FedRAMP-compliant endpoints | New Relic Documentation

This document provides information on FedRAMP-compliant endpoints in New Relic. For more information about our security accreditation for the Federal Risk and Authorization Management Program (FedRAMP), see our data encryption documentation. For further information on New Relic networks, domains, and ports see our networking documentation.

Important

If a service's endpoint is not listed in this document and the service is not found in our list of services not in scope, then the service's standard endpoint already meets FedRAMP compliance requirements as-is, without the need for a distinct FedRAMP endpoint.

Customer FedRAMP obligations

New Relic customers must meet all of the following requirements for New Relic’s FedRAMP environment:

New Relic-approved customers: New Relic’s FedRAMP-Moderate authorized environment is only available to New Relic-approved customers. For more information, contact your New Relic account representative.
Order form: Customer’s order form with New Relic must include customer’s eligibility for FedRAMP.
Subscription level: Customer must have a current and valid subscription to our Enterprise edition or a New Relic-approved subscription.
Authorized New Relic endpoints: Customer must send its data only to New Relic’s FedRAMP-designated endpoints.
Authorized services and features: Customer must use only FedRAMP audited and authorized New Relic services and features (see below).

Overview of data sources

There are multiple ways to get data into New Relic. This doc has two sections:

Agent settings: for our APM agents, infrastructure agent, browser agent, and mobile agent.
Data-ingest APIs: for our Metric API, Event API, Trace API, and Log API, and the integrations that use those APIs.

Agents

New Relic has several agents for reporting data, like our APM agents, infrastructure agents, mobile agents, and browser agent. Setting these agents to send FedRAMP-compliant data involves setting a configuration setting to use the relevant FedRAMP endpoint.

APM agents

To ensure FedRAMP compliance, all APM agent configurations must report to gov-collector.newrelic.com rather than the default. Depending on the agent, you can either use code-based configuration or an environment variable. Here are details on enabling this:

Language	Code or environment variable
C SDK	In code: `strcpy(_newrelic_app_config_t->redirect_collector, "gov-collector.newrelic.com");` Environment variable: none
Go	In code: `app, err = newrelic.NewApplication( newrelic.ConfigAppName("App Name"), newrelic.ConfigLicense(os.Getenv("NEW_RELIC_LICENSE_KEY")), func(cfg *newrelic.Config) { cfg.Host = "gov-collector.newrelic.com" }, )` Environment variable: `NEW_RELIC_HOST`
Java	In `newrelic.yml`: `common: &default_settings host: gov-collector.newrelic.com` Or set a system property of: `newrelic.config.host` Environment variable: `NEW_RELIC_HOST`
.NET	In your XML config next to the license key: `<service licenseKey="YOUR_LICENSE_KEY" host="gov-collector.newrelic.com"/>` Environment variable: `NEW_RELIC_HOST`
Node.js	In `newrelic.js`: `host: 'gov-collector.newrelic.com'` Environment variable: `NEW_RELIC_HOST`
PHP	In `newrelic.ini`: `newrelic.daemon.collector_host = gov-collector.newrelic.com` Environment variable: none
Python	In `newrelic.ini`: `[newrelic] host = gov-collector.newrelic.com` Environment variable: `NEW_RELIC_HOST`
Ruby	In `newrelic.yml`: `common: &default_settings host: gov-collector.newrelic.com` Environment variable: `NEW_RELIC_HOST`
Elixir (open source agent)	In `config.exs`: `config :new_relic_agent, host: "gov-collector.newrelic.com"` Environment variable: `NEW_RELIC_HOST`

For more on configuring APM agents, see APM configuration.

Mobile monitoring agents

To ensure FedRAMP compliance when using our mobile monitoring agents, all agent configurations must report to gov-mobile-collector.newrelic.com rather than the default. You must use code-based configuration. Environment variables are not available.

Framework-specific configurations:

Agent	Code or environment variable
Android	In code: `NewRelic.withApplicationToken({APP_TOKEN}) .usingCollectorAddress("gov-mobile-collector.newrelic.com") .usingCrashCollectorAddress("gov-mobile-crash.newrelic.com") .start(this.getApplication());` Environment variable: none
iOS	In code: `[NewRelic startWithApplicationToken:@"{APP_TOKEN}" andCollectorAddress:@"gov-mobile-collector.newrelic.com" andCrashCollectorAddress:@"gov-mobile-crash.newrelic.com"];` Environment variable: none

Agent

Code or environment variable

Android

In code:

NewRelic.withApplicationToken({APP_TOKEN})
    .usingCollectorAddress("gov-mobile-collector.newrelic.com")
    .usingCrashCollectorAddress("gov-mobile-crash.newrelic.com")
    .start(this.getApplication());

Environment variable: none

iOS

In code:

[NewRelic startWithApplicationToken:@"{APP_TOKEN}"
    andCollectorAddress:@"gov-mobile-collector.newrelic.com"
    andCrashCollectorAddress:@"gov-mobile-crash.newrelic.com"];

Environment variable: none

Infrastructure monitoring

If you have infrastructure agent version 1.15.0 or higher, simply enable the FedRAMP configuration option. This enables FedRAMP compliancy for data reported by the infrastructure agent, and for any on-host integrations that work with the infrastructure agent to report data.

Important

The AWS CloudWatch Metric Streams integration is not currently FedRAMP compliant.

If you have an older agent version, use the following values to edit your YAML configuration:

If you have an infrastructure agent version below 1.15.0, you must change three of the endpoints used for reporting. To set these endpoints, you can change your YAML configuration or use environment variables.

YAML config field	Endpoint URL
`collector_url`	`https://gov-infra-api.newrelic.com`
`identity_url`	`https://gov-identity-api.newrelic.com`
`command_channel_url`	`https://gov-infrastructure-command-api.newrelic.com`

To edit environment variables, use these values:

Environment variable	Endpoint URL
`NRIA_COLLECTOR_URL`	`https://gov-infra-api.newrelic.com`
`NRIA_IDENTITY_URL`	`https://gov-identity-api.newrelic.com`
`NRIA_COMMAND_CHANNEL_URL`	`https://gov-infrastructure-command-api.newrelic.com`

Browser agent

Browser agents will automatically update your account information to use the correct endpoints.

Data-ingest APIs

Below are details about the FedRAMP endpoint for our ingest APIs: Metric API, the Event API, the Log API, and the Trace API.

OTLP API

To ensure FedRAMP compliance when using the OTLP API, instead of sending to the US OTLP API endpoint of https://otlp.nr-data.net:4317, send data to https://gov-otlp.nr-data.net:4317. If your client does not support gRPC, you may use port 4318 for OTLP/HTTP instead. Port 443 may also be used for either transport, if necessary.

Metric API

To ensure FedRAMP compliance when using the Metric API, instead of sending metric data to the default Metric API endpoint of https://metric-api.newrelic.com/metric/v1, it must be sent to https://gov-metric-api.newrelic.com/metric/v1.

The Metric API can be used directly but it's mainly used by various New Relic tools. Below are instructions showing where to edit the configuration for setting the FedRAMP endpoint.

Telemetry integrations

Here are instructions for our open source telemetry integrations that report metric data:

Dropwizard: use the overrideUri configuration.
Kamon: use the metric-ingest-url configuration. See Override endpoints.
Micrometer: override the public String uri() method on your NewRelicRegistryConfig to return the new endpoint. See an example.
Prometheus:
- Prometheus OpenMetrics: if you are using our nri-prometheus helm chart, you can change the endpoint in your values.yml file, like in this example. If you're using the nri-bundle chart, you need to nest this value under the nri-prometheus key to propagate it to the sub-chart.

Caution

The Prometheus remote write integration is not available for use with the https://gov-metric-api.newrelic.com/metric/v1 endpoint at this time and attempted requests will result in an HTTP 501 Not Implemented status code. Consider using the Prometheus OpenMetrics integration instead.

Telemetry SDKs

Here are instructions for our Telemetry SDKs that report metric data:

Go: use the MetricsURLOverride configuration.
Java: in the MetricBatchSender section, configure the endpoint. See an example.
.NET: use the MetricUrlOverride configuration.
Node.js: edit the METRIC_HOST = 'metric-api.newrelic.com' configuration.
Python: edit the HOST = "metric-api.newrelic.com" configuration.

Event API

To ensure FedRAMP compliance for the Event API, all traffic reporting to insights-collector.newrelic.com must instead report to gov-insights-collector.newrelic.com.

The Event API endpoint is configurable for the following Telemetry SDKs. The Telemetry SDKs are used by our open-source telemetry integrations.

Language	Solution
Java Telemetry SDK	In code: `SenderConfiguration configuration = SenderConfiguration .builder( "gov-insights-collector.newrelic.com", EventBatchSender.EVENTS_PATH) .build(); EventBatchSender eventBatchSender = EventBatchSender.create(configuration);`
Python Telemetry SDK	In code: `event_client = EventClient(host="gov-insights-collector.newrelic.com")` For more information, see our Telemetry API documentation in GitHub.

Language

Solution

Java Telemetry SDK

In code:

SenderConfiguration configuration = SenderConfiguration
  .builder(
    "gov-insights-collector.newrelic.com",
    EventBatchSender.EVENTS_PATH)
  .build();

EventBatchSender eventBatchSender = EventBatchSender.create(configuration);

Python Telemetry SDK

In code:

event_client = EventClient(host="gov-insights-collector.newrelic.com")

For more information, see our Telemetry API documentation in GitHub.

Log API

To ensure FedRAMP compliance for data sent via the Log API, the solution for almost all our logging tools is to replace the https://log-api.newrelic.com/log/v1 endpoint with https://gov-log-api.newrelic.com/log/v1. Here are details for various tools:

Log forwarders

Here are details on changing the endpoint for our log forwarders:

AWS Firelens: Add the endpoint property to the options field of the logConfiguration, similar to to the EU account endpoint change shown in these Firelens endpoint configuration instructions.
Fluentbit: Use our Fluentbit endpoint configuration.
Fluentd: Use our Fluentd endpoint instructions.
Infrastructure agent: See FedRAMP for infrastructure.
Kubernetes: Our Kubernetes integration logs are based on fluentbit’s output plugin. Use these endpoint instructions.
Logstash: Use our Logstash endpoint configuration.
Syslog: For configuring syslog clients, see TCP endpoint configuration.
S3: Not available.
Vector: Not available.

To use the Log API directly, you'd edit the Log API endpoint configuration.

Trace API

To ensure FedRAMP compliance for data sent via the Trace API (including telemetry integrations that use this API), replace the https://trace-api.newrelic.com/trace/v1 endpoint with https://gov-trace-api.newrelic.com/trace/v1.

Notes about FedRAMP compliance for other trace data:

Trace data is reported by some of our agents, like our APM agents, browser agent, and mobile agent. To enable FedRAMP compliance for that data, you would enable FedRAMP for the applicable agent.
To enable FedRAMP compliance for Infinite Tracing, you would create a new FedRAMP compliant trace observer from the New Relic Edge app.