This list is current. Networks, IPs, domains, ports, and endpoints last updated May 1, 2023.
This is a list of the networks, IP addresses, domains, ports, and endpoints used by API clients or agents to communicate with New Relic. TLS is required for all domains.
Tip
This doc provides information for ensuring our integrations can access New Relic domains. To monitor the performance of your network, see Get started with network performance monitoring.
TLS encryption
To ensure data security for our customers and to be in compliance with FedRAMP and other standards for data encryption, all inbound connections for all domains require Transport Layer Security (TLS) 1.2 or above. For more information, see our Support Forum post about TLS 1.2.
For future updates to required and supported protocol versions, follow the Security Notifications tag in New Relic's Support Forum.
User-facing domains
Your browser must be able to communicate with a number of domains for New Relic to work properly. Update your allow list to ensure New Relic can communicate with a number of integral domains listed in this section. Blocking domains can cause issues with individual product features or prevent pages from loading altogether.
This list doesn't cover domains that New Relic connects to that can be blocked without affecting your usage of the product. It also doesn't cover Nerdpacks or other features that communicate with external services that have additional domain requirements.
If your organization uses a firewall that restricts outbound traffic, follow the specific procedures for the operating system and the firewall you use to add the following domains to the allow list.
Domain | Description |
---|---|
| New Relic and supporting services |
| Static New Relic assets |
| New Relic Nerdpacks and assets |
| New Relic catalog assets behind AWS S3 |
| Static New Relic assets behind AWS CloudFront CDN |
| Support for Gravatar avatars |
| Support for Google Fonts |
| Support for Google Fonts |
| Support for reCAPTCHA |
| Support for reCAPTCHA |
| OpenTelemetry and Pixie |
| New Relic sharing permalinks |
| Synthetics code editor autocompletion functionality |
Data ingest endpoints
This table contains endpoints for data ingested to New Relic accounts. For more detail about specific agents and integrations, keep reading below the ingest tables.
US data center ingest endpoints
These are the default ingest endpoints unless you're using our EU data center region endpoints. For port details, see Ports.
Endpoint | Purpose and notes |
---|---|
| |
| Browser ingest. Recommended browser endpoint. |
| Browser ingest. Available if needed for older US region accounts that use the copy/paste method for browser monitoring. |
| Ingest for AWS VPC Flow Logs and RDS Enhanced. |
| APM agent ingest. |
| |
| |
| Our Log API, used by various agents and integrations. |
| Our Metric API for dimensional metrics, used by various agents and integrations. |
| |
| |
| OpenTelemetry ingest. Configure using the quick start guide with your account license key in the |
|
EU data center ingest endpoints
Here are data ingest endpoints for our EU data center region. For port details, see Ports.
Endpoint | Purpose and notes |
---|---|
| |
| |
| Browser ingest (recommended for browser). |
| Ingest for AWS VPC Flow Logs and RDS Enhanced. |
| APM agent ingest. |
| APM agent ingest. |
| |
| |
| |
| |
| Our Log API, used by various agents and integrations. |
| Our Metric API for dimensional metrics, used by various agents and integrations. |
| |
| |
| OpenTelemetry ingest. Configure using the quick start guide with your account license key in the |
|
FedRAMP ingest endpoints
See FedRAMP endpoints.
Port details
For all data ingest applications, with the exception of OpenTelemetry, use port 443, a secure channel for encrypted HTTPS traffic and our default.
If you have an existing configuration that uses port 80, we recommend updating it to use 443.
OpenTelemetry ports
The ports used for otlp.nr-data.net and otlp.eu01.nr-data.net are:
- 443
- 4317 (HTTP/2)
- 4318 (HTTP/1.1)
Data ingest IP blocks
New Relic uses these blocks for data ingestion:
- US data center endpoints: 162.247.240.0/22
- EU data center endpoints: 185.221.84.0/22
Agent downloads
TLS is required for all domains. Service for download.newrelic.com is provided through Fastly and is subject to change without warning. For the most current list of public IP addresses for New Relic agent downloads, see api.fastly.com/public-ip-list.
Infrastructure details
In order to report data to New Relic, our infrastructure monitoring needs outbound access to endpoints in the endpoints table. TLS is required for all domains.
If your system needs a proxy to connect to New Relic, use the Infrastructure proxy setting.
Our infrastructure monitoring makes use of several other ingest endpoints, including the Metric API endpoint and the Log API endpoint (included in the endpoint table). It also uses these non-ingest-related endpoints:
- identity-api.newrelic.com: Required for entity registration (for example, a host entity). EU endpoint: identity-api.eu.newrelic.com.
- infrastructure-command-api.newrelic.com: Used by the agent to control aspects of agent behavior (for example, use of feature flags). EU endpoint: infrastructure-command-api.eu.newrelic.com.
APM agent details
To enhance network performance and data security, New Relic uses a CDN and DDoS prevention service with a large IP range. New Relic agents require your firewall to allow outgoing connections to the following networks and ports. To add the IP connections to your allow list, follow the specific procedures for the operating system and the firewall you use.
TLS is required for all domains.
Browser monitoring details
In addition to the endpoints used by our browser agent and our APM agents, applications monitored by our browser agent use outgoing connections to js-agent.newrelic.com.
For more information about CDN access for the js-agent.newrelic.com file to the domain bam.nr-data.net or to one of the New Relic beacons, see Security for browser monitoring.
TLS is required for all domains.
Mobile monitoring details
In addition to the ingest endpoints, apps monitored by our mobile agents use outgoing connections to mobile-symbol-upload.newrelic.com (EU endpoint: mobile-symbol-upload.eu01.nr-data.net).
TLS is required for all domains.
Security data endpoints
See Security data API.
Synthetic monitors
Public locations
To configure your firewall to allow synthetic monitors to access your monitored URL, use Synthetic public minion IPs. TLS is required for all domains.
Private locations
Synthetic private minions report to a specific endpoint based on region. To allow the private minion to access the endpoint or the static IP addresses associated with the endpoint, follow the specific procedures for the operating system and the firewall you use. These IP addresses may change in the future.
TLS is required for all domains. Use the IP connections for account data in the US or EU region as appropriate:
IP connections | Synthetics private location data |
---|---|
Endpoint | For US region accounts:
|
IP addresses | For US data center region accounts:
|
Alerts webhooks, api.newrelic.com, cloud integrations, and ticketing integrations
Endpoints that use api.newrelic.com (such as our NerdGraph API) and our New Relic-generated webhooks for alert policies use an IP address from designated network blocks for the US or EU region. TLS is required for all addresses in these blocks.
Network blocks for US region accounts:
- 162.247.240.0/22 (Private Data Center)
- 18.246.82.0/25 (AWS, US-WEST-2, effective July 1st, 2023)
- 3.145.244.128/25 (AWS, US-EAST-2, effective July 1st, 2023)
Network blocks for EU region accounts:
- 158.177.65.64/29 (Private Data Center)
- 159.122.103.184/29 (Private Data Center)
- 161.156.125.32/28 (Private Data Center)
- 3.77.79.0/25 (AWS, EU-CENTRAL-1, effective July 1st, 2023)
These network blocks also apply to third-party ticketing integrations and New Relic cloud integrations. However, they don't apply to the Azure Monitor integration.
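One way a webhook receiver can audit inbound requests against the network blocks listed above, as an added example that is not New Relic code. The log format, the function names, and reading "effective July 1st, 2023" as a not-before date are assumptions of this example.

```python
import ipaddress
from datetime import date

# Network blocks copied from the lists above: (CIDR, region, effective-from or None).
# Assumption: an "effective" date means the block is not expected before that day.
NEW_RELIC_BLOCKS = [
    ("162.247.240.0/22", "US", None),
    ("18.246.82.0/25", "US", date(2023, 7, 1)),
    ("3.145.244.128/25", "US", date(2023, 7, 1)),
    ("158.177.65.64/29", "EU", None),
    ("159.122.103.184/29", "EU", None),
    ("161.156.125.32/28", "EU", None),
    ("3.77.79.0/25", "EU", date(2023, 7, 1)),
]
_PARSED = [(ipaddress.ip_network(c), r, d) for c, r, d in NEW_RELIC_BLOCKS]

def match_block(source_ip, seen_on):
    """Return (cidr, region) if source_ip is in a block in effect on seen_on, else None."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None  # malformed address in the log: treat as not matching
    for net, region, effective in _PARSED:
        if addr in net and (effective is None or seen_on >= effective):
            return (str(net), region)
    return None

def audit_webhook_log(lines, expected_region):
    """Return log entries whose source is outside the expected region's blocks."""
    findings = []
    for line in lines:
        day, source_ip, path = line.split()
        hit = match_block(source_ip, date.fromisoformat(day))
        if hit is None or hit[1] != expected_region:
            findings.append((day, source_ip, path))
    return findings

# Constructed sample: "<date> <source ip> <request path>" for a webhook receiver.
SAMPLE_LOG = [
    "2023-07-03 162.247.241.17 /hooks/newrelic",  # US private data center block
    "2023-06-15 18.246.82.40 /hooks/newrelic",    # AWS block, before its effective date
    "2023-07-03 18.246.82.40 /hooks/newrelic",    # AWS block, in effect
    "2023-07-03 158.177.65.66 /hooks/newrelic",   # EU block, unexpected for a US account
    "2023-07-03 203.0.113.9 /hooks/newrelic",     # documentation range, not New Relic
]

if __name__ == "__main__":
    for finding in audit_webhook_log(SAMPLE_LOG, "US"):
        print("unexpected source:", *finding)
```

A source-address match only narrows where a request came from; it complements, rather than replaces, whatever authentication the receiver applies to the webhook itself.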
Pixie integration
The Pixie integration runs in your Kubernetes cluster and pulls a set of curated observability data from Pixie to send it to New Relic using the OpenTelemetry Protocol (OTLP).
The Pixie integration requires outbound network access to the following:
- work.withpixie.ai:443
- withpixie.ai:443
- otlp.nr-data.net:4317 (US data center accounts)
- otlp.eu01.nr-data.net:4317 (EU data center accounts)
Tip
If the 4317 port doesn't work, you can use port 443.
The Pixie community project uses container images hosted in Google Container Registry. Ensure your cluster can pull images from gcr.io.
CodeStream
New Relic CodeStream is a developer collaboration platform that enables your development team to discuss and review code in a natural and contextual way.
It uses the following domains:
- api.codestream.com
- *.pubnub.com
- *.pubnub.net
- *.pndsn.com
- *.pubnub.io