System Architecture | Ports

Ports and Hostnames to whitelist

The Datadog Mule® Integration must have internet connection on port 443 for outbound connections at least.

In enterprises, it’s very common that all networks are behind a firewall to protect access. In many other cases, reverse proxies are used to protect outbound communications to restricted websites. Customers must configure rules in the firewall and proxies to ensure the communication to all IO Connect Services, Anypoint and Datadog.

IO Connect Services Networking Requirements

The Datadog Mule® Integration does a license check via SSL and hence it requires outbound access to:

https://api.ioconnectservices.com/

Port: 443

This is an outbound communication only and it’s initiated by the Datadog agent running on-premise.

MuleSoft Anypoint Networking Requirements

Communication from Mule servers, installed on-prem, must allow inbound and outbound connections to the following DNS names via port 443 (HTTPS) and 9999 (configurable websocket).

Here is a full list of the FQDNs that need to be whitelisted. Pick the ones corresponding to the region to which you MuleSoft organization belongs to.

• anypoint.mulesoft.com
• eu1.anypoint.mulesoft.com
• mule-manager.anypoint.mulesoft.com
• mule-manager.eu1.anypoint.mulesoft.com
• runtime-manager.anypoint.mulesoft.com
• runtime-manager.eu1.anypoint.mulesoft.com
• arm-auth-proxy.prod.cloudhub.io
• arm-auth-proxy.prod-eu.msap.io
• data-authenticator.anypoint.mulesoft.com
• data-authenticator.eu1.anypoint.mulesoft.com
• analytics-ingest.anypoint.mulesoft.com
• analytics-ingest.eu1.anypoint.mulesoft.com
• exchange2-asset-manager-kprod.s3.amazonaws.com
• exchange2-asset-manager-kprod-eu.s3.eu-central-1.amazonaws.com

Learn more about the MuleSoft Anypoint networking requisites in https://docs.mulesoft.com/runtime-manager/rtm-agent-whitelists

Datadog Networking Requirements

Communication from Datadog agent, installed on-prem, must allow outbound connections to *.datadoghq.com via port 443 (HTTPS). Other ports might be used for specific use cases.

The FQDNs that need to be whitelisted are:

• trace.agent.datadoghq.com: APM
• process.datadoghq.com: Live containers
• *.agent.datadoghq.com: Log collection
• api.datadoghq.com: Non-critical functions such as checking API Key validity

Modern firewalls can whitelist request based on OSI's layer 7.

Also, you can find these requisites in Datadog site, they are well documented. https://docs.datadoghq.com/agent/guide/network/?tab=agentv6v7

To know the full list of IP ranges that Datadog uses, see the following sites.

• https://ip-ranges.datadoghq.com/
• https://ip-ranges.datadoghq.eu/

In Datadog, all communication is outbound, meaning the agent sends data to Datadog and Datadog never requests to client servers.

All communication is done through these ports:

• 443/TCP: port for most Agent data. (Metrics, APM, Live Processes/Containers)
• 123/UDP: Network time protocol (NTP)
• 10516/TCP: port for the Log collection over TCP for Datadog US region, 443/tcp for the Datadog EU region.
• 10255/TCP: port for the Kubernetes http kubelet
• 10250/TCP: port for the Kubernetes https kubelet

The only inbound communication needed is to send data to agents within the same network, like it's the case of APM configured in a Mule application using the Datadog APM Connector to trace processes.

• 5000/TCP: port for the go_expvar server
• 5001/TCP: port on which the IPC api listens
• 5002/TCP: port for the Agent browser GUI to be served
• 8125/UDP: dogstatsd
• 8126/TCP: port for the APM Receiver