FedRAMP-compliant endpoints

New Relic is FedRAMP Authorized Moderate for accounts that meet specific criteria. As a cloud service provider, we are committed to ensuring our compliance with FedRAMP's requirements for the confidentiality, integrity, and availability of your data. Please ensure that you comply with the requirements for using our FedRAMP environment, then use our FedRAMP-compliant endpoints to get your data into New Relic via your agent configuration or API.

Customer FedRAMP obligations

New Relic customers must meet all of the following requirements for our FedRAMP environment:

New Relic-approved customers: Our FedRAMP-Moderate authorized environment is only available for New Relic-approved customers. For more information, contact your New Relic account representative.
Subscription level: Customer must have a current and valid subscription for our Enterprise edition with the Data Plus option, or have an alternative New Relic-approved subscription.
Authorized New Relic endpoints: Customer must send their data only to our FedRAMP-designated endpoints.
Authorized services and features: Customer must use only FedRAMP audited and authorized New Relic services and features.

FedRAMP inheritance

A customer can have FedRAMP and non-FedRAMP enabled accounts as required by their business needs. To add accounts, talk to your New Relic account representative.

Note: If FedRAMP is enabled on a parent account (the recommended configuration), then all its child accounts are FedRAMP. In this configuration, newly created child accounts are FedRAMP by default. FedRAMP cannot be “removed” from child accounts when the parent is FedRAMP. This option ensures compliance by default.

There are multiple ways to get data into New Relic, including:

Agent settings for our APM agents, infrastructure monitoring agent, browser monitoring agent, and mobile monitoring agent
Data-ingest APIs for our Metric API, Event API, Log API, and Trace API, as well as the integrations that use those APIs

This document provides information on FedRAMP-compliant endpoints in New Relic. For more information about our security accreditation for the Federal Risk and Authorization Management Program (FedRAMP), see our data encryption documentation. For further information on New Relic networks, domains, and ports, see our networking documentation.

중요

If a service's endpoint is not listed in this document and the service is not found in our list of services not in scope, then the service's standard endpoint already meets FedRAMP compliance requirements as is, without the need for a distinct FedRAMP endpoint.

Agents

New Relic has several agents for reporting data, including our APM agents, infrastructure monitoring agent, browser monitoring agent, and mobile monitoring agents. To send FedRAMP-compliant data with these agents, adjust their configuration setting to use the relevant FedRAMP endpoint.

APM agents

To ensure FedRAMP compliance, all APM agent configurations must report to gov-collector.newrelic.com rather than the default. Depending on the agent, you can either use code-based configuration or an environment variable to enable the FedRAMP-compliant endpoint.

Language	Code or environment variable
Go	In code: `app, err = newrelic.NewApplication( newrelic.ConfigAppName("App Name"), newrelic.ConfigLicense(os.Getenv("NEW_RELIC_LICENSE_KEY")), func(cfg *newrelic.Config) { cfg.Host = "gov-collector.newrelic.com" }, )` Environment variable: `NEW_RELIC_HOST`
Java	In `newrelic.yml`: `common: &default_settings host: gov-collector.newrelic.com` Or set a system property of: `newrelic.config.host` Environment variable: `NEW_RELIC_HOST`
.NET	In your XML config next to the : `<service licenseKey="YOUR_LICENSE_KEY" host="gov-collector.newrelic.com"/>` Environment variable: `NEW_RELIC_HOST`
Node.js	In `newrelic.js`: `host: 'gov-collector.newrelic.com'` Environment variable: `NEW_RELIC_HOST`
PHP	In `newrelic.ini`: `newrelic.daemon.collector_host = gov-collector.newrelic.com` Environment variable: none
Python	In `newrelic.ini`: `[newrelic] host = gov-collector.newrelic.com` Environment variable: `NEW_RELIC_HOST`
Ruby	In `newrelic.yml`: `common: &default_settings host: gov-collector.newrelic.com` Environment variable: `NEW_RELIC_HOST`
Elixir (open source agent)	In `config.exs`: `config :new_relic_agent, host: "gov-collector.newrelic.com"` Environment variable: `NEW_RELIC_HOST`

Infrastructure monitoring

If you have infrastructure agent version 1.15.0 or higher, simply enable the FedRAMP configuration option. This enables FedRAMP compliancy for data reported by the infrastructure agent.

This also enables FedRAMP compliancy for any on-host integrations that work with the infrastructure monitoring agent to report data. Exception: Currently the AWS CloudWatch Metric Streams integration is not FedRAMP compliant.

If you have an infrastructure agent version below 1.15.0, you must change three of the endpoints used for reporting. To set these endpoints, you can change your YAML configuration or use environment variables.

YAML config field	Endpoint URL
`collector_url`	`https://gov-infra-api.newrelic.com`
`identity_url`	`https://gov-identity-api.newrelic.com`
`command_channel_url`	`https://gov-infrastructure-command-api.newrelic.com`

To edit environment variables, use these values:

Environment variable	Endpoint URL
`NRIA_COLLECTOR_URL`	`https://gov-infra-api.newrelic.com`
`NRIA_IDENTITY_URL`	`https://gov-identity-api.newrelic.com`
`NRIA_COMMAND_CHANNEL_URL`	`https://gov-infrastructure-command-api.newrelic.com`

Browser monitoring agent

Browser monitoring agents will automatically update your account information to use the correct endpoints.

Mobile monitoring agents

To ensure FedRAMP compliance when using our mobile monitoring agents, all agent configurations must report to gov-mobile-collector.newrelic.com rather than the default. You must use code-based configuration. Environment variables are not available.

Framework-specific configurations:

Agent	Code or environment variable
Android	In code: `NewRelic.withApplicationToken({APP_TOKEN}) .usingCollectorAddress("gov-mobile-collector.newrelic.com") .usingCrashCollectorAddress("gov-mobile-crash.newrelic.com") .start(this.getApplication());` Environment variable: none
iOS	In code: `[NewRelic startWithApplicationToken:@"{APP_TOKEN}" andCollectorAddress:@"gov-mobile-collector.newrelic.com" andCrashCollectorAddress:@"gov-mobile-crash.newrelic.com"];` Environment variable: none

Agent

Code or environment variable

Android

In code:

NewRelic.withApplicationToken({APP_TOKEN})
    .usingCollectorAddress("gov-mobile-collector.newrelic.com")
    .usingCrashCollectorAddress("gov-mobile-crash.newrelic.com")
    .start(this.getApplication());

Environment variable: none

iOS

In code:

[NewRelic startWithApplicationToken:@"{APP_TOKEN}"
    andCollectorAddress:@"gov-mobile-collector.newrelic.com"
    andCrashCollectorAddress:@"gov-mobile-crash.newrelic.com"];

Environment variable: none

Data-ingest APIs

Follow these instructions as applicable to set the FedRAMP endpoint for a specific API or the integration that uses the API.

OTLP API

To ensure FedRAMP compliance when using the OpenTelemetry API, only send data to the following endpoints based on the data type and protocol:

Data type	Protocol	Port	URL
Traces and logs	gRPC	4317, 443	`https://gov-otlp.nr-data.net:4317` `https://gov-otlp.nr-data.net:443` We don't recommend that you use the gRPC protocol at this time because the endpoint only accepts traces and logs. This is due to technical limitations in the OTLP metrics integration. We recommend you send your all your OTLP FedRamp data (metrics, traces, and logs) via the HTTP protocol. If your application doesn't support HTTP, you can still just send traces and logs via gRPC (not metrics).
Traces and logs	HTTP	4318	`https://gov-otlp.nr-data.net:4318`
Metrics	HTTP	4318	`https://gov-otlp.nr-data.net:4318` You can configure your OTLP exporter to use HTTP by using the otlphttp exporter.

Data type

Protocol

Port

URL

Traces and logs

gRPC

4317, 443

https://gov-otlp.nr-data.net:4317

https://gov-otlp.nr-data.net:443

We don't recommend that you use the gRPC protocol at this time because the endpoint only accepts traces and logs. This is due to technical limitations in the OTLP metrics integration. We recommend you send your all your OTLP FedRamp data (metrics, traces, and logs) via the HTTP protocol. If your application doesn't support HTTP, you can still just send traces and logs via gRPC (not metrics).

Traces and logs

HTTP

4318

https://gov-otlp.nr-data.net:4318

Metrics

HTTP

4318

https://gov-otlp.nr-data.net:4318

You can configure your OTLP exporter to use HTTP by using the otlphttp exporter.

중요

Do NOT send data to the US OTLP API endpoint of https://otlp.nr-data.net:4317.

See our OTLP integration support matrix for more details on FedRAMP compliance with OTLP.

Metric API

To ensure FedRAMP compliance when using the Metric API, do not send metric data to the default Metric API endpoint of https://metric-api.newrelic.com/metric/v1. Instead, send metric data to https://gov-metric-api.newrelic.com/metric/v1.

The Metric API can be used directly, but it's mainly used by various New Relic tools. Follow these instructions as applicable to edit the configuration for setting the FedRAMP endpoint.

Telemetry integrations for metric data

Here are instructions for our open source telemetry integrations that report metric data:

Open-source telemetry integration	Configuration
Dropwizard	Use the `overrideUri` configuration on GitHub.
Kamon	Use the `metric-ingest-url` configuration. See the Kamon documentation to override endpoints.
Micrometer	Override the `public String uri()` method on your `NewRelicRegistryConfig` to return the new endpoint. See the example in GitHub.
Prometheus OpenMetrics	If you're using our nri-prometheus helm chart, you can change the endpoint in your `values.yml` file, like in this example on GitHub. If you're using the nri-bundle chart, you need to nest this value under the `nri-prometheus` key to propagate it to the sub-chart.
Prometheus remote write integration	Replace `https://metric-api.newrelic.com/prometheus/v1` with the FedRAMP-compliant endpoint `https://gov-metric-api.newrelic.com/prometheus/v1` in the `url` configuration parameter in your Prometheus YML file.

Telemetry SDKs for metric data

Here are instructions for our Telemetry SDKs that report metric data:

Telemetry SDK for APM agents	Configuration
Go	Use the `MetricsURLOverride` configuration found on GitHub.
Java	In the `MetricBatchSender` section, configure the endpoint. See the example on GitHub.
.NET	Use the `MetricUrlOverride` configuration found on GitHub.
Node.js	Edit the `METRIC_HOST = 'metric-api.newrelic.com'` configuration found on GitHub.
Python	Edit the `HOST = "metric-api.newrelic.com"` configuration found on GitHub.

Event API

To ensure FedRAMP compliance for the Event API, all traffic reporting to insights-collector.newrelic.com must instead report to gov-insights-collector.newrelic.com.

The Event API endpoint is configurable for the following Telemetry SDKs. The Telemetry SDKs are used by our open-source telemetry integrations.

Language	Solution
Java Telemetry SDK	In code: `SenderConfiguration configuration = SenderConfiguration .builder( "gov-insights-collector.newrelic.com", EventBatchSender.EVENTS_PATH) .build(); EventBatchSender eventBatchSender = EventBatchSender.create(configuration);`
Python Telemetry SDK	In code: `event_client = EventClient(host="gov-insights-collector.newrelic.com")` For more information, see our Telemetry API documentation in GitHub.

Language

Solution

Java Telemetry SDK

In code:

SenderConfiguration configuration = SenderConfiguration
  .builder(
    "gov-insights-collector.newrelic.com",
    EventBatchSender.EVENTS_PATH)
  .build();

EventBatchSender eventBatchSender = EventBatchSender.create(configuration);

Python Telemetry SDK

In code:

event_client = EventClient(host="gov-insights-collector.newrelic.com")

For more information, see our Telemetry API documentation in GitHub.

Log API

To ensure FedRAMP compliance for data sent via the Log API, the solution for almost all of our log forwarders is to replace the https://log-api.newrelic.com/log/v1 endpoint with https://gov-log-api.newrelic.com/log/v1. Or, to use the Log API directly, edit the Log API endpoint configuration.

Here are details on changing the endpoint for our log forwarders. If a log forwarder is not listed, FedRAMP endpoint configuration is not available.

Log forwarder	Configuration
AWS Firelens	Add the `endpoint` property to the `options` field of the `logConfiguration`, similar to the EU account endpoint change shown in the Firelens endpoint configuration instructions.
Fluentbit	Use our Fluentbit endpoint configuration found on GitHub.
Fluentd	Use our Fluentd endpoint instructions.
Infrastructure agent	See the FedRAMP configuration instructions for infrastructure monitoring.
Kubernetes	Our Kubernetes integration logs are based on Fluentbit's output plugin. Use the Helm chart endpoint instructions found on GitHub.
Logstash	Use our Logstash endpoint configuration.
Syslog	For configuring syslog clients, see our documentation about TCP endpoint configuration.

Trace API

To ensure FedRAMP compliance for data sent via the Trace API (including telemetry integrations that use this API), replace the https://trace-api.newrelic.com/trace/v1 endpoint with https://gov-trace-api.newrelic.com/trace/v1.

Notes about FedRAMP compliance for other trace data:

Trace data is reported by some of our agents for APM, infrastructure monitoring, browser monitoring, and mobile monitoring. To enable FedRAMP compliance for trace data, follow the procedures for the applicable agent.
To enable FedRAMP compliance for Infinite Tracing, create a new FedRAMP-compliant trace observer in Infinite Tracing settings.