• English日本語한국어
  • Log inStart now

New Relic network traffic

This list is current. Networks, IPs, domains, ports, and endpoints last updated May 1, 2023.

This is a list of the networks, IP addresses, domains, ports, and endpoints used by API clients or agents to communicate with New Relic. TLS is required for all domains.

Tip

This doc provides information for ensuring our integrations can access New Relic domains. To monitor the performance of your network, see Get started with network performance monitoring.

TLS encryption

To ensure data security for our customers and to be in compliance with FedRAMP and other standards for data encryption, all inbound connections for all domains require Transport Layer Security (TLS) 1.2 or above. For more information, see our Support Forum post about TLS 1.2.

For future updates to required and supported protocol versions, follow the Security Notifications tag in New Relic's Support Forum.

User-facing domains

Your browser must be able to communicate with a number of domains for New Relic to work properly. Update your allow list to ensure New Relic can communicate with a number of integral domains listed in this section. Blocking domains can cause issues with individual product features or prevent pages from loading altogether.

This list doesn't cover domains that New Relic connects to that can be blocked without affecting your usage of the product. It also doesn't cover Nerdpacks or other features that communicate with external services that have additional domain requirements.

If your organization uses a firewall that restricts outbound traffic, follow the specific procedures for the operating system and the firewall you use to add the following domains to the allow list.

Domain

Description

\*.newrelic.com

New Relic and supporting services

\*.nr-assets.net

Static New Relic assets

\*.nr-ext.net

New Relic Nerdpacks and assets

\*.amazonaws.com

New Relic catalog assets behind AWS S3

\*.cloudfront.net

Static New Relic assets behind AWS CloudFront CDN

secure.gravatar.com

Support for Gravatar avatars

fonts.googleapis.com

Support for Google Fonts

fonts.gstatic.com

Support for Google Fonts

[www.google.com](http://www.google.com)

Support for reCAPTCHA

[www.gstatic.com](http://www.gstatic.com)

Support for reCAPTCHA

\*.nr-data.net

OpenTelemetry and Pixie

onenr.io

New Relic sharing permalinks

\*.typescript.azureedge.net

Synthetics code editor autocompletion functionality

Data ingest endpoints

This table contains endpoints for data ingested to New Relic accounts. For more detail about specific agents and integrations, keep reading below the ingest tables.

US data center ingest endpoints

These are the default ingest endpoints unless you're using our EU data center region endpoints. For port details, see Ports.

Endpoint

Purpose and notes

aws-api.newrelic.com

AWS Metric Streams ingest.

bam.nr-data.net

Browser ingest. Recommended browser endpoint.

bam-cell.nr-data.net

Browser ingest. Available if needed for older US region accounts that use the copy/paste method for browser monitoring.

cloud-collector.newrelic.com

Ingest for AWS VPC Flow Logs and RDS Enhanced.

collector*.newrelic.com

APM agent ingest.

infra-api.newrelic.com

Infrastructure agent ingest.

insights-collector.newrelic.com

Event API ingest.

log-api.newrelic.com

Our Log API, used by various agents and integrations.

metric-api.newrelic.com

Our Metric API for dimensional metrics, used by various agents and integrations.

mobile-collector.newrelic.com

Mobile agent ingest.

mobile-crash.newrelic.com

Mobile agent crash report ingest.

otlp.nr-data.net

OpenTelemetry ingest. Configure using the quick start guide with your account license key in the api-key header.

trace-api.newrelic.com

Trace API ingest.

EU data center ingest endpoints

Here are data ingest endpoints for our EU data center region. For port details, see Ports.

Endpoint

Purpose and notes

aws-api.eu.newrelic.com

AWS Metric Streams ingest.

aws-api.eu01.nr-data.net

Cloud integrations ingest.

bam.eu01.nr-data.net

Browser ingest (recommended for browser).

cloud-collector.eu01.newrelic.com

Ingest for AWS VPC Flow Logs and RDS Enhanced.

collector*.eu.newrelic.com

APM agent ingest.

collector*.eu01.nr-data.net

APM agent ingest.

eu01.nr-data.net

Browser ingest.

infra-api.eu.newrelic.com

Infrastructure agent ingest.

infra-api.eu01.nr-data.net

Infrastructure agent ingest.

insights-collector.eu01.nr-data.net

Event API ingest.

log-api.eu.newrelic.com

Our Log API, used by various agents and integrations.

metric-api.eu.newrelic.com

Our Metric API for dimensional metrics, used by various agents and integrations.

mobile-collector.eu01.nr-data.net

Mobile agent ingest.

mobile-crash.eu01.nr-data.net

Mobile agent crash report ingest.

otlp.eu01.nr-data.net

OpenTelemetry ingest. Configure using the quick start guide with your account license key in the api-key header.

trace-api.eu.newrelic.com

Trace API ingest.

FedRAMP ingest endpoints

See FedRAMP endpoints.

Port details

For all data ingest applications, with the exception of OpenTelemetry, use port 443, a secure channel for encrypted HTTPS traffic and our default.

If you have an existing configuration that uses port 80, we recommend updating it to use 443.

OpenTelemetry ports

The ports used for otlp.nr-data.net and otlp.eu01.nr-data.net are:

  • 443
  • 4317 (HTTP/2)
  • 4318 (HTTP/1.1)

Data ingest IP blocks

New Relic uses these blocks for data ingestion:

  • US data center endpoints: 162.247.240.0/22
  • EU data center endpoints: 185.221.84.0/22

Agent downloads

TLS is required for all domains. Service for download.newrelic.com is provided through Fastly and is subject to change without warning. For the most current list of public IP addresses for New Relic agent downloads, see api.fastly.com/public-ip-list.

Infrastructure details

In order to report data to New Relic, our infrastructure monitoring needs outbound access to endpoints in the endpoints table. TLS is required for all domains.

If your system needs a proxy to connect to New Relic, use the Infrastructure proxy setting.

Our infrastructure monitoring makes use of several other ingest endpoints, including the Metric API endpoint and the Log API endpoint (included in the endpoint table). It also uses these non-ingest-related endpoints:

  • identity-api.newrelic.com: Required for entity registration (for example, a host entity). EU endpoint: identity-api.eu.newrelic.com.
  • infrastructure-command-api.newrelic.com: Used by the agent to control aspects of agent behavior (for example, use of feature flags). EU endpoint: infrastructure-command-api.eu.newrelic.com.

APM agent details

To enhance network performance and data security, New Relic uses a CDN and DDoS prevention service with a large IP range. New Relic agents require your firewall to allow outgoing connections to the following networks and ports. To add the IP connections to your allow list, follow the specific procedures for the operating system and the firewall you use.

TLS is required for all domains.

Browser monitoring details

In addition to the endpoints used by our browser agent and our APM agents, applications monitored by our browser agent use outgoing connections to js-agent.newrelic.com.

For more information about CDN access for the js-agent.newrelic.com file to the domain bam.nr-data.net or to one of the New Relic beacons, see Security for browser monitoring.

TLS is required for all domains.

Mobile monitoring details

In addition to the ingest endpoints, apps monitored by our mobile agents use outgoing connections to mobile-symbol-upload.newrelic.com (EU endpoint: mobile-symbol-upload.eu01.nr-data.net).

TLS is required for all domains.

Security data endpoints

See Security data API.

Synthetic monitors

Public locations

To configure your firewall to allow synthetic monitors to access your monitored URL, use Synthetic public minion IPs. TLS is required for all domains.

Private locations

Synthetic private minions report to a specific endpoint based on region. To allow the private minion to access the endpoint or the static IP addresses associated with the endpoint, follow the specific procedures for the operating system and the firewall you use. These IP addresses may change in the future.

TLS is required for all domains. Use the IP connections for account data in the US or EU region as appropriate:

IP connections

Synthetics private location data

Endpoint

For US region accounts:

  • https://synthetics-horde.nr-data.net/

    For EU region accounts:

  • https://synthetics-horde.eu01.nr-data.net/

IP addresses

For US data center region accounts:

  • 13.248.153.51

  • 76.223.21.185

    For EU data center region accounts:

  • 185.221.86.57

  • 185.221.86.25

Alerts webhooks, api.newrelic.com, cloud integrations, and ticketing integrations

Endpoints that use api.newrelic.com (such as our NerdGraph API) and our New Relic-generated webhooks for alert policies use an IP address from designated network blocks for the US or EU region. TLS is required for all addresses in these blocks.

Network blocks for US region accounts:

  • 162.247.240.0/22 (Private Data Center)
  • 18.246.82.0/25 (AWS, US-WEST-2 , effective July 1st, 2023)
  • 3.145.244.128/25 (AWS, US-EAST-2, effective July 1st, 2023)

Network blocks for EU region accounts:

  • 158.177.65.64/29 (Private Data Center)
  • 159.122.103.184/29 (Private Data Center)
  • 161.156.125.32/28 (Private Data Center)
  • 3.77.79.0/25 (AWS, EU-CENTRAL-1, effective July 1st, 2023)

These network blocks also apply to third-party ticketing integrations and New Relic cloud integrations. However, they don't apply to the Azure Monitor integration.

Pixie integration

The Pixie integration runs in your Kubernetes cluster and pulls a set of curated observability data from Pixie to send it to New Relic using the OpenTelemetry Protocol (OTLP).

The Pixie integration requires outbound network access to the following:

  • work.withpixie.ai:443
  • withpixie.ai:443
  • otlp.nr-data.net:4317 (US data center accounts)
  • otlp.eu01.nr-data.net:4317 (EU data center accounts)

Tip

If the 4317 port doesn't work, you can use port 443.

The Pixie community project uses container images hosted in Google Container Registry. Ensure your cluster can pull images from gcr.io.

CodeStream

New Relic CodeStream is a developer collaboration platform that enables your development team to discuss and review code in a natural and contextual way.

It uses the following domains:

  • api.codestream.com
  • *.pubnub.com
  • *.pubnub.net
  • *.pndsn.com
  • *.pubnub.io
Copyright © 2023 New Relic Inc.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.