Rapid7 Agent (Insight Agent) requirements - network traffic and connectivity
In order for the Rapid7 Agent (Insight Agent) to successfully transmit data between the asset on which it is installed and the Command Platform (Insight Platform), your network must allow communication with a variety of endpoints through specific network ports based on the Rapid7 data storage region to which your organization is subscribed. Additionally, your network must allow agent-related data in transit to reach the Command Platform (Insight Platform) without undergoing decryption or any other process that modifies the data from the format Rapid7 services are expecting.
This article covers all network traffic and connectivity requirements you need to be aware of, along with other common network scenarios that could impact the functionality of your agent deployment.
Rapid7 Agent (Insight Agent) data must be excluded from SSL decryption
If your network decrypts traffic in transit to perform deep packet inspection (DPI) using a transparent proxy, Rapid7 Agent (Insight Agent)-related data must be excluded from this process.
The Command Platform (Insight Platform) will only accept data transmitted by an Rapid7 Agent (Insight Agent) if the data is accompanied by the X.509 certificate that the Command Platform (Insight Platform) is expecting. DPI technologies often replace this certificate with their own as a final step before allowing traffic to continue to its destination. Without the original certificate, the Command Platform (Insight Platform) will not accept the data.
Network traffic allowance requirements by region
The assets on which the Rapid7 Agent (Insight Agent) is installed (or the proxy you configure to receive all agent-related traffic) must be able to communicate with several Command Platform (Insight Platform) endpoints for the agent to function properly and power your Rapid7 products. Consult the following data region tables for a breakdown on what endpoints need to be reachable.
If you deploy a network traffic filtering solution that supports wildcards, each table indicates an optional wildcard endpoint that can accommodate multiple endpoint traffic allowances if you want to simplify your configuration.
Support for alternative static IP addresses
Most, but not all, endpoints documented in these sections support static IP address alternatives. You can configure traffic rules for these IP addresses (if indicated) instead of doing so for the endpoint if you prefer.
Rapid7 does not plan on changing these IP addresses in the near future. If changes are required, we’ll update this document and communicate the details on the Command Platform Release Notes site.
United States - 1
All endpoints listed here must be reachable through port 443.
| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *endpoint.ingress.rapid7.com | endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
| ” “ | us.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
| ” “ | us.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
| ” “ | us.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
| ” “ | us.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 34.226.68.35 54.144.111.231 52.203.25.223 34.236.161.191 |
| ” “ | us.main.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 193.149.136.0/24 |
| ” “ | us.storage.main.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 193.149.136.0/24 |
| ” “ | us.api.main.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads and beacons. | 193.149.136.0/24 |
| *.insight.rapid7.com | data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| ” “ | us.data.insight.rapid7.com | ” “ | None |
| ” “ | us.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |
United States - 2
All endpoints listed here must be reachable through port 443.
| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | us2.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 13.58.19.32 3.131.127.126 3.139.243.230 |
| ” “ | us2.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 13.58.19.32 3.131.127.126 3.139.243.230 |
| ” “ | us2.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 13.58.19.32 3.131.127.126 3.139.243.230 |
| ” “ | us2.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 13.58.19.32 3.131.127.126 3.139.243.230 |
| ” “ | us2.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 13.58.19.32 3.131.127.126 3.139.243.230 |
| *.insight.rapid7.com | us2.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| ” “ | us2.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |
United States - 3
All endpoints listed here must be reachable through port 443.
| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | us3.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 44.242.59.199 52.41.171.59 54.213.168.123 |
| ” “ | us3.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 44.242.59.199 52.41.171.59 54.213.168.123 |
| ” “ | us3.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 44.242.59.199 52.41.171.59 54.213.168.123 |
| ” “ | us3.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 44.242.59.199 52.41.171.59 54.213.168.123 |
| ” “ | us3.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 44.242.59.199 52.41.171.59 54.213.168.123 |
| *.insight.rapid7.com | us3.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| ” “ | us3.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |
Europe
All endpoints listed here must be reachable through port 443.
| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | eu.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 3.120.196.152 3.120.221.108 18.192.78.218 |
| ” “ | eu.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 3.120.196.152 3.120.221.108 18.192.78.218 |
| ” “ | eu.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 3.120.196.152 3.120.221.108 18.192.78.218 |
| ” “ | eu.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 3.120.196.152 3.120.221.108 18.192.78.218 |
| ” “ | eu.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 3.120.196.152 3.120.221.108 18.192.78.218 |
| *.insight.rapid7.com | eu.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| ” “ | eu.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |
Canada
All endpoints listed here must be reachable through port 443.
| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | ca.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 52.60.40.157 52.60.107.153 |
| ” “ | ca.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 52.60.40.157 52.60.107.153 |
| ” “ | ca.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 52.60.40.157 52.60.107.153 |
| ” “ | ca.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 52.60.40.157 52.60.107.153 |
| ” “ | ca.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 52.60.40.157 52.60.107.153 |
| *.insight.rapid7.com | ca.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| ” “ | ca.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |
Japan
All endpoints listed here must be reachable through port 443.
| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | ap.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 103.4.8.209 18.182.167.99 |
| ” “ | ap.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 103.4.8.209 18.182.167.99 |
| ” “ | ap.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 103.4.8.209 18.182.167.99 |
| ” “ | ap.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 103.4.8.209 18.182.167.99 |
| ” “ | ap.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 103.4.8.209 18.182.167.99 |
| *.insight.rapid7.com | ap.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| ” “ | ap.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |
Australia
All endpoints listed here must be reachable through port 443.
| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | au.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 52.64.24.140 13.55.81.47 13.236.168.124 |
| ” “ | au.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 52.64.24.140 13.55.81.47 13.236.168.124 |
| ” “ | au.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 52.64.24.140 13.55.81.47 13.236.168.124 |
| ” “ | au.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 52.64.24.140 13.55.81.47 13.236.168.124 |
| ” “ | au.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 52.64.24.140 13.55.81.47 13.236.168.124 |
| *.insight.rapid7.com | au.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| ” “ | au.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |
Reserved CDN IP Addresses
The Rapid7 Agent (Insight Agent) has the ability to download updates and content from a Content Delivery Network (CDN) if allowed by your network. A CDN’s specialized infrastructure offers faster downloads than the Command Platform (Insight Platform) endpoints. If the InsightAgent cannot reach the CDN for any reason, it will instead use the regional endpoints documented in the region requirements section.
The following IP addresses (all endpoints must be reachable through port 443) are reserved for Rapid7’s content delivery and are not region-dependent:
- 3.163.232.9
- 3.163.233.9
- 3.163.234.9
- 3.163.235.9
- 3.163.236.9
- 3.163.237.9
- 3.163.238.9
- 3.163.239.9
- 3.163.240.9
- 3.163.241.9
- 3.163.242.9
- 3.163.243.9
- 3.163.244.9
- 3.163.245.9
- 3.163.246.9
- 3.163.247.9
- 3.163.248.9
- 3.163.249.9
- 3.163.250.9
- 3.163.251.9
- 3.163.252.9
Port requirements for assets when using Rapid7 Collectors as proxies
If you use the Rapid7 Collector as a proxy destination for Rapid7 Agent (Insight Agent) traffic, your assets must also be allowed to communicate with your Collector host through these ports:
- 5508 - Used for agent messages and beacons.
- 6608 - Used for agent update requests and file uploads for collection.
- 8037 - Used for agent messages and beacons.