This list is current. Last updated 31 May 2021.
This is a list of the networks, IP addresses, domains, ports, and endpoints used by API clients or agents to communicate with New Relic. TLS is required for all domains.
Your browser must be able to communicate with a number of domains for New Relic One to work properly. See User-facing domains for the list of domains that should be allowed through your firewall.
TLS encryption
To ensure data security for our customers and to be in compliance with FedRAMP and other standards for data encryption, Transport Layer Security (TLS) is required for all domains. Our preferred protocol for all domains is TLS 1.2. For more information, see New Relic's Explorers Hub post about TLS 1.2.
In addition, TLS 1.2 is required for most domains, except:
- APM agent connections
- Browser agent connections
- Event API
For future updates to required and supported protocol versions, follow the Security Notifications tag in New Relic's Explorers Hub.
User-facing domains
Update your allow list to ensure New Relic can communicate with a number of integral domains (listed below). Blocking domains can cause issues with individual product features or prevent pages from loading altogether.
This list doesn't cover domains that New Relic connects to that can be blocked without affecting your usage of the product. It also doesn't cover Nerdpacks or other features that communicate with external services that have additional domain requirements.
If your organization uses a firewall that restricts outbound traffic, ensure that the following domains are added to the allow list:
Domain | Description |
|---|---|
*.newrelic.com | New Relic One and supporting services |
*.nr-assets.net | Static New Relic assets |
*.nr-ext.net | New Relic One Nerdpacks and assets |
*.amazonaws.com | New Relic One catalog assets behind AWS S3 |
*.cloudfront.net | Static New Relic assets behind AWS CloudFront CDN |
secure.gravatar.com | Support for Gravatar avatars |
fonts.googleapis.com | Support for Google Fonts |
fonts.gstatic.com | Support for Google Fonts |
Support for reCAPTCHA | |
Support for reCAPTCHA |
APM agents
To enhance network performance and data security, New Relic uses a CDN and DDoS prevention service with a large IP range. New Relic agents require your firewall to allow outgoing connections to the following networks and ports.
TLS is required for all domains. Use the IP connections for account data in the US or European Union region as appropriate:
IP connections | APM data |
|---|---|
Networks | US region accounts:
|
Ports | US region accounts:
|
Endpoints | US region accounts:
|
Recommendation: Use port 443, a secured channel for encrypted HTTPS traffic. Some New Relic agents also offer port 80, an unsecured channel open to all HTTP traffic.
While some agents can be configured to use both port 80 and port 443, we recommend that you choose the port 443 (default). If you have an existing configuration that uses port 80, you can update it to use port 443, the default New Relic connection.
Agent downloads
TLS is required for all domains. Service for download.newrelic.com is provided through Fastly and is subject to change without warning. For the most current list of public IP addresses for New Relic agent downloads, see api.fastly.com/public-ip-list.
Infrastructure agents
In order to report data to New Relic, our infrastructure monitoring needs outbound access to these domains, networks, and ports. TLS is required for all domains.
Use the IP connections for account data in the US or European Union region as appropriate:
IP connections | Infrastructure data |
|---|---|
Domains |
|
Networks | For US region accounts:
|
Port |
|
Domains + Port | For US region accounts:
|
Proxy | If your system needs a proxy to connect to this domain, use the Infrastructure |
Browser domains
In addition to the IP addresses for APM agents, applications monitored by our browser agents use outgoing connections to the following domains. TLS is required for all domains.
Use the IP connections for account data in the US or European Union region as appropriate:
For US region accounts:
bam.nr-data.netjs-agent.newrelic.com
For EU region accounts:
eu01.nr-data.netbam.eu01.nr-data.net
For more information about CDN access for the js-agent.newrelic.com file to the domain bam.nr-data.net or to one of the New Relic beacons, see Security for browser monitoring.
Mobile domains
In addition to the IP addresses for APM agents, applications monitored by our mobile agents use outgoing connections to the following domains. TLS is required for all domains.
Use the IP connections for account data in the US or European Union region as appropriate:
For US region accounts:
mobile-collector.newrelic.commobile-crash.newrelic.commobile-symbol-upload.newrelic.com
For EU region accounts:
mobile-collector.eu01.nr-data.netmobile-crash.eu01.nr-data.netmobile-symbol-upload.eu01.nr-data.net
Synthetic monitor public locations
To configure your firewall to allow synthetic monitors to access your monitored URL, use Synthetic public minion IPs. TLS is required for all domains.
Synthetic monitor private locations
Synthetic private minions report to a specific endpoint based on region. Configure your firewall to allow the private minion to access the endpoint or the static IP addresses associated with the endpoint. These IP addresses may change in the future.
TLS is required for all domains. Use the IP connections for account data in the US or European Union region as appropriate:
IP connections | Synthetics private location data |
|---|---|
Endpoint | For US region accounts:
|
IP addresses | For US region accounts:
|
Alerts webhooks, api.newrelic.com, and ticketing integrations
Endpoints that use api.newrelic.com (such as our GraphQL API for NerdGraph) and our New Relic-generated webhooks for alert policies use an IP address from designated network blocks for the US or European Union region. TLS is required for all addresses in these blocks.
Network blocks for US region accounts:
- 162.247.240.0/22
Network blocks for EU region accounts:
- 158.177.65.64/29
- 159.122.103.184/29
- 161.156.125.32/28
These network blocks also apply to third-party ticketing integrations.
Pixie integration
The Pixie integration runs in your Kubernetes cluster and pulls a set of curated observability data from Pixie to send it to New Relic using the OpenTelemetry line protocol.
The Pixie integration requires outbound network access to the following:
- work.withpixie.ai:443
- otlp.nr-data.net:4317 (US region accounts)
- eu.otlp.nr-data.net:4317 (EU region accounts)
For more help
If you need more help, check out these support and learning resources:
- Browse the Explorers Hub to get help from the community and join in discussions.
- Find answers on our sites and learn how to use our support portal.
- Run New Relic Diagnostics, our troubleshooting tool for Linux, Windows, and macOS.
- Review New Relic's data security and licenses documentation.