Insight Agent requirements - network traffic and connectivity
In order for the Insight Agent to successfully transmit data between the asset on which it is installed and the Insight Platform, your network must allow communication with a variety of endpoints through specific network ports based on the Rapid7 data storage region to which your organization is subscribed. Additionally, your network must allow agent-related data in transit to reach the Insight Platform without undergoing decryption or any other process that modifies the data from the format Rapid7 services are expecting.
This article covers all network traffic and connectivity requirements you need to be aware of, along with other common network scenarios that could impact the functionality of your agent deployment.
Insight Agent data must be excluded from SSL decryption
If your network decrypts traffic in transit to perform deep packet inspection (DPI) using a transparent proxy, Insight Agent-related data must be excluded from this process.
The Insight Platform will only accept data transmitted by an Insight Agent if the data is accompanied by the X.509 certificate that the Insight Platform is expecting. DPI technologies often replace this certificate with their own as a final step before allowing traffic to continue to its destination. Without the original certificate, the Insight Platform will not accept the data.
Network traffic allowance requirements by region
The assets on which the Insight Agent is installed (or the proxy you configure to receive all agent-related traffic) must be able to communicate with several Insight Platform endpoints for the agent to function properly and power your Insight products. Consult the following data region tables for a breakdown of which endpoints must be reachable.
If you deploy a network traffic filtering solution that supports wildcards, each table indicates an optional wildcard endpoint that can accommodate multiple endpoint traffic allowances if you want to simplify your configuration.
Support for alternative static IP addresses
Most, but not all, endpoints documented in these sections support static IP address alternatives. You can configure traffic rules for these IP addresses (if indicated) instead of doing so for the endpoint if you prefer.
Rapid7 does not plan on changing these IP addresses in the near future. If changes are required, we'll update this document and communicate the details on the Insight Agent release notes page.
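The following is an added example, not Rapid7 code: it parses rows in the format of the region tables on this page (including the `" "` "same as above" cells) and checks whether a destination seen in a firewall or proxy log is covered by an exact endpoint, an optional wildcard, or a static IP address or range on port 443. The function names `parse_table` and `allowed` are hypothetical, and the embedded rows are a subset of the United States - 1 table.

```python
import fnmatch
import ipaddress

# Rows copied from the "United States - 1" table on this page (subset).
TABLE = '''\
*endpoint.ingress.rapid7.com | endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
" " | us.main.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 193.149.136.0/24 |
*.insight.rapid7.com | data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
" " | us.data.insight.rapid7.com | " " | None |
'''
DITTO = '" "'  # the table's "same as the row above" marker


def parse_table(text):
    """Parse table rows into dicts, filling ditto cells from the row above."""
    rows, prev = [], None
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) != 4 or cells[1] in ("Endpoint", "---"):
            continue  # skip blanks, the header and the separator row
        if prev:
            cells = [p if c == DITTO else c for c, p in zip(cells, prev)]
        prev = cells
        wildcard, endpoint, description, ips = cells
        nets = [] if ips == "None" else [ipaddress.ip_network(i) for i in ips.split()]
        rows.append({"wildcard": wildcard, "endpoint": endpoint,
                     "description": description, "networks": nets})
    return rows


def allowed(rows, dest, port, use_wildcards=False):
    """True if dest (hostname or IP literal) on port is covered by the table."""
    if port != 443:  # every region table requires port 443
        return False
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # not an IP literal, treat as a hostname
    host = dest.lower().rstrip(".")
    for row in rows:
        if addr is not None:
            if any(addr in net for net in row["networks"]):
                return True
        elif host == row["endpoint"]:
            return True
        elif use_wildcards and fnmatch.fnmatchcase(host, row["wildcard"]):
            return True
    return False
```

Leave `use_wildcards` off to audit against the exact endpoint list; turn it on only if your filtering solution is configured with the optional wildcard entries.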
United States - 1
All endpoints listed here must be reachable through port 443.
Optional wildcard | Endpoint | Description | Supported static IP addresses |
---|---|---|---|
*endpoint.ingress.rapid7.com | endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
" " | us.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
" " | us.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
" " | us.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
" " | us.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
" " | us.main.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 193.149.136.0/24 |
" " | us.storage.main.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 193.149.136.0/24 |
" " | us.api.main.endpoint.ingress.rapid7.com | Insight Agent file uploads and beacons. | 193.149.136.0/24 |
*.insight.rapid7.com | data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
" " | us.data.insight.rapid7.com | " " | None |
" " | us.data.logs.insight.rapid7.com | Logs to InsightOps. | None |
United States - 2
All endpoints listed here must be reachable through port 443.
Optional wildcard | Endpoint | Description | Supported static IP addresses |
---|---|---|---|
*.endpoint.ingress.rapid7.com | us2.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 13.58.19.32 3.131.127.126 3.139.243.230 |
" " | us2.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 13.58.19.32 3.131.127.126 3.139.243.230 |
" " | us2.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 13.58.19.32 3.131.127.126 3.139.243.230 |
" " | us2.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 13.58.19.32 3.131.127.126 3.139.243.230 |
" " | us2.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 13.58.19.32 3.131.127.126 3.139.243.230 |
*.insight.rapid7.com | us2.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
" " | us2.data.logs.insight.rapid7.com | Logs to InsightOps. | None |
United States - 3
All endpoints listed here must be reachable through port 443.
Optional wildcard | Endpoint | Description | Supported static IP addresses |
---|---|---|---|
*.endpoint.ingress.rapid7.com | us3.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 44.242.59.199 52.41.171.59 54.213.168.123 |
" " | us3.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 44.242.59.199 52.41.171.59 54.213.168.123 |
" " | us3.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 44.242.59.199 52.41.171.59 54.213.168.123 |
" " | us3.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 44.242.59.199 52.41.171.59 54.213.168.123 |
" " | us3.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 44.242.59.199 52.41.171.59 54.213.168.123 |
*.insight.rapid7.com | us3.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
" " | us3.data.logs.insight.rapid7.com | Logs to InsightOps. | None |
Europe
All endpoints listed here must be reachable through port 443.
Optional wildcard | Endpoint | Description | Supported static IP addresses |
---|---|---|---|
*.endpoint.ingress.rapid7.com | eu.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 3.120.196.152 3.120.221.108 18.192.78.218 |
" " | eu.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 3.120.196.152 3.120.221.108 18.192.78.218 |
" " | eu.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 3.120.196.152 3.120.221.108 18.192.78.218 |
" " | eu.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 3.120.196.152 3.120.221.108 18.192.78.218 |
" " | eu.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 3.120.196.152 3.120.221.108 18.192.78.218 |
*.insight.rapid7.com | eu.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
" " | eu.data.logs.insight.rapid7.com | Logs to InsightOps. | None |
Canada
All endpoints listed here must be reachable through port 443.
Optional wildcard | Endpoint | Description | Supported static IP addresses |
---|---|---|---|
*.endpoint.ingress.rapid7.com | ca.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 52.60.40.157 52.60.107.153 |
" " | ca.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 52.60.40.157 52.60.107.153 |
" " | ca.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 52.60.40.157 52.60.107.153 |
" " | ca.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 52.60.40.157 52.60.107.153 |
" " | ca.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 52.60.40.157 52.60.107.153 |
*.insight.rapid7.com | ca.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
" " | ca.data.logs.insight.rapid7.com | Logs to InsightOps. | None |
Japan
All endpoints listed here must be reachable through port 443.
Optional wildcard | Endpoint | Description | Supported static IP addresses |
---|---|---|---|
*.endpoint.ingress.rapid7.com | ap.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 103.4.8.209 18.182.167.99 |
" " | ap.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 103.4.8.209 18.182.167.99 |
" " | ap.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 103.4.8.209 18.182.167.99 |
" " | ap.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 103.4.8.209 18.182.167.99 |
" " | ap.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 103.4.8.209 18.182.167.99 |
*.insight.rapid7.com | ap.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
" " | ap.data.logs.insight.rapid7.com | Logs to InsightOps. | None |
Australia
All endpoints listed here must be reachable through port 443.
Optional wildcard | Endpoint | Description | Supported static IP addresses |
---|---|---|---|
*.endpoint.ingress.rapid7.com | au.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 52.64.24.140 13.55.81.47 13.236.168.124 |
" " | au.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 52.64.24.140 13.55.81.47 13.236.168.124 |
" " | au.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 52.64.24.140 13.55.81.47 13.236.168.124 |
" " | au.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 52.64.24.140 13.55.81.47 13.236.168.124 |
" " | au.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 52.64.24.140 13.55.81.47 13.236.168.124 |
*.insight.rapid7.com | au.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
" " | au.data.logs.insight.rapid7.com | Logs to InsightOps. | None |
Reserved CDN IP Addresses
The Insight Agent can download updates and content from a Content Delivery Network (CDN) if allowed by your network. A CDN's specialized infrastructure offers faster downloads than the Insight Platform endpoints. If the Insight Agent cannot reach the CDN for any reason, it will instead use the regional endpoints documented in the region requirements section.
The following IP addresses (all endpoints must be reachable through port 443) are reserved for Rapid7's content delivery and are not region-dependent:
Port requirements for assets when using Rapid7 Collectors as proxies
If you use the Rapid7 Collector as a proxy destination for Insight Agent traffic, your assets must also be allowed to communicate with your Collector host through these ports:
- 5508 - Used for agent messages and beacons.
- 6608 - Used for agent update requests and file uploads for collection.
- 8037 - Used for agent messages and beacons.