
Range of required outbound destinations for Agents


#1

I’m evaluating New Relic for use in monitoring. Our network admin has indicated that New Relic can’t be used due to the large range of outbound destinations required:

The number of external outbound IP destinations that need to be opened needs to be reduced from over 1,082,000 possible targets to a more reasonable address range.

Is there any way to reduce the range of IP destinations that must be opened?

(The range is from https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/networks for Agents.)


#2

While you can certainly reduce the address range to whatever suits your network admin, we cannot guarantee proper functionality of our agents in that case. The reason we have such a wide range allowed is that our service provider for Distributed Denial of Service attack mitigation uses that as their netblock, and their algorithm for mitigating attacks requires a sizable range of IP addresses as some mitigation is DNS based and might be updated frequently during an attack. Yes, that netblock is shared with other customers of that provider, but as you can tell your network administrator, we never initiate contact from our networks (except for synthetics and availability monitoring) - so you need only whitelist the blocks for outgoing, not incoming traffic. If someone can convince our agents on your network to talk to “their” host within the shared netblock - your DNS or network has been compromised.

Do we use that range every day, week, or month? No. At present, the smallest netblock listed - 50.31.164.0/24 - is sufficient. But the other netblocks are for futureproofing in case we a) need more space (we have a lot of data coming into that /24), b) we get attacked, or c) we need to grow - we promise not to change things from the 4 blocks listed in a shorter timeframe than 3 months.

While you can choose to whitelist only that small netblock, when you write in about your agents not reporting in case of a network change, we will help you troubleshoot it, but we won’t be able to back-populate lost data. It is not a best practice not to include all the networks listed.
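The answer above comes down to two practical questions for the network team: how many addresses an egress allowlist actually opens (overlapping blocks counted once), and whether the agent's collector endpoints still resolve inside it. The script below is an added example, not New Relic code; it uses the one netblock named in this thread, 50.31.164.0/24, with RFC 5737 documentation ranges as placeholders for the other listed blocks, and constructed DNS results for hypothetical endpoint names.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# 50.31.164.0/24 is the block the thread names as currently sufficient; the two
# RFC 5737 ranges are placeholders standing in for the other documented blocks.
ALLOWED_EGRESS = ["50.31.164.0/24", "198.51.100.0/24", "203.0.113.0/24"]


def address_count(cidrs: Iterable[str]) -> int:
    """Distinct addresses an allowlist opens, counting overlapping blocks once."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def check_resolutions(resolved: Dict[str, List[str]],
                      allowed: Iterable[str]) -> Dict[str, List[Tuple[str, bool]]]:
    """Flag every resolved address that falls outside the egress allowlist.

    An address outside the list means either the vendor moved to a block you
    did not open (agents silently stop reporting) or the resolution your hosts
    trust has drifted; both deserve a ticket rather than lost data.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed]
    report: Dict[str, List[Tuple[str, bool]]] = {}
    for host, ips in resolved.items():
        report[host] = [
            (ip, any(ipaddress.ip_address(ip) in n for n in nets)) for ip in ips
        ]
    return report


def blocked_endpoints(report: Dict[str, List[Tuple[str, bool]]]) -> List[str]:
    """Endpoints with at least one resolved address the egress rules would drop."""
    return sorted(h for h, pairs in report.items() if not all(ok for _, ok in pairs))


# Constructed sample: resolver answers for two hypothetical agent endpoints;
# the second has one address outside the allowlist.
SAMPLE_RESOLUTIONS = {
    "collector.example.invalid": ["50.31.164.10", "50.31.164.11"],
    "collector-2.example.invalid": ["198.51.100.7", "192.0.2.99"],
}

if __name__ == "__main__":
    print("addresses opened by allowlist:", address_count(ALLOWED_EGRESS))
    rep = check_resolutions(SAMPLE_RESOLUTIONS, ALLOWED_EGRESS)
    for host in blocked_endpoints(rep):
        print("WARN", host, "resolves outside allowed egress blocks:", rep[host])
```

Run it from a scheduled job on a host that uses the same resolvers as the agents, so a vendor netblock change or a resolution anomaly is noticed before the reporting gap is.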


#3

Hi again @owingsbj - just wanted to point out that we have updated our networks doc. As you can see here:

https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/networks,

…we are now clearer about what we use now, and what we might use in the future.