Skip to content

NodeZero Host Network Requirements

For NodeZero to deploy and communicate with the SaaS environment from which it comes there needs to be a few lanes of communication opened. Below outlines those outbound and inbound points that are needed to run NodeZero successfully.

Using the OVA?

If using the OVA follow the steps here to Setup and Configure OVA

Need a Proxy?

If your environment connects to the internet via a proxy, this will affect NodeZero's ability to communicate out. Directions to configure NodeZero for use with a proxy can be found here.

Network access requirements are based on what portal instance generates the test, and not where the NodeZero host is being run. Uninterrupted network access is required during the entire operation to the following endpoints:

US Network (portal.horizon3ai.com)

  • HTTPS - 443/tcp 

    api.horizon3ai.com
cognito-identity.us-east-2.amazonaws.com
cognito-idp.us-east-2.amazonaws.com
downloads.horizon3ai.com
sqs.us-east-2.amazonaws.com
*.docker.com
*.docker.io
*.ecr.us-east-2.amazonaws.com
*.queue.amazonaws.com
*.s3.amazonaws.com
*.s3.us-east-2.amazonaws.com
*.s3-w.us-east-2.amazonaws.com
raw.githubusercontent.com
github.com
*.ubuntu.com
downloads.horizon3ai.com

  • HTTP - 80/tcp 

    *.interacth3.io

EU Network (portal.horizon3ai.eu)

  • HTTPS - 443/tcp 

    api.horizon3ai.eu
cognito-identity.eu-central-1.amazonaws.com
cognito-idp.eu-central-1.amazonaws.com
downloads.horizon3ai.com
sqs.eu-central-1.amazonaws.com
*.docker.com
*.docker.io
*.ecr.eu-central-1.amazonaws.com
*.queue.amazonaws.com
*.s3.amazonaws.com
*.s3.eu-central-1.amazonaws.com
*.s3-w.eu-central-1.amazonaws.com
*.execute-api.eu-central-1.amazonaws.com
*.elb.eu-central-1.amazonaws.com
*.s3-r-w.eu-central-1.amazonaws.com
raw.githubusercontent.com
github.com
*.ubuntu.com
downloads.horizon3ai.com

  • HTTP - 80/tcp 

    *.interacth3.eu

For NodeZero Runner EU and US based

  • HTTPS - 443/tcp 
    api.horizon3ai.com            # For US Portal
api.horizon3ai.eu             # For EU Portal
raw.githubusercontent.com
github.com

OVA requirements

If using the OVA, it requires a opening additional connections to support the OS, h3-cli and n0 utility. Make sure the host is able to communicate to these endpoints.

  • HTTPS - 443/tcp 
    *.ubuntu.com
downloads.horizon3ai.com
github.com

Inbound Network Access

Not applicable to the OVA

The following ports should be opened on the NodeZero host/VM to allow traffic in:

  • TCP 21, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 587, 1433, 3306, 3389, 5900, 5985, 8080, 8443, 8888, 28069, 45000-49999
  • UDP 69

The above network settings are required for the NodeZero Host and not nessicarily for the perimeter firewalls.

DO NOT Make Additional Network Changes

It is crucial to not make additional changes to the network environment beyond the day-to-day while running NodeZero. NodeZero represents an attacker and does not require additional paths opened for it to perform an assessment. For example, if your firewall is set to block the marketing VLAN from accessing the finance VLAN, leave it as is. NodeZero will verify that this configuration is in place.

BETA: Consolidated Endpoint

Beta

This feature will need to be enabled for your account. Please contact your CS rep.
User experience is subject to change.

If you are operating the NodeZero host within a restricted network environment, the consolidated endpoint feature can simplify networking requirements. Instead of opening outbound network traffic to all the AWS services listed above, you will only need to allow traffic for the two static IP addresses associated with these domains:

US-Based

  • Domains 

    gateway.horizon3ai.com
interact.gateway.horizon3ai.com

  • IPs 

    15.197.206.82
3.33.191.122

  • Port 

      HTTPS - 443/TCP

EU-Based

  • Domains 

    gateway.horizon3ai.eu
interact.gateway.horizon3ai.eu

  • IPs 

    52.223.20.205
99.83.187.197

  • Ports 

      HTTPS - 443/TCP
  HTTP - 80/TCP
  DNS - 53/UDP