The Service Map for APM is here!

Network Traffic

Traffic is always initiated by the Agent to Datadog. No sessions are ever initiated from Datadog back to the Agent:

  • All traffic is sent over SSL
  • The destination for APM data is trace.agent.datadoghq.com
  • The destination for Live Containers data is process.datadoghq.com
  • The destination for Logs data is intake.logs.datadoghq.com
  • The destination for all other Agent data is
    • Agents < 5.2.0 app.datadoghq.com
    • Agents >= 5.2.0 <version>-app.agent.datadoghq.com

This decision was taken after the POODLE problem, now versioned endpoints start with Agent 5.2.0, i.e. each version of the Agent hits a different endpoint based on the version of the Forwarder.

  • i.e. Agent 5.2.0 hits 5-2-0-app.agent.datadoghq.com

As a consequence whitelist *.agent.datadoghq.com in your firewalls.

These domains are CNAME records pointing to a set of static IP addresses, these addresses can be found at:

The information is structured as JSON following this schema:

{
    "version": 1,                       // <-- we increment this every time the information is changed
    "modified": "YYYY-MM-DD-HH-MM-SS",  // <-- the timestamp of the last modification
    "agents": {                         // <-- in this section the IPs used by the agent to submit metrics to Datadog
        "prefixes_ipv4": [              // <-- a list of IPv4 CIDR blocks
            "a.b.c.d/x",
            ...
        ],
        "prefixes_ipv6": [              // <-- a list of IPv6 CIDR blocks
            ...
        ]
    },
    "apm": {...},                       // <-- same structure as "agents" but IPs used for the APM agent data
    "logs": {...},                      // <-- same for the logs agent data
    "process": {...},                   // <-- same for the process agent data
    "api": {...},                       // <-- not relevant for agent traffic (submitting data via API)
    "webhooks": {...}                   // <-- not relevant for agent traffic (Datadog source IPs delivering webhooks)
}

If you are interested by only one of the sections of this document, for each section there is also a dedicated endpoint at https://ip-ranges.datadoghq.com/<section>.json, for instance:

Open Ports

All traffic is sent (outbound only) over SSL via TCP.

Open the following ports in order to benefit from all the Agent functionalities:

Agent v6

Agent v4 and v5

  • Outbound

  • Inbound

    • 8125/udp: dogstatsd. Unless dogstatsd_non_local_traffic is set to true. This port is available on localhost:

      • 127.0.0.1
      • ::1
      • fe80::1
    • 8126/tcp: port for the APM Receiver

    • 17123/tcp: Agent forwarder, used to buffer traffic in case of network splits between the Agent and Datadog

    • 17124/tcp: optional graphite adapter

Using Proxies

For a detailed configuration guide on proxy setup, head over to Proxy Configuration.

Further Reading