This list is current. Networks, IPs, domains, ports, and endpoints last updated March 22, 2022.
This is a list of the networks, IP addresses, domains, ports, and endpoints used by API clients or agents to communicate with New Relic. TLS is required for all domains.
For information on our FedRAMP endpoints, see our FedRAMP endpoints documentation.
Tip
This doc describes how to ensure our agents and integrations can access New Relic's domains. To monitor the performance of your network, see Get started with network performance monitoring.
TLS encryption
To ensure data security for our customers and to be in compliance with FedRAMP and other standards for data encryption, all inbound connections for all domains require Transport Layer Security (TLS) 1.2 or above. For more information, see our Support Forum post about TLS 1.2.
For future updates to required and supported protocol versions, follow the Security Notifications tag in New Relic's Support Forum.
User-facing domains
Your browser must be able to communicate with a number of domains for New Relic to work properly. Update your allow list to ensure New Relic can communicate with a number of integral domains that are listed in this section. Blocking domains can cause issues with individual product features or prevent pages from loading altogether.
This list doesn't cover domains that New Relic connects to that can be blocked without affecting your usage of the product. It also doesn't cover Nerdpacks or other features that communicate with external services that have additional domain requirements.
If your organization uses a firewall that restricts outbound traffic, follow the specific procedures for the operating system and the firewall you use to add the following domains to the allow list.
Domain | Description |
|---|---|
*.newrelic.com | New Relic and supporting services |
*.nr-assets.net | Static New Relic assets |
*.nr-ext.net | New Relic Nerdpacks and assets |
*.amazonaws.com | New Relic catalog assets behind AWS S3 |
*.cloudfront.net | Static New Relic assets behind AWS CloudFront CDN |
secure.gravatar.com | Support for Gravatar avatars |
fonts.googleapis.com | Support for Google Fonts |
fonts.gstatic.com | Support for Google Fonts |
Support for reCAPTCHA | |
Support for reCAPTCHA | |
*.nr-data.net | OpenTelemetry and Pixie |
onenr.io | New Relic sharing permalinks |
*.typescript.azureedge.net | Synthetics code editor autocompletion functionality |
APM agents
To enhance network performance and data security, New Relic uses a CDN and DDoS prevention service with a large IP range. New Relic agents require your firewall to allow outgoing connections to the following networks and ports. To add the following IP connections to the allow list, follow the specific procedures for the operating system and the firewall you use.
TLS is required for all domains. Use the IP connections for account data in the US or European Union region as appropriate:
IP connections | data |
|---|---|
Networks | US region accounts:
|
Ports | US region accounts:
|
Endpoints | US region accounts:
|
Port 443 recommended
Recommendation: Use port 443, a secured channel for encrypted HTTPS traffic. Some New Relic agents also offer port 80, an unsecured channel open to all HTTP traffic.
While some agents can be configured to use both port 80 and port 443, we recommend that you choose the port 443 (default). If you have an existing configuration that uses port 80, you can update it to use port 443, the default New Relic connection.
Agent downloads
TLS is required for all domains. Service for download.newrelic.com is provided through Fastly and is subject to change without warning. For the most current list of public IP addresses for New Relic agent downloads, see api.fastly.com/public-ip-list.
Infrastructure agents
In order to report data to New Relic, our infrastructure monitoring needs outbound access to these domains, networks, and ports. TLS is required for all domains.
Use the IP connections for account data in the US or European Union region as appropriate:
IP connections | Infrastructure data |
|---|---|
Domains |
|
Networks | For US region accounts:
|
Port |
|
Domains + Port | For US region accounts:
|
Proxy | If your system needs a proxy to connect to this domain, use the Infrastructure |
Browser domains
In addition to the IP addresses for APM agents, applications monitored by our browser agents use outgoing connections to the following domains. TLS is required for all domains.
Use the IP connections for account data in the US or European Union region as appropriate:
For US region accounts:
bam.nr-data.net(recommended)bam-cell.nr-data.net(available if needed for older US region accounts that use the copy/paste method for browser monitoring)js-agent.newrelic.com
For EU region accounts:
eu01.nr-data.netbam.eu01.nr-data.net
For more information about CDN access for the js-agent.newrelic.com file to the domain bam.nr-data.net or to one of the New Relic beacons, see Security for browser monitoring.
Mobile domains
In addition to the IP addresses for APM agents, applications monitored by our mobile agents use outgoing connections to the following domains. TLS is required for all domains.
Use the IP connections for account data in the US or European Union region as appropriate:
For US region accounts:
mobile-collector.newrelic.commobile-crash.newrelic.commobile-symbol-upload.newrelic.com
For EU region accounts:
mobile-collector.eu01.nr-data.netmobile-crash.eu01.nr-data.netmobile-symbol-upload.eu01.nr-data.net
Synthetic monitor public locations
To configure your firewall to allow synthetic monitors to access your monitored URL, use Synthetic public minion IPs. TLS is required for all domains.
Synthetic monitor private locations
Synthetic private minions report to a specific endpoint based on region. To allow the private minion to access the endpoint or the static IP addresses associated with the endpoint, follow the specific procedures for the operating system and the firewall you use. These IP addresses may change in the future.
TLS is required for all domains. Use the IP connections for account data in the US or European Union region as appropriate:
IP connections | Synthetics private location data |
|---|---|
Endpoint | For US region accounts:
|
IP addresses | For US region accounts:
|
Alerts webhooks, api.newrelic.com, cloud integrations, and ticketing integrations
Endpoints that use api.newrelic.com (such as our GraphQL API for NerdGraph) and our New Relic-generated webhooks for alert policies use an IP address from designated network blocks for the US or European Union region. TLS is required for all addresses in these blocks.
Network blocks for US region accounts:
- 162.247.240.0/22
Network blocks for EU region accounts:
- 158.177.65.64/29
- 159.122.103.184/29
- 161.156.125.32/28
These network blocks also apply to third-party ticketing integrations and New Relic cloud integrations.
Pixie integration
The Pixie integration runs in your Kubernetes cluster and pulls a set of curated observability data from Pixie to send it to New Relic using the OpenTelemetry Protocol (OTLP).
The Pixie integration requires outbound network access to the following:
- work.withpixie.ai:443
- withpixie.ai:443
- otlp.nr-data.net:4317 (US region accounts)
- otlp.eu01.nr-data.net:4317 (EU region accounts)
Tip
If the 4317 port doesn't work, you can use port 443.
The Pixie community project uses container images hosted in Google Container Registry (https://cloud.google.com/container-registry/). Please ensure your cluster can pull images from gcr.io.
CodeStream
New Relic CodeStream is a developer collaboration platform that enables your development team to discuss and review code in a natural and contextual way.
It uses the following domains:
api.codestream.com*.pubnub.com*.pubnub.net*.pndsn.com*.pubnub.io
OpenTelemetry
New Relic supports OpenTelemetry Protocol (OTLP) for exporting telemetry data. This allows you to use the vendor neutral components developed by the OpenTelemetry community to export your data to New Relic.
To export OTLP data to New Relic:
- Configure the OTLP exporter to add a header (api-key) with your account license key.
- Based on your region, configure the endpoint where the exporter sends data to New Relic. See the OpenTelemetry quick start for more information.
- otlp.nr-data.net:(443/4317/4318) (US region accounts)
- otlp.eu01.nr-data.net:(443/4317/4318) (EU region accounts)
Network blocks:
- 162.247.240.0/22 (US region accounts)
- 185.221.84.0/22 (EU region accounts)