Outbound network access requirements for Instana SaaS deployments

Before you deploy Instana SaaS, set the firewall and proxy properly to allow the outbound network access.

Configuring firewall settings

If you use a public network to access the global instance of Container Registry by using the domain icr.io, you must add the following domains to your firewall rules:

  • dd0.icr.io
  • dd2.icr.io
  • dd4.icr.io
  • dd6.icr.io

If you are located in China, you must also allow the following domains:

  • dd1-icr.ibm-zh.com
  • dd3-icr.ibm-zh.com
  • dd5-icr.ibm-zh.com
  • dd7-icr.ibm-zh.com

Instana agent and sensor repositories

  • Access the following repository to download static host agents and dynamic host agents:

    Repository: https://containers.instana.io

    • Port: 443
    • Protocol: HTTPS
    • Authentication: no

  • Access the following repository to download agent images from the IBM Cloud Container Registry (ICR):

    Repository: https://icr.io/instana

    • Port: 443
    • Protocol: HTTPS
    • Authentication: no

  • Access the following repository to use the packages installation method to install the host agent:

    Repository: https://packages.instana.io/

    • Port: 443
    • Protocol: HTTPS
    • Authentication: no

  • Access the following repository to use the one-liner installation procedure to install the host agent:

    Repository: https://setup.instana.io/

    • Port: 443
    • Protocol: HTTPS
    • Authentication: no

  • New sensors, updates to existing sensors, and agent updates are pulled daily from the following repository if dynamic agents are installed:

    Repository: http://artifact-public.instana.io/

    • Port: 443
    • Protocol: HTTPS
    • Authentication: yes

  • Access the following repository to store Synthetic PoP Helm packages, autotrace-webhook, and agent Helm packages:

    Repository: https://agents.instana.io/helm

    • Port: 443
    • Protocol: HTTPS
    • Authentication: yes

Other network access requirements

Requirement Regions
Blue(AWS EU), Red(AWS US)
Green(GCP EU), Orange(GCP US), Coral(GCP US)
 Teal(AWS APAC), Mizu(AWS APAC))
To access the URL of the Instana SaaS instance UI URL: https://[unit]-[tenant].instana.io
Port: 443
Protocol: HTTPS
Authentication: no
To access the URL of the APM endpoint URL: https://ingress-[Region]-saas.instana.io
Port: 443
Protocol: HTTPS
Authentication: no
To access the URL of the End-user monitoring (EUM) endpoint URL: https://eum-[Region]-saas.instana.io/
Port: 443
Protocol: HTTPS
Authentication: no
 URL: https://[Region].instana.io/eum/
Port: 443
Protocol: HTTPS
Authentication: no
To access the URL of the Synthetic endpoint URL: https://synthetics-[Region]-saas.instana.io/
Port: 443
Protocol: HTTPS
Authentication: no
 URL: https://[Region].instana.io/synthetics/
Port: 443
Protocol: HTTPS
Authentication: no
To access the URL of the Serverless endpoint URL: https://serverless-[Region]-saas.instana.io
Port: 443
Protocol: HTTPS
Authentication: no
 URL: https://[Region].instana.io/serverless/
Port: 443
Protocol: HTTPS
Authentication: no
To access the URL of the OpenTelemetry Protocol (OTLP) endpoint URL: https://otlp-[Region]-saas.instana.io
Port: 443
Protocol: HTTPS
Authentication: no
 URL (HTTP): https://otlp-http-[Region]-saas.instana.io
URL (GRPC): https://otlp-grpc-[Region]-saas.instana.io
Port: 443
Protocol: HTTPS
Authentication: no
Product user analytics and guidance is optional and you can disable it. URL: https://cdn.walkme.com
To download the Instana website monitoring agent eum.min.js URL: https://eum.instana.io