diff --git a/jobs/loggr-forwarder-agent-windows/monit b/jobs/loggr-forwarder-agent-windows/monit
index 783fd117a..93e2a72f1 100644
--- a/jobs/loggr-forwarder-agent-windows/monit
+++ b/jobs/loggr-forwarder-agent-windows/monit
@@ -17,6 +17,7 @@
     "executable" => "/var/vcap/packages/forwarder-agent-windows/forwarder-agent.exe",
     "args" => [],
     "env" => {
+       "AGENT_HOST" => "#{p("host")}",
        "AGENT_PORT" => "#{p("port")}",
        "AGENT_CA_FILE_PATH" => "#{certs_dir}/loggregator_ca.crt",
        "AGENT_CERT_FILE_PATH" => "#{certs_dir}/forwarder.crt",
diff --git a/jobs/loggr-forwarder-agent-windows/spec b/jobs/loggr-forwarder-agent-windows/spec
index 770270fd1..e85d3adc1 100644
--- a/jobs/loggr-forwarder-agent-windows/spec
+++ b/jobs/loggr-forwarder-agent-windows/spec
@@ -15,6 +15,9 @@ packages:
 - forwarder-agent-windows
 
 properties:
+  host:
+    description: "Host the agent is serving gRPC via mTLS"
+    default: "127.0.0.1"
   port:
     description: "Port the agent is serving gRPC via mTLS"
     default: 3458
diff --git a/jobs/loggr-forwarder-agent/spec b/jobs/loggr-forwarder-agent/spec
index 88c827ff0..fadee9e24 100644
--- a/jobs/loggr-forwarder-agent/spec
+++ b/jobs/loggr-forwarder-agent/spec
@@ -15,6 +15,9 @@ packages:
 - forwarder-agent
 
 properties:
+  host:
+    description: "Host the agent is serving gRPC via mTLS"
+    default: "127.0.0.1"
   port:
     description: "Port the agent is serving gRPC via mTLS"
     default: 3458
diff --git a/jobs/loggr-forwarder-agent/templates/bpm.yml.erb b/jobs/loggr-forwarder-agent/templates/bpm.yml.erb
index 1924ba61a..7e8f502f9 100644
--- a/jobs/loggr-forwarder-agent/templates/bpm.yml.erb
+++ b/jobs/loggr-forwarder-agent/templates/bpm.yml.erb
@@ -21,6 +21,7 @@
       ],
     },
     "env" => {
+      "AGENT_HOST" => "#{p("host")}",
       "AGENT_PORT" => "#{p("port")}",
       "AGENT_CA_FILE_PATH" => "#{certs_dir}/loggregator_ca.crt",
       "AGENT_CERT_FILE_PATH" => "#{certs_dir}/forwarder.crt",
diff --git a/jobs/loggr-syslog-agent-windows/monit b/jobs/loggr-syslog-agent-windows/monit
index 63b1c47cd..588f2e4dc 100644
--- a/jobs/loggr-syslog-agent-windows/monit
+++ b/jobs/loggr-syslog-agent-windows/monit
@@ -32,6 +32,7 @@
       "AGENT_CERT_FILE_PATH" => "#{certs_dir}/syslog_agent.crt",
       "AGENT_KEY_FILE_PATH" => "#{certs_dir}/syslog_agent.key",
       "AGENT_CIPHER_SUITES" => p("tls.cipher_suites").split(":").join(","),
+      "AGENT_HOST" => "#{p("host")}",
       "AGENT_PORT" => "#{p("port")}",
 
       "DRAIN_SKIP_CERT_VERIFY" => "#{p("drain_skip_cert_verify")}",
diff --git a/jobs/loggr-syslog-agent-windows/spec b/jobs/loggr-syslog-agent-windows/spec
index 9187e12a5..0c9ad6a38 100644
--- a/jobs/loggr-syslog-agent-windows/spec
+++ b/jobs/loggr-syslog-agent-windows/spec
@@ -35,6 +35,9 @@ properties:
     description: Whether metadata is included in structured data by default
     default: true
 
+  host:
+    description: "Host the agent is serving gRPC via mTLS"
+    default: "127.0.0.1"
   port:
     description: "Port the agent is serving gRPC via mTLS"
     default: 3458
diff --git a/jobs/loggr-syslog-agent/spec b/jobs/loggr-syslog-agent/spec
index e08139b2c..2cdaf3169 100644
--- a/jobs/loggr-syslog-agent/spec
+++ b/jobs/loggr-syslog-agent/spec
@@ -32,6 +32,9 @@ properties:
   binding_cache_override_url:
     description: URL to use if required to override the default bosh-dns binding cache address
 
+  host:
+    description: "Host the agent is serving gRPC via mTLS"
+    default: "127.0.0.1"
   port:
     description: "Port the agent is serving gRPC via mTLS"
     default: 3458
diff --git a/jobs/loggr-syslog-agent/templates/bpm.yml.erb b/jobs/loggr-syslog-agent/templates/bpm.yml.erb
index e56828fe6..6dcb93d15 100644
--- a/jobs/loggr-syslog-agent/templates/bpm.yml.erb
+++ b/jobs/loggr-syslog-agent/templates/bpm.yml.erb
@@ -23,6 +23,7 @@
       "AGENT_CERT_FILE_PATH" => "#{certs_dir}/syslog_agent.crt",
       "AGENT_KEY_FILE_PATH" => "#{certs_dir}/syslog_agent.key",
       "AGENT_CIPHER_SUITES" => "#{p("tls.cipher_suites").split(":").join(",")}",
+      "AGENT_HOST" => "#{p("host")}",
       "AGENT_PORT" => "#{p("port")}",
       "DRAIN_SKIP_CERT_VERIFY" => "#{p("drain_skip_cert_verify")}",
       "DEFAULT_DRAIN_METADATA" => "#{p("default_drain_metadata")}",
diff --git a/jobs/loggr-udp-forwarder/spec b/jobs/loggr-udp-forwarder/spec
index 9a12aa97e..4c81c28a2 100644
--- a/jobs/loggr-udp-forwarder/spec
+++ b/jobs/loggr-udp-forwarder/spec
@@ -33,6 +33,9 @@ properties:
     description: |
       The gRPC port to forward the converted v2 envelopes to.
     default: 3458
+  host:
+    description: "Host the agent uses to listen for incoming v1 (dropsonde) envelopes via UDP"
+    default: "127.0.0.1"
   udp_port:
     description: |
       The port to listen for incoming v1 (dropsonde) envelopes via UDP.
diff --git a/jobs/loggr-udp-forwarder/templates/bpm.yml.erb b/jobs/loggr-udp-forwarder/templates/bpm.yml.erb
index 73442fe3d..d79a96c63 100644
--- a/jobs/loggr-udp-forwarder/templates/bpm.yml.erb
+++ b/jobs/loggr-udp-forwarder/templates/bpm.yml.erb
@@ -13,6 +13,7 @@
         "LOGGREGATOR_AGENT_CERT_FILE_PATH" => "#{certs_dir}/loggregator_agent.crt",
         "LOGGREGATOR_AGENT_KEY_FILE_PATH" => "#{certs_dir}/loggregator_agent.key",
         "LOGGREGATOR_AGENT_ADDR" => "localhost:#{p('loggregator.ingress_port')}",
+        "AGENT_HOST" => "#{p('host')}",
         "UDP_PORT" => "#{p('udp_port')}",
         "DEPLOYMENT" => "#{deployment}",
         "JOB" => "#{job_name}",
diff --git a/jobs/loggregator_agent/spec b/jobs/loggregator_agent/spec
index f04e3c675..cf0ef45b8 100644
--- a/jobs/loggregator_agent/spec
+++ b/jobs/loggregator_agent/spec
@@ -44,6 +44,9 @@ properties:
   grpc_port:
     description: "Port the agent is listening on to receive gRPC log envelopes"
     default: 3458
+  host:
+    description: "Host the agent is listening on to receive gRPC log envelopes"
+    default: "127.0.0.1"
   zone:
     description: "Availability zone where this agent is running"
     default: ""
diff --git a/jobs/loggregator_agent/templates/bpm.yml.erb b/jobs/loggregator_agent/templates/bpm.yml.erb
index ae66629c6..b7eda883d 100644
--- a/jobs/loggregator_agent/templates/bpm.yml.erb
+++ b/jobs/loggregator_agent/templates/bpm.yml.erb
@@ -44,6 +44,7 @@ has_doppler = false
       "name" => "loggregator_agent",
       "executable" => "/var/vcap/packages/loggregator_agent/loggregator-agent",
       "env" => {
+        "AGENT_HOST" => "#{p("host")}",
         "AGENT_PORT" => "#{p("grpc_port")}",
         "AGENT_CA_FILE" => "#{certs_dir}/loggregator_ca.crt",
         "AGENT_CERT_FILE" => "#{certs_dir}/loggregator_agent.crt",
diff --git a/jobs/loggregator_agent_windows/monit b/jobs/loggregator_agent_windows/monit
index 0bed054f5..3613d5b4a 100644
--- a/jobs/loggregator_agent_windows/monit
+++ b/jobs/loggregator_agent_windows/monit
@@ -44,6 +44,7 @@ end
              "__PIPE_SYSLOG_HOST" => p('syslog_daemon_config.address'),
              "__PIPE_SYSLOG_PORT" => p('syslog_daemon_config.port'),
              "__PIPE_SYSLOG_TRANSPORT" => p('syslog_daemon_config.transport'),
+             "AGENT_HOST" => "#{p("host")}",
              "AGENT_PORT" => "#{p("grpc_port")}",
              "AGENT_CA_FILE" => "#{certs_dir}/loggregator_ca.crt",
              "AGENT_CERT_FILE" => "#{certs_dir}/loggregator_agent.crt",
diff --git a/jobs/loggregator_agent_windows/spec b/jobs/loggregator_agent_windows/spec
index 0815d0b1c..136fb7ada 100644
--- a/jobs/loggregator_agent_windows/spec
+++ b/jobs/loggregator_agent_windows/spec
@@ -66,6 +66,9 @@ properties:
   grpc_port:
     description: "Port the agent is listening on to receive gRPC log envelopes"
     default: 3458
+  host:
+    description: "Host the agent is listening on to receive gRPC log envelopes"
+    default: "127.0.0.1"
   zone:
     description: "Availability zone where this agent is running"
     default: ""
diff --git a/src/cmd/forwarder-agent/app/config.go b/src/cmd/forwarder-agent/app/config.go
index 5fe565de5..022e27bd4 100644
--- a/src/cmd/forwarder-agent/app/config.go
+++ b/src/cmd/forwarder-agent/app/config.go
@@ -11,6 +11,7 @@ import (
 // GRPC stores the configuration for the router as a server using a PORT
 // with mTLS certs and as a client.
 type GRPC struct {
+	Host         string   `env:"AGENT_HOST, report"`
 	Port         uint16   `env:"AGENT_PORT, report"`
 	CAFile       string   `env:"AGENT_CA_FILE_PATH, required, report"`
 	CertFile     string   `env:"AGENT_CERT_FILE_PATH, required, report"`
@@ -40,6 +41,7 @@ type Config struct {
 func LoadConfig() Config {
 	cfg := Config{
 		GRPC: GRPC{
+			Host: "127.0.0.1",
 			Port: 3458,
 		},
 	}
diff --git a/src/cmd/forwarder-agent/app/forwarder_agent.go b/src/cmd/forwarder-agent/app/forwarder_agent.go
index 2f4fc51d9..0cf889b80 100644
--- a/src/cmd/forwarder-agent/app/forwarder_agent.go
+++ b/src/cmd/forwarder-agent/app/forwarder_agent.go
@@ -139,7 +139,7 @@ func (s *ForwarderAgent) Run() {
 	rx := v2.NewReceiver(diode, im, omm)
 
 	s.v2srv = v2.NewServer(
-		fmt.Sprintf("127.0.0.1:%d", s.grpc.Port),
+		fmt.Sprintf("%s:%d", s.grpc.Host, s.grpc.Port),
 		rx,
 		grpc.Creds(serverCreds),
 		grpc.MaxRecvMsgSize(10*1024*1024),
diff --git a/src/cmd/loggregator-agent/app/app_v2.go b/src/cmd/loggregator-agent/app/app_v2.go
index 27a3f9a82..83c47260e 100644
--- a/src/cmd/loggregator-agent/app/app_v2.go
+++ b/src/cmd/loggregator-agent/app/app_v2.go
@@ -130,7 +130,7 @@ func (a *AppV2) Start() {
 	)
 	go tx.Start()
 
-	agentAddress := fmt.Sprintf("127.0.0.1:%d", a.config.GRPC.Port)
+	agentAddress := fmt.Sprintf("%s:%d", a.config.GRPC.Host, a.config.GRPC.Port)
 	log.Printf("agent v2 API started on addr %s", agentAddress)
 
 	var es envelopeSetter
diff --git a/src/cmd/loggregator-agent/app/config.go b/src/cmd/loggregator-agent/app/config.go
index e13e1173e..d961f8827 100644
--- a/src/cmd/loggregator-agent/app/config.go
+++ b/src/cmd/loggregator-agent/app/config.go
@@ -13,6 +13,7 @@ import (
 // GRPC stores the configuration for the router as a server using a PORT
 // with mTLS certs and as a client.
 type GRPC struct {
+	Host         string   `env:"AGENT_HOST"`
 	Port         uint16   `env:"AGENT_PORT"`
 	CAFile       string   `env:"AGENT_CA_FILE"`
 	CertFile     string   `env:"AGENT_CERT_FILE"`
@@ -50,6 +51,7 @@ func LoadConfig() (*Config, error) {
 			Port: 14824,
 		},
 		GRPC: GRPC{
+			Host: "127.0.0.1",
 			Port: 3458,
 		},
 	}
diff --git a/src/cmd/syslog-agent/app/config.go b/src/cmd/syslog-agent/app/config.go
index 47231d3ea..4137d309f 100644
--- a/src/cmd/syslog-agent/app/config.go
+++ b/src/cmd/syslog-agent/app/config.go
@@ -14,6 +14,7 @@ import (
 // GRPC stores the configuration for the router as a server using a PORT
 // with mTLS certs and as a client.
 type GRPC struct {
+	Host         string   `env:"AGENT_HOST,                     report"`
 	Port         int      `env:"AGENT_PORT,                     report"`
 	CAFile       string   `env:"AGENT_CA_FILE_PATH,   required, report"`
 	CertFile     string   `env:"AGENT_CERT_FILE_PATH, required, report"`
@@ -63,6 +64,7 @@ func LoadConfig() Config {
 		},
 		GRPC: GRPC{
 			Port: 3458,
+			Host: "127.0.0.1",
 		},
 		AggregateConnectionRefreshInterval: 1 * time.Minute,
 		DefaultDrainMetadata:               true,
diff --git a/src/cmd/syslog-agent/app/syslog_agent.go b/src/cmd/syslog-agent/app/syslog_agent.go
index 277bbdeb1..2a47e7969 100644
--- a/src/cmd/syslog-agent/app/syslog_agent.go
+++ b/src/cmd/syslog-agent/app/syslog_agent.go
@@ -263,7 +263,7 @@ func (s *SyslogAgent) Run() {
 
 	rx := v2.NewReceiver(diode, im, omm)
 	s.v2Srv = v2.NewServer(
-		fmt.Sprintf("127.0.0.1:%d", s.grpc.Port),
+		fmt.Sprintf("%s:%d", s.grpc.Host, s.grpc.Port),
 		rx,
 		grpc.Creds(serverCreds),
 		grpc.MaxRecvMsgSize(10*1024*1024),
diff --git a/src/cmd/udp-forwarder/app/config.go b/src/cmd/udp-forwarder/app/config.go
index 41bfcf832..87df3592f 100644
--- a/src/cmd/udp-forwarder/app/config.go
+++ b/src/cmd/udp-forwarder/app/config.go
@@ -19,8 +19,9 @@ type GRPC struct {
 
 // Config holds the configuration for the UDP agent
 type Config struct {
-	UseRFC3339           bool `env:"USE_RFC3339"`
-	UDPPort              int  `env:"UDP_PORT, report"`
+	UseRFC3339           bool   `env:"USE_RFC3339"`
+	Host                 string `env:"AGENT_HOST, report"`
+	UDPPort              int    `env:"UDP_PORT, report"`
 	LoggregatorAgentGRPC GRPC
 	Deployment           string `env:"DEPLOYMENT, report"`
 	Job                  string `env:"JOB, report"`
@@ -33,6 +34,7 @@ type Config struct {
 // LoadConfig reads from the environment to create a Config.
 func LoadConfig(log *log.Logger) Config {
 	cfg := Config{
+		Host:    "127.0.0.1",
 		UDPPort: 3457,
 		LoggregatorAgentGRPC: GRPC{
 			Addr: "127.0.0.1:3458",
diff --git a/src/cmd/udp-forwarder/app/udp_forwarder.go b/src/cmd/udp-forwarder/app/udp_forwarder.go
index e07bc3a62..177139d01 100644
--- a/src/cmd/udp-forwarder/app/udp_forwarder.go
+++ b/src/cmd/udp-forwarder/app/udp_forwarder.go
@@ -25,6 +25,7 @@ type Metrics interface {
 
 type UDPForwarder struct {
 	grpc         GRPC
+	host         string
 	udpPort      int
 	pprofServer  *http.Server
 	pprofPort    uint16
@@ -44,6 +45,7 @@ type UDPForwarder struct {
 func NewUDPForwarder(cfg Config, l *log.Logger, m Metrics) *UDPForwarder {
 	return &UDPForwarder{
 		grpc:         cfg.LoggregatorAgentGRPC,
+		host:         cfg.Host,
 		udpPort:      cfg.UDPPort,
 		pprofPort:    cfg.MetricsServer.PprofPort,
 		debugMetrics: cfg.MetricsServer.DebugMetrics,
@@ -97,13 +99,13 @@ func (u *UDPForwarder) Run() {
 	dropsondeUnmarshaller := ingress.NewUnMarshaller(w)
 	u.mu.Lock()
 	u.nr, err = ingress.NewNetworkReader(
-		fmt.Sprintf("127.0.0.1:%d", u.udpPort),
+		fmt.Sprintf("%s:%d", u.host, u.udpPort),
 		dropsondeUnmarshaller,
 		u.metrics,
 	)
 	u.mu.Unlock()
 	if err != nil {
-		u.log.Fatalf("Failed to listen on 127.0.0.1:%d: %s", u.udpPort, err)
+		u.log.Fatalf("Failed to listen on %s:%d: %s", u.host, u.udpPort, err)
 	}
 
 	go u.nr.StartReading()