VOOZH about

URL: https://docs.datadoghq.com/agent/configuration/network/

⇱ Network Traffic

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/agent/configuration/network.md. A documentation index is available at /llms.txt.

Network Traffic

Overview

Traffic is always initiated by the Agent to Datadog. No sessions are ever initiated from Datadog back to the Agent.

All Agent traffic is sent over SSL. The destination is dependent on the Datadog service and site. To see destinations based on your Datadog site, click the DATADOG SITE selector on the right.

Installation

Add the following domains to your inclusion list to allow for Agent installation:

  • install.datadoghq.com
  • yum.datadoghq.com
  • keys.datadoghq.com
  • apt.datadoghq.com
  • windows-agent.datadoghq.com

Destinations

Starting with version 7.67.0, the Agent converts Datadog sites to fully qualified domain names (by adding a dot at the end of the domain) to reduce the number of DNS queries. For example, it sends APM payloads to trace.agent.datadoghq.com..
This behavior can be disabled in version 7.72.0 and later by setting convert_dd_site_fqdn.enabled to false in the configuration, or with the environment variable DD_CONVERT_DD_SITE_FQDN_ENABLED=false.
APM
trace.agent.
instrumentation-telemetry-intake.
LLM Observabilty
llmobs-intake.
Container Images
contimage-intake.
Live Containers, Live Process, Cloud Network Monitoring, Universal Service Monitoring
process.
Network Device Monitoring
ndm-intake.
snmp-traps-intake.
ndmflow-intake.
Network Path
netpath-intake.
In Agent v7.75+, Network Path contacts external services over HTTPS to resolve the source host’s public IP. This is optional and Network Path functions without it, but if your network restricts outbound traffic and you want source public IP resolution, add the following to your allowlist: icanhazip.com, ipinfo.io, checkip.amazonaws.com, api.ipify.org, whatismyip.akamai.com. See Network Path Setup for details.
Orchestrator
orchestrator.
contlcycle-intake.
Profiling
intake.profile.
Real User Monitoring (RUM)
Cloud Security Vulnerabilities
sbom-intake.
Synthetic Monitoring Private Locations
Synthetics Worker v1.5.0 or later: intake.synthetics. is the only endpoint you need to configure.
API test results for the Synthetics Worker > v0.1.6: intake.synthetics.
Browser test results for the Synthetics Worker > v0.2.0: intake-v2.synthetics.
API test results for the Synthetics Worker < v0.1.5: api.
Remote Configuration
config.
Database Monitoring
dbm-metrics-intake.
dbquery-intake.
TCP log collection is not supported. Datadog provides no delivery or reliability guarantees when using TCP, and log data may be lost without notice. For reliable ingestion, use the HTTP intake endpoint, an official Datadog Agent, or forwarder integration instead. For more information, see Log Collection.
Logs & HIPAA logs
(Deprecated) TCP:
HTTP:
Other: See logs endpoints
HIPAA logs legacy (Deprecated, TCP not supported)
Metrics, Service Checks, Events, and other Agent metadata
<VERSION>-app.agent.
For example, Agent v7.31.0 reports to 7-31-0-app.agent.. You must add *.agent. to your inclusion list in your firewall(s).
Since v6.1.0, the Agent also queries Datadog’s API to provide non-critical functionality (For example, display validity of configured API key):
Agent v7.18.0 or 6.18.0 and later: api.
Agent < v7.18.0 or 6.18.0: app.
Agent flare
<VERSION>-flare.agent.
For example, Agent v7.31.0 sends flare data to 7-31-0-flare.agent.. You must add *.agent. to your inclusion list in your firewall(s).

Static IP addresses

All of these domains are CNAME records pointing to a set of static IP addresses. These addresses can be found at https://ip-ranges..

The information is structured as JSON following this schema:

{
 "version": 1, // <-- incremented every time this information is changed
 "modified": "YYYY-MM-DD-HH-MM-SS", // <-- timestamp of the last modification
 "agents": { // <-- the IPs used by the Agent to submit metrics to Datadog
 "prefixes_ipv4": [ // <-- list of IPv4 CIDR blocks
 "a.b.c.d/x",
 ...
 ],
 "prefixes_ipv6": [ // <-- list of IPv6 CIDR blocks
 ...
 ]
 },
 "api": {...}, // <-- the IPs used by the Agent for non-critical functionality (querying information from API)
 "apm": {...}, // <-- the IPs used by the Agent to submit APM data to Datadog
 "logs": {...}, // <-- the IPs used by the Agent to submit logs to Datadog
 "process": {...}, // <-- the IPs used by the Agent to submit process data to Datadog
 "orchestrator": {...}, // <-- the IPs used by the Agent to submit container data to Datadog
 "remote-configuration": {...}, // <-- the IPs used by the Agent to retrieve its dynamic configuration
 "synthetics": {...}, // <-- the source IPs used by Synthetic workers (not used by the Agent)
 "synthetics-private-locations": {...}, // <-- the IPs used by Synthetics Private Locations workers to submit data to Datadog (not used by the Agent)
 "webhooks": {...} // <-- the source IPs used by Datadog to connect to 3rd party infrastructure over HTTP (not used by the Agent)
}

Each section has a dedicated endpoint, for example:

  • https://ip-ranges./logs.json for the IPs used to receive logs data over TCP.
  • https://ip-ranges./apm.json for the IPs used to receive APM data.

Inclusion

Add all of the ip-ranges to your inclusion list. While only a subset are active at any given moment, there are variations over time within the entire set due to regular network operation and maintenance.

Open ports

All outbound traffic is sent over SSL through TCP or UDP.

Ensure the Agent is only accessible by your applications or trusted network sources using a firewall rule or similar network restriction. Untrusted access can allow malicious actors to perform several invasive actions, including but not limited to writing traces and metrics to your Datadog account, or obtaining information about your configuration and services.

Open the following ports to benefit from all the Agent functionalities:

Outbound

Product/FunctionalityPortProtocolDescription
Agent
APM
Containers
Live Processes
Metrics
Cloud Network Monitoring
Universal Service Monitoring		443TCPMost Agent data uses port 443.
Custom Agent Autoscaling8443TCP
Log collection(Deprecated) TCPLogging over TCP.
Note:TCP log collection is not supported. Datadog provides no delivery or reliability guarantees when using TCP, and log data may be lost without notice. For reliable ingestion, use the HTTP intake endpoint, an official Datadog Agent, or forwarder integration instead. For other connection types, see logs endpoints.
NTP123UDPNetwork Time Protocol (NTP). See default NTP targets.
For information on troubleshooting NTP, see NTP issues.
Connectivity test8042TCPRemote configuration connectivity test.
Note: this is a telemetry endpoint containing no customer data for protocol development, and is only used when Remote Config is enabled.
Product/FunctionalityPortProtocolDescription
Agent
APM
Containers
Live Processes
Metrics
Cloud Network Monitoring
Universal Service Monitoring		443TCPMost Agent data uses port 443.
NTP123UDPNetwork Time Protocol (NTP). See default NTP targets.
For information on troubleshooting NTP, see NTP issues.

Inbound

Used for Agent services communicating with each other locally within the host only.

Product/FunctionalityPortProtocolDescription
Agent browser GUI5002TCP
APM receiver8126TCPIncludes Tracing and the Profiler.
DogStatsD8125UDPPort for DogStatsD unless dogstatsd_non_local_traffic is set to true. This port is available on IPv4 localhost: 127.0.0.1.
go_expvar server (APM)5012TCPFor more information, see the go_expar integration documentation.
go_expvar integration server5000TCPFor more information, see the go_expar integration documentation.
IPC API5001TCPPort used for Inter Process Communication (IPC).
Process Agent debug6062TCPDebug endpoints for the Process Agent.
Process Agent runtime6162TCPRuntime configuration settings for the Process Agent.

Configure ports

If you need to change an inbound port because the default port is already in use by an existing service on your network, edit the datadog.yaml configuration file. You can find most of the ports in the Advanced Configuration section of the file:

datadog.yaml

## @param expvar_port - integer - optional - default: 5000## @env DD_EXPVAR_PORT - integer - optional - default: 5000## The port for the go_expvar server.## expvar_port: 5000## @param cmd_port - integer - optional - default: 5001## @env DD_CMD_PORT - integer - optional - default: 5001## The port on which the IPC api listens.## cmd_port: 5001## @param GUI_port - integer - optional## @env DD_GUI_PORT - integer - optional## The port for the browser GUI to be served.## Setting 'GUI_port: -1' turns off the GUI completely## Default is:## * Windows & macOS : `5002`## * Linux: `-1`#### GUI_port: <GUI_PORT>

The APM receiver and the DogStatsD ports are located in the Trace Collection Configuration and DogStatsD Configuration sections of the datadog.yaml configuration file, respectively:

datadog.yaml

## @param dogstatsd_port - integer - optional - default: 8125## @env DD_DOGSTATSD_PORT - integer - optional - default: 8125## Override the Agent DogStatsD port.## Note: Make sure your client is sending to the same UDP port.## dogstatsd_port: 8125[...]## @param receiver_port - integer - optional - default: 8126## @env DD_APM_RECEIVER_PORT - integer - optional - default: 8126## The port that the trace receiver should listen on.## Set to 0 to disable the HTTP receiver.## receiver_port: 8126
If you change the DogStatsD port or APM receiver port value here, you must also change the Datadog SDK configuration for the corresponding port. See the information about configuring ports in the Library Configuration docs for your language.

Using proxies

For a detailed configuration guide on proxy setup, see Agent Proxy Configuration.

Data buffering

If the network becomes unavailable, the Agent stores the metrics in memory. The maximum memory usage for storing the metrics is defined by the forwarder_retry_queue_payloads_max_size configuration setting. When this limit is reached, the metrics are dropped.

Agent v7.27.0 or later stores the metrics on disk when the memory limit is reached. Enable this capability by setting forwarder_storage_max_size_in_bytes to a positive value indicating the maximum amount of storage space, in bytes, that the Agent can use to store the metrics on disk.

The metrics are stored in the folder defined by the forwarder_storage_path setting, which is by default /opt/datadog-agent/run/transactions_to_retry on Unix systems, and C:\ProgramData\Datadog\run\transactions_to_retry on Windows.

To avoid running out of storage space, the Agent stores the metrics on disk only if the total storage space used is less than 80 percent. This limit is defined by forwarder_storage_max_disk_ratio setting.

Installing the Datadog Operator

If you are installing the Datadog Operator in a Kubernetes environment with limited connectivity, you need to allowlist the following endpoints for TCP port 443, based on your registry:

  • registry.datadoghq.com (Datadog Container Registry)
    • us-docker.pkg.dev/datadog-prod/public-images (may receive redirects from registry.datadoghq.com)
  • gcr.io/datadoghq (GCR US)
  • eu.gcr.io/datadoghq (GCR Europe)
  • asia.gcr.io/datadoghq (GCR Asia)
  • datadoghq.azurecr.io (Azure)
  • public.ecr.aws/datadog (AWS)
  • docker.io/datadog (DockerHub)

Further Reading