Important
New Relic has discontinued the use of the following IP ranges: 3.145.244.128/25, 3.77.79.0/25, 3.27.118.128/25, 20.51.136.0/25, 4.197.217.128/25, 18.246.82.0/25, 158.177.65.64/29, 159.122.103.184/29, 161.156.125.32/28. As of May 1, 2025 these ranges may be reallocated by the cloud provider to other customers for purposes out of our control. Please update your network configurations accordingly.
This list is current. Networks, IPs, domains, ports, and endpoints last updated March 4, 2025.
This is a list of the networks, IP addresses, domains, ports, and endpoints used by API clients or agents to communicate with New Relic. TLS is required for all domains.
Tip
This doc provides information for ensuring our integrations can access New Relic domains. To monitor the performance of your network, see Get started with network monitoring.
TLS encryption
To ensure data security for our customers and to be in compliance with FedRAMP and other standards for data encryption, all inbound connections for all domains require Transport Layer Security (TLS) 1.2. For more details, see our Support Forum post about TLS 1.2.
For future updates to required and supported protocol versions, follow the Security Notifications tag in New Relic's Support Forum.
New Relic telemetry endpoints
This table contains the endpoints for New Relic telemetry data ingest, and other functionality related to telemetry monitoring. (For an easy-to-copy list of these endpoints, see Endpoint list.)
For more detail on specific agents and integrations, and about ports, keep reading below the table.
Capability | US data center endpoint | EU data center endpoint |
|---|---|---|
APM | ||
APM agent ingest |
|
|
APM agent ingest, when you forward logs through our APM agents |
|
|
AWS | ||
AWS Metric Streams ingest |
|
|
AWS VPC Flow Logs and RDS Enhanced ingest |
|
|
Browser | ||
Browser monitoring ingest |
|
|
IAST | ||
Validator Service URL
|
|
|
Ingest APIs | ||
Our Event API |
|
|
Our Log API |
|
|
Our Metric API |
|
|
Our Trace API |
|
|
Infrastructure | ||
Infrastructure agent ingest |
|
|
Infrastructure entity registration |
|
|
Infrastructure agent control |
|
|
Lookup tables | ||
Lookup table upload |
|
|
Mobile | ||
Mobile agent ingest |
|
|
Mobile agent crash report ingest |
|
|
Symbolication, deobfuscation, and related |
|
|
OpenTelemetry | ||
OpenTelemetry ingest |
|
|
Telemetry endpoints in simple list format
The telemetry endpoints in the table above are included below in easy-to-copy lists:
FedRAMP ingest endpoints
See FedRAMP endpoints.
Ports
For all data ingest applications, with the exception of OpenTelemetry, use port 443, a secure channel for encrypted HTTPS traffic and our default.
If you have an existing configuration that uses port 80, we recommend updating it to use 443.
OpenTelemetry ports
The ports used for otlp.nr-data.net and otlp.eu01.nr-data.net are:
- 443
- 4317 (HTTP/2)
- 4318 (HTTP/1.1)
Data ingest IP blocks
We use these blocks for data ingestion:
162.247.240.0/22152.38.128.0/19185.221.84.0/22212.32.0.0/2064.251.192.0/20
New Relic telemetry dualstack endpoints
These endpoints support both IPv4 and IPv6, and have HTTP/2 and HTTP/3 enabled.
Capability | US data center endpoint | EU data center endpoint |
|---|---|---|
APM | ||
APM agent ingest |
|
|
AWS | ||
AWS Metric Streams ingest |
|
|
AWS VPC Flow Logs and RDS Enhanced ingest |
|
|
Browser | ||
Browser monitoring ingest |
|
|
Ingest APIs | ||
Our Event API |
|
|
Our Log API |
|
|
Our Metric API |
|
|
Our Trace API |
|
|
Infrastructure | ||
Infrastructure agent ingest |
|
|
Infrastructure entity registration |
|
|
Infrastructure agent control |
|
|
Mobile | ||
Mobile agent ingest |
|
|
Mobile agent crash report ingest |
|
|
OpenTelemetry | ||
OpenTelemetry ingest |
|
|
Data ingest IP blocks
We use these blocks for data ingestion:
IPv4
- US data center endpoints:
162.247.240.0/22 - EU data center endpoints:
185.221.84.0/22
IPv6
- US data center endpoints:
2602:816:5000::/40and2620:16:4000::/48 - EU data center endpoints:
2a0d:8000::/29
User-facing domains
Your browser must be able to communicate with a number of domains for New Relic to work properly. Update your allow list to ensure New Relic can communicate with a number of integral domains listed in this section. Blocking domains can cause issues with individual product features or prevent pages from loading altogether.
This list doesn't cover domains that New Relic connects to that can be blocked without affecting your usage of the product. It also doesn't cover Nerdpacks or other features that communicate with external services that have additional domain requirements.
If your organization uses a firewall that restricts outbound traffic, follow the specific procedures for the operating system and the firewall you use to add the following domains to the allow list.
Domain | Description |
|---|---|
| New Relic and supporting services |
| Static New Relic assets |
| New Relic Nerdpacks and assets |
| Support for Gravatar avatars |
| Support for Google Fonts |
| Support for Google Fonts |
| Support for reCAPTCHA |
| Support for reCAPTCHA |
| OpenTelemetry and Pixie |
| New Relic sharing permalinks |
| Synthetics code editor autocompletion functionality |
| Synthetics screenshots, logs, and similar assets (US region only) |
| Synthetics screenshots, logs, and similar assets (EU region only) |
| New Relic Partner API |
Agent downloads
TLS is required for all domains. Service for download.newrelic.com is provided through CDN and is subject to change without warning.
Important
New Relic is updating its IP configuration for agent downloads. Starting April 22, 2025, download.newrelic.com will use IP addresses from the block 162.247.240.0/22. Please update your network settings to accommodate this change.
Infrastructure details
In order to report data to New Relic, our infrastructure monitoring needs outbound access to endpoints in the endpoints table. TLS is required for all domains.
If your system needs a proxy to connect to New Relic, use the Infrastructure proxy setting.
Our infrastructure monitoring makes use of several other ingest endpoints, including the Metric API endpoint and the Log API endpoint (included in the endpoint table).
Details about the non-ingest-related endpoints:
identity-api.newrelic.com|identity-api.eu.newrelic.com: Required for entity registration (for example, ahostentity).infrastructure-command-api.newrelic.com|infrastructure-command-api.eu.newrelic.com: Used by the agent to control aspects of agent behavior (for example, use of feature flags).
APM agent details
To enhance network performance and data security, New Relic uses a CDN and DDoS prevention service with a large IP range. New Relic agents require your firewall to allow outgoing connections to the APM-related endpoints in the ingest endpoints table. To add them to your allow list, follow the specific procedures for the operating system and the firewall you use.
TLS is required for all domains.
Browser monitoring details
In addition to the endpoints used by our agent and our agents, applications monitored by our browser agent use outgoing connections to js-agent.newrelic.com.
For more information about CDN access for the js-agent.newrelic.com file to the domain bam.nr-data.net or to one of the New Relic beacons, see Security for browser monitoring.
TLS is required for all domains.
Security data endpoints
See Security data API.
Synthetic monitors
Public locations
To configure your firewall to allow synthetic monitors to access your monitored URL, use Synthetic public minion IPs. TLS is required for all domains.
Private locations
Synthetic private minions report to a specific endpoint based on region. To allow the private minion to access the endpoint or the static IP addresses associated with the endpoint, follow the specific procedures for the operating system and the firewall you use. These IP addresses may change in the future.
TLS is required for all domains. Use the IP connections for your data center region (US or EU):
IP connections | Synthetics private location data |
|---|---|
Endpoint | US data center region:
|
IP addresses |
|
Alerts webhooks, api.newrelic.com, cloud integrations, and ticketing integrations
Endpoints that use api.newrelic.com (such as our NerdGraph API) and our New Relic-generated webhooks for alert policies use an IP address from designated network blocks for the US or EU region. TLS is required for all addresses in these blocks.
Important
New Relic has discontinued the use of the following IP ranges: 3.145.244.128/25, 3.77.79.0/25, 3.27.118.128/25, 20.51.136.0/25, 4.197.217.128/25, 18.246.82.0/25, 158.177.65.64/29, 159.122.103.184/29, 161.156.125.32/28. As of May 1, 2025 these ranges may be reallocated by the cloud provider to other customers for purposes out of our control. Please update your network configurations accordingly.
Network blocks:
162.247.240.0/22152.38.128.0/19(effective June 20, 2024)185.221.84.0/22212.32.0.0/20(effective June 20, 2024)64.251.192.0/20(effective June 20, 2024)
JSON file of New Relic public IP addresses
- You can automate your allow lists based on this file: IP range list
These network blocks also apply to third-party ticketing integrations and New Relic cloud integrations. However, they don't apply to the Azure Monitor integration.
Pixie integration
The Pixie integration runs in your Kubernetes cluster and pulls a set of curated observability data from Pixie to send it to New Relic using the OpenTelemetry Protocol (OTLP).
The Pixie integration requires outbound network access to the following:
work.withpixie.ai:443withpixie.ai:443otlp.nr-data.net:4317(US data center)otlp.eu01.nr-data.net:4317(EU data center)
Tip
If the 4317 port doesn't work, you can use port 443.
The Pixie community project uses container images hosted in Google Container Registry. Ensure your cluster can pull images from gcr.io.
CodeStream
New Relic CodeStream is a developer collaboration platform that enables your development team to discuss and review code in a natural and contextual way.
It uses the following domains:
*.newrelic.com*.eu.newrelic.com*.pubnub.com*.pubnub.net*.pndsn.com*.pubnubapi.com