
NodeZero Host Network Requirements

For NodeZero to deploy and communicate with the SaaS environment it originates from, a few lanes of communication need to be opened. The outbound and inbound endpoints needed to run NodeZero successfully are outlined below.

Using the OVA?

If using the OVA, follow the steps here to Setup and Configure OVA.

Need a Proxy?

If your environment connects to the internet via a proxy, this will affect NodeZero's ability to communicate out. Directions to configure NodeZero for use with a proxy can be found here.

Network access requirements are based on which portal instance generates the test, not on where the NodeZero host is being run. Uninterrupted network access to the following endpoints is required during the entire operation:

US Network (portal.horizon3ai.com)

  • HTTPS - 443/tcp

    api.horizon3ai.com
    cognito-identity.us-east-2.amazonaws.com
    cognito-idp.us-east-2.amazonaws.com
    downloads.horizon3ai.com
    sqs.us-east-2.amazonaws.com
    *.docker.com
    *.docker.io
    *.ecr.us-east-2.amazonaws.com
    *.queue.amazonaws.com
    *.s3.amazonaws.com
    *.s3.us-east-2.amazonaws.com
    *.s3-w.us-east-2.amazonaws.com
    raw.githubusercontent.com
    github.com
    *.ubuntu.com
    *.canonical.com
    
  • HTTP - 80/tcp

    *.interacth3.io
    

EU Network (portal.horizon3ai.eu)

  • HTTPS - 443/tcp

    api.horizon3ai.eu
    cognito-identity.eu-central-1.amazonaws.com
    cognito-idp.eu-central-1.amazonaws.com
    downloads.horizon3ai.com
    sqs.eu-central-1.amazonaws.com
    *.docker.com
    *.docker.io
    *.ecr.eu-central-1.amazonaws.com
    *.queue.amazonaws.com
    *.s3.amazonaws.com
    *.s3.eu-central-1.amazonaws.com
    *.s3-w.eu-central-1.amazonaws.com
    *.execute-api.eu-central-1.amazonaws.com
    *.elb.eu-central-1.amazonaws.com
    *.s3-r-w.eu-central-1.amazonaws.com
    raw.githubusercontent.com
    github.com
    *.ubuntu.com
    *.canonical.com
    
  • HTTP - 80/tcp

    *.interacth3.eu
    

For NodeZero Runner (EU- and US-based)

  • HTTPS - 443/tcp
    api.horizon3ai.com            # For US Portal
    api.horizon3ai.eu             # For EU Portal
    raw.githubusercontent.com
    github.com
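
A pre-flight reachability check for the US and EU outbound lists above, as an added example (not Horizon3.ai code; the function names are illustrative). It assumes direct egress without a proxy and probes only the non-wildcard hostnames; a successful TCP connect shows the port is open, not that TLS traffic passes inspection.

```python
import socket
import sys

# Non-wildcard 443/tcp hostnames copied from the US and EU lists on this page.
# Wildcard entries (*.docker.io, *.s3.amazonaws.com, ...) have no single host
# to probe; review those in the firewall policy. Assumes direct egress, no proxy.
COMMON_443 = ["downloads.horizon3ai.com", "raw.githubusercontent.com", "github.com"]
REGION_443 = {
    "us": ["api.horizon3ai.com",
           "cognito-identity.us-east-2.amazonaws.com",
           "cognito-idp.us-east-2.amazonaws.com",
           "sqs.us-east-2.amazonaws.com"],
    "eu": ["api.horizon3ai.eu",
           "cognito-identity.eu-central-1.amazonaws.com",
           "cognito-idp.eu-central-1.amazonaws.com",
           "sqs.eu-central-1.amazonaws.com"],
}


def endpoints_for(portal_region):
    """Return (host, port) pairs for the portal that generates the test."""
    region = portal_region.lower()
    if region not in REGION_443:
        raise ValueError(f"unknown portal region: {portal_region!r}")
    return [(h, 443) for h in REGION_443[region] + COMMON_443]


def probe(host, port, timeout=5.0):
    """Try a TCP connect; return (ok, detail) without raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:  # name did not resolve
        return False, f"DNS resolution failed: {exc}"
    except OSError as exc:  # timeout, refused, unreachable
        return False, f"connect failed: {exc}"


def preflight(portal_region, prober=probe):
    """Probe every endpoint; return (host, port, detail) for each failure."""
    results = [(h, p, *prober(h, p)) for h, p in endpoints_for(portal_region)]
    return [(h, p, detail) for h, p, ok, detail in results if not ok]


if __name__ == "__main__":
    failed = preflight(sys.argv[1] if len(sys.argv) > 1 else "us")
    for host, port, detail in failed:
        print(f"BLOCKED {host}:{port} ({detail})")
    sys.exit(1 if failed else 0)
```

Run it on the NodeZero host with `us` or `eu` as the argument, matching the portal that generates the test; a non-zero exit status means at least one endpoint was unreachable.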
    

OVA requirements

If using the OVA, additional connections must be opened to support the OS, h3-cli and the n0 utility. Make sure the host is able to communicate with these endpoints.

  • HTTPS - 443/tcp
    *.ubuntu.com
    *.canonical.com
    downloads.horizon3ai.com
    github.com
    

Inbound Network Access

Not applicable to the OVA

The following ports should be opened on the NodeZero host/VM to allow traffic in:

  • TCP 21, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 587, 1433, 3306, 3389, 5900, 5985, 8080, 8443, 8888, 28069, 45000-49999
  • UDP 69

The above network settings are required for the NodeZero Host and not necessarily for the perimeter firewalls.

DO NOT Make Additional Network Changes

It is crucial to not make additional changes to the network environment beyond the day-to-day while running NodeZero. NodeZero represents an attacker and does not require additional paths opened for it to perform an assessment. For example, if your firewall is set to block the marketing VLAN from accessing the finance VLAN, leave it as is. NodeZero will verify that this configuration is in place.

Consolidated Endpoints

This feature is currently only available for paid customers. Please contact your Sales or Customer Success rep to enable it for you.

If you are operating the NodeZero host within a restricted network environment, the consolidated endpoint feature can simplify networking requirements. Instead of opening outbound network traffic to all the AWS services listed above, you will only need to allow traffic for the two static IP addresses associated with these domains:

US-Based

  • Domains

    gateway.horizon3ai.com
    interact.gateway.horizon3ai.com
    api.gateway.horizon3ai.com
    registry.gateway.horizon3ai.com
    
  • IPs

    15.197.206.82
    3.33.191.122
    
  • Port

      HTTPS - 443/TCP
    

EU-Based

  • Domains

    gateway.horizon3ai.eu
    interact.gateway.horizon3ai.eu
    api.gateway.horizon3ai.eu
    registry.gateway.horizon3ai.eu
    
  • IPs

    52.223.20.205
    99.83.187.197
    
  • Ports

      HTTPS - 443/TCP
      HTTP - 80/TCP
      DNS - 53/UDP