: Agent forwarder, used to buffer traffic in case of network splits between the Agent and Datadog

    • 17124/tcp: optional graphite adapter

Using Proxies

For a detailed configuration guide on proxy setup, head over to Proxy Configuration.
