--- title: Cloud Network Monitoring Setup description: Collect your Network Data with the Agent. breadcrumbs: >- Docs > Network Monitoring > Cloud Network Monitoring > Cloud Network Monitoring Setup --- # Cloud Network Monitoring Setup Datadog Cloud Network Monitoring (CNM) gives you visibility into your network traffic between services, containers, availability zones, and any other tag in Datadog so you can: - Pinpoint unexpected or latent service dependencies. - Optimize costly cross-regional or multi-cloud communication. - Identify outages of cloud provider regions and third-party tools. - Troubleshoot faulty service discovery with DNS server metrics. Cloud Network Monitoring requires [Datadog Agent v6.14+](https://app.datadoghq.com/account/settings/agent/latest). Because metrics are automatically collected in higher versions of the Agent, see the [metrics setup section](https://docs.datadoghq.com/network_monitoring/dns/#setup) to configure DNS Monitoring. ## Supported platforms{% #supported-platforms %} ### Operating systems{% #operating-systems %} #### Linux OS{% #linux-os %} Data collection is done using eBPF, so Datadog minimally requires platforms that have underlying Linux kernel versions of 4.4.0+ or have eBPF features backported. CNM supports the following Linux distributions: - Ubuntu 16.04+ - Debian 9+ - Fedora 26+ - SUSE 15+ - Amazon AMI 2016.03+ - Amazon Linux 2 - CentOS/RHEL 7.6+ **Note:** There is an exception to the 4.4.0+ kernel requirement for [CentOS/RHEL 7.6+](https://www.redhat.com/en/blog/introduction-ebpf-red-hat-enterprise-linux-7). The [DNS Resolution](https://docs.datadoghq.com/network_monitoring/dns/) feature is not supported on CentOS/RHEL 7.6. #### Windows OS{% #windows-os %} Data collection is done using a network kernel device driver. Support is available as of Datadog Agent version 7.27.1, for Windows versions 2012 R2 (and equivalent desktop OSs, including Windows 10) and up. #### macOS{% #macos %} Datadog Cloud Network Monitoring does not support macOS platforms. ### Containers{% #containers %} CNM helps you visualize the architecture and performance of your containerized and orchestrated environments, with support for [Docker](https://docs.datadoghq.com/agent/docker/), [Kubernetes](https://docs.datadoghq.com/agent/kubernetes/), [ECS](https://docs.datadoghq.com/agent/amazon_ecs), and other container technologies. Datadog's container integrations enable you to aggregate traffic by meaningful entities–such as containers, tasks, pods, clusters, and deployments–with out-of-the-box tags such as `container_name`, `task_name`, and `kube_service`. ### Network routing tools{% #network-routing-tools %} #### Istio{% #istio %} With CNM, you can map network communication between containers, pods, and services over the Istio service mesh. Datadog monitors every aspect of your Istio environment, so you can also: - Assess the health of Envoy and the Istio control plane with [logs](https://docs.datadoghq.com/integrations/istio/). - Break down the performance of your service mesh with request, bandwidth, and resource consumption [metrics](https://docs.datadoghq.com/integrations/istio/). - Examine distributed traces for applications transacting over the mesh with [APM](https://docs.datadoghq.com/tracing/setup_overview/proxy_setup/?tab=istio). CNM supports Istio v1.6.4+ with [Datadog Agent v7.24.1+](https://app.datadoghq.com/account/settings/agent/latest). To learn more about monitoring your Istio environment with Datadog, [see the Istio blog](https://www.datadoghq.com/blog/istio-datadog/). #### Cilium{% #cilium %} Cloud Network Monitoring is compatible with **Cilium** installations, provided the following requirements are met: 1. Cilium version 1.6 and above, and 1. Kernel version 5.1.16 and above, or 4.19.57 and above for 4.19.x kernels ### Provisioning systems{% #provisioning-systems %} Cloud Network Monitoring supports use of the following provisioning systems: - Daemonset / Helm 1.38.11+: See the [Datadog Helm chart](https://github.com/DataDog/helm-charts/blob/master/charts/datadog/README.md#enabling-system-probe-collection) - Chef 12.7+: See the [Datadog Chef recipe](https://github.com/DataDog/chef-datadog) - Ansible 2.6+: See the [Datadog Ansible role](https://github.com/DataDog/ansible-datadog/blob/master/README.md#system-probe) ## Setup{% #setup %} Cloud Network Monitoring is designed to analyze traffic *between* network endpoints and map network dependencies. Datadog recommends installing CNM on a meaningful subset of your infrastructure and a ***minimum of 2 hosts*** to maximize value. {% tab title="Agent (Linux)" %} To enable Cloud Network Monitoring with the Datadog Agent, use the following configurations: 1. **If you are using an Agent older than v6.14**, enable [live process collection](https://docs.datadoghq.com/infrastructure/process/?tab=linuxwindows#installation) first, otherwise skip this step. 1. Copy the system-probe example configuration: ```shell sudo -u dd-agent install -m 0640 /etc/datadog-agent/system-probe.yaml.example /etc/datadog-agent/system-probe.yaml ``` 1. Edit `/etc/datadog-agent/system-probe.yaml` to set the enable flag to `true`: ```yaml network_config: # use system_probe_config for Agent's older than 7.24.1 ## @param enabled - boolean - optional - default: false ## Set to true to enable Cloud Network Monitoring. # enabled: true ``` **Optional**: To monitor DNS traffic on non-standard ports (Agent v7.76.0+), add the `dns_monitoring_ports` option: ```yaml network_config: enabled: true dns_monitoring_ports: - 53 - 5353 ``` 1. **If you are running an Agent older than v6.18 or 7.18**, manually start the system-probe and enable it to start on boot (since v6.18 and v7.18 the system-probe starts automatically when the Agent is started): ```shell sudo systemctl start datadog-agent-sysprobe sudo systemctl enable datadog-agent-sysprobe ``` **Note**: If the `systemctl` command is not available on your system, start it with following command instead: `sudo service datadog-agent-sysprobe start` and then set it up to start on boot before `datadog-agent` starts. 1. [Restart the Agent](https://docs.datadoghq.com/agent/configuration/agent-commands/#restart-the-agent). ```shell sudo systemctl restart datadog-agent ``` **Note**: If the `systemctl` command is not available on your system, run the following command instead: `sudo service datadog-agent restart` ### SELinux-enabled systems{% #selinux-enabled-systems %} On systems with SELinux enabled, the system-probe binary needs special permissions to use eBPF features. The Datadog Agent RPM package for CentOS-based systems bundles an [SELinux policy](https://github.com/DataDog/datadog-agent/blob/master/cmd/agent/selinux/system_probe_policy.te) to grant these permissions to the system-probe binary. If you need to use Cloud Network Monitoring on other systems with SELinux enabled, do the following: 1. Modify the base [SELinux policy](https://github.com/DataDog/datadog-agent/blob/master/cmd/agent/selinux/system_probe_policy.te) to match your SELinux configuration. Depending on your system, some types or attributes may not exist (or have different names). 1. Compile the policy into a module; assuming your policy file is named `system_probe_policy.te`: ```shell checkmodule -M -m -o system_probe_policy.mod system_probe_policy.te semodule_package -o system_probe_policy.pp -m system_probe_policy.mod ``` 1. Apply the module to your SELinux system: ```shell semodule -v -i system_probe_policy.pp ``` 1. Change the system-probe binary type to use the one defined in the policy; assuming your Agent installation directory is `/opt/datadog-agent`: ```shell semanage fcontext -a -t system_probe_t /opt/datadog-agent/embedded/bin/system-probe restorecon -v /opt/datadog-agent/embedded/bin/system-probe ``` 1. [Restart the Agent](https://docs.datadoghq.com/agent/configuration/agent-commands/#restart-the-agent). **Note**: these instructions require to have some SELinux utilities installed on the system (`checkmodule`, `semodule`, `semodule_package`, `semanage` and `restorecon`) that are available on most standard distributions (Ubuntu, Debian, RHEL, CentOS, SUSE). Check your distribution for details on how to install them. If these utilities do not exist in your distribution, follow the same procedure but using the utilities provided by your distribution instead. {% /tab %} {% tab title="Agent (Windows)" %} Data collection for Windows relies on a filter driver for collecting network data. To enable Cloud Network Monitoring for Windows hosts: 1. Install the [Datadog Agent](https://docs.datadoghq.com/agent/basic_agent_usage/windows/?tab=commandline) (version 7.27.1 or above) with the network driver component enabled. [DEPRECATED] *(version 7.44 or below)* During installation pass `ADDLOCAL="MainApplication,NPM"` to the `msiexec` command, or select "Cloud Network Monitoring" when running the Agent installation through the GUI. 1. Edit `C:\ProgramData\Datadog\system-probe.yaml` to set the enabled flag to `true`: ```yaml network_config: enabled: true ``` **Optional**: To monitor DNS traffic on non-standard ports (Agent v7.76.0+), add the `dns_monitoring_ports` option: ```yaml network_config: enabled: true dns_monitoring_ports: - 53 - 5353 ``` 1. [Restart the Agent](https://docs.datadoghq.com/agent/configuration/agent-commands/#restart-the-agent). For PowerShell (`powershell.exe`): ```shell restart-service -f datadogagent ``` For Command Prompt (`cmd.exe`): ```shell net /y stop datadogagent && net start datadogagent ``` **Note**: Cloud Network Monitoring monitors Windows hosts only, and not Windows containers. {% /tab %} {% tab title="Helm" %} To enable Cloud Network Monitoring with Kubernetes using Helm, add the below to your `values.yaml` file.**Note:** Helm chart v3.135.3+ is required. For more information, see the [Datadog Helm Chart documentation](https://github.com/DataDog/helm-charts/blob/main/charts/datadog/README.md#enabling-npm-collection). ```yaml datadog: ... networkMonitoring: enabled: true ``` **Optional**: To monitor DNS traffic on non-standard ports (Agent v7.76.0+), add the `dnsMonitoringPorts` option: ```yaml datadog: networkMonitoring: enabled: true dnsMonitoringPorts: - 53 - 5353 ``` You may require one of the following additional steps depending on your environment: {% collapsible-section %} #### Google GKE Autopilot If your cluster is running Google's GKE Autopilot, add the following to your values file: ``` providers: gke: autopilot: true ``` {% /collapsible-section %} {% collapsible-section %} #### Google Container-Optimized OS (COS) If your cluster is running Google Container-Optimized OS (COS), add the following to your values file: ``` providers: gke: cos: true ``` {% /collapsible-section %} {% collapsible-section %} #### Bottlerocket Linux If your cluster is using the Bottlerocket Linux distribution for its nodes, add the following to your values file: ``` agents: containers: systemProbe: securityContext: seLinuxOptions: user: "system_u" role: "system_r" type: "super_t" level: "s0" ``` {% /collapsible-section %} {% /tab %} {% tab title="Kubernetes without Helm" %} If you are not using Helm, you can enable Cloud Network Monitoring with Kubernetes from scratch: 1. Download the [datadog-agent.yaml manifest](https://docs.datadoghq.com/resources/yaml/datadog-agent-npm.yaml) template. 1. Replace `` with your [Datadog API key](https://app.datadoghq.com/organization-settings/api-keys). 1. Optional - **Set your Datadog site**. If you are using the Datadog EU site, set the `DD_SITE` environment variable to `datadoghq.eu` in the `datadog-agent.yaml` manifest. 1. **Deploy the DaemonSet** with the command: ```shell kubectl apply -f datadog-agent.yaml ``` If you already have the [Agent running with a manifest](https://docs.datadoghq.com/agent/kubernetes/): 1. For Kubernetes versions below `1.30`, add the annotation `container.apparmor.security.beta.kubernetes.io/system-probe: unconfined` on the `datadog-agent` template: ```yaml spec: selector: matchLabels: app: datadog-agent template: metadata: labels: app: datadog-agent name: datadog-agent annotations: container.apparmor.security.beta.kubernetes.io/system-probe: unconfined ``` For Kubernetes versions `1.30+`, add the following `securityContext` on the `datadog-agent` template: ```yaml spec: selector: matchLabels: app: datadog-agent template: metadata: labels: app: datadog-agent name: datadog-agent spec: serviceAccountName: datadog-agent securityContext: appArmorProfile: type: Unconfined containers: # (...) ``` 1. Enable process collection and the system probe with the following environment variables in the Agent DaemonSet. If you are running a container per Agent process, add the following environment variables to the Process Agent container; otherwise, add them to the Agent container. ```yaml # (...) env: # (...) - name: DD_PROCESS_AGENT_ENABLED value: 'true' - name: DD_SYSTEM_PROBE_ENABLED value: 'true' - name: DD_SYSTEM_PROBE_EXTERNAL value: 'true' - name: DD_SYSPROBE_SOCKET value: /var/run/sysprobe/sysprobe.sock - name: DD_AUTH_TOKEN_FILE_PATH value: /etc/datadog-agent/auth/token ``` 1. Mount the following extra volumes into the `datadog-agent` container: ```yaml # (...) spec: serviceAccountName: datadog-agent containers: - name: datadog-agent image: 'registry.datadoghq.com/agent:latest' # (...) volumeMounts: - name: procdir mountPath: /host/proc readOnly: true - name: cgroups mountPath: /host/sys/fs/cgroup readOnly: true - name: debugfs mountPath: /sys/kernel/debug - name: sysprobe-socket-dir mountPath: /var/run/sysprobe - name: auth-token mountPath: /etc/datadog-agent/auth readOnly: false # needs RW to write auth token ``` 1. Add a new system-probe as a side car to the Agent: ```yaml # (...) spec: serviceAccountName: datadog-agent containers: - name: datadog-agent image: 'registry.datadoghq.com/agent:latest' # (...) - name: system-probe image: 'registry.datadoghq.com/agent:latest' imagePullPolicy: Always securityContext: capabilities: add: - SYS_ADMIN - SYS_RESOURCE - SYS_PTRACE - NET_ADMIN - NET_BROADCAST - NET_RAW - IPC_LOCK - CHOWN command: - /opt/datadog-agent/embedded/bin/system-probe env: - name: DD_SYSTEM_PROBE_ENABLED value: 'true' - name: DD_SYSPROBE_SOCKET value: /var/run/sysprobe/sysprobe.sock - name: DD_AUTH_TOKEN_FILE_PATH value: /etc/datadog-agent/auth/token resources: requests: memory: 150Mi cpu: 200m limits: memory: 300Mi cpu: 400m volumeMounts: - name: procdir mountPath: /host/proc readOnly: true - name: cgroups mountPath: /host/sys/fs/cgroup readOnly: true - name: debugfs mountPath: /sys/kernel/debug - name: sysprobe-socket-dir mountPath: /var/run/sysprobe - name: auth-token mountPath: /etc/datadog-agent/auth readOnly: true ``` 1. Finally, add the following volumes to your manifest: ```yaml volumes: - name: debugfs hostPath: path: /sys/kernel/debug - name: sysprobe-socket-dir emptyDir: { } - name: auth-token emptyDir: { } ``` {% /tab %} {% tab title="Operator" %} [The Datadog Operator](https://docs.datadoghq.com/containers/datadog_operator) simplifies deploying the Datadog Agent on Kubernetes and OpenShift. It provides deployment status, health, and error reporting through its Custom Resource status, while reducing the risk of misconfiguration with higher-level configuration options. To enable Cloud Network Monitoring on the Datadog Operator, use the following configuration: ```yaml apiVersion: datadoghq.com/v2alpha1 metadata: name: placeholder namespace: placeholder spec: features: npm: enabled: true ``` {% /tab %} {% tab title="Docker" %} To enable Cloud Network Monitoring in Docker, use the following configuration when starting the container Agent: ```shell docker run --cgroupns host \ --pid host \ -e DD_API_KEY="" \ -e DD_SYSTEM_PROBE_NETWORK_ENABLED=true \ -e DD_PROCESS_AGENT_ENABLED=true \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ -v /proc/:/host/proc/:ro \ -v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \ -v /sys/kernel/debug:/sys/kernel/debug \ --security-opt apparmor:unconfined \ --cap-add=SYS_ADMIN \ --cap-add=SYS_RESOURCE \ --cap-add=SYS_PTRACE \ --cap-add=NET_ADMIN \ --cap-add=NET_BROADCAST \ --cap-add=NET_RAW \ --cap-add=IPC_LOCK \ --cap-add=CHOWN \ registry.datadoghq.com/agent:latest ``` Replace `` with your [Datadog API key](https://app.datadoghq.com/organization-settings/api-keys). If using `docker-compose`, make the following additions to the Datadog Agent service. ```shell version: '3' services: datadog: image: "registry.datadoghq.com/agent:latest" environment: - DD_SYSTEM_PROBE_NETWORK_ENABLED=true - DD_PROCESS_AGENT_ENABLED=true - DD_API_KEY= volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - /proc/:/host/proc/:ro - /sys/fs/cgroup/:/host/sys/fs/cgroup:ro - /sys/kernel/debug:/sys/kernel/debug cap_add: - SYS_ADMIN - SYS_RESOURCE - SYS_PTRACE - NET_ADMIN - NET_BROADCAST - NET_RAW - IPC_LOCK - CHOWN security_opt: - apparmor:unconfined ``` {% /tab %} {% tab title="ECS" %} To set up CNM on Amazon ECS, see the [Amazon ECS](https://docs.datadoghq.com/agent/amazon_ecs/#network-performance-monitoring-collection-linux-only) documentation page. {% /tab %} {% tab title="ECS Fargate" %} {% alert level="info" %} ECS Fargate for CNM is in Preview. Reach out to your Datadog representative to sign up. {% /alert %} To enable Cloud Network Monitoring on ECS Fargate, use the following instructions: **Requires Agent version `7.58` or higher**. - For a new Fargate deployment, configure the Datadog Agent to monitor Fargate on ECS by enabling [process collection](https://docs.datadoghq.com/integrations/ecs_fargate/?tab=webui#process-collection) on your Fargate hosts. - For existing deployments, update your `task.json` file to include the following configuration settings: ```json { "containerDefinitions": [ (...) "environment": [ (...) { "name": "DD_SYSTEM_PROBE_NETWORK_ENABLED", "value": "true" }, { "name": "DD_NETWORK_CONFIG_ENABLE_EBPFLESS", "value": "true" }, { "name": "DD_PROCESS_AGENT_ENABLED", "value": "true" } ], "linuxParameters": { "capabilities": { "add": [ "SYS_PTRACE" ] } }, ], } ``` {% /tab %} {% callout %} # Important note for users on the following Datadog sites: app.datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, app.datadoghq.eu ### Enhanced resolution{% #enhanced-resolution %} Optionally, enable resource collection for cloud integrations to allow Cloud Network Monitoring to discover cloud-managed entities. - Install the [Azure integration](https://docs.datadoghq.com/integrations/azure) for visibility into Azure load balancers and application gateways. - Install the [AWS Integration](https://docs.datadoghq.com/integrations/amazon_web_services/#resource-collection) for visibility into AWS Load Balancer. **you must enable ENI and EC2 metric collection** For additional information around these capabilities, see [Cloud service enhanced resolution](https://docs.datadoghq.com/network_monitoring/cloud_network_monitoring/network_analytics/#cloud-service-enhanced-resolution). {% /callout %} ### Failed connections{% #failed-connections %} Failed Connections allows collection and reporting of TCP failures including [resets, refusals, and timeouts](https://docs.datadoghq.com/network_monitoring/cloud_network_monitoring/network_analytics/?tab=loadbalancers#tcp). This feature is enabled by default in Agent version `7.59+`, and it is accessible on the [CNM Analytics](https://app.datadoghq.com/network) page in the **Customize** menu by turning on the **Failures** toggle. **Note**: If some Agents in your infrastructure are running a version earlier than `7.59`, you might encounter failures being under-reported. CNM advises maintaining the same Agent version across *all* hosts. {% image source="https://datadog-docs.imgix.net/images/network_performance_monitoring/setup/cnm_tcp_failures_toggle.ff74a865702da66aeaf5be45f988c1c8.png?auto=format" alt="Screenshot of the CNM customize menu, highlighting the Failures toggle" /%} ## Further Reading{% #further-reading %} - [Cloud Network Monitoring](https://www.datadoghq.com/blog/network-performance-monitoring) - [Datadog CNM with containers and service-meshed networks](https://www.datadoghq.com/blog/monitor-containers-with-npm/) - [Network Device Monitoring](https://docs.datadoghq.com/network_monitoring/devices) - [Datadog CNM now supports Consul networking](https://www.datadoghq.com/blog/monitor-consul-with-datadog-npm/) - [How Datadog Cloud Network Monitoring helps you move to a deny-by-default network egress policy at scale](https://www.datadoghq.com/blog/cnm-kubernetes-egress/) - [CNM Terms and Concepts](https://docs.datadoghq.com/network_monitoring/cloud_network_monitoring/glossary)