Network Requirements
To deploy a NodeZero Host and enable communication with the Horizon3.ai SaaS platform, you must configure specific network settings. This section details the required outbound and inbound connections, ensuring the host can download, execute, and report on NodeZero pentests effectively. Requirements vary based on the Portal instance (US or EU) that is generating the test, and not on the host’s location. Your network must maintain uninterrupted network access to all listed endpoints during the entire pentest operation.
Restricted network environments
For users with restricted environments that need to make firewall exceptions for NodeZero to reach its SaaS infrastructure, there is the option to use the NodeZero Gateway, which reduces the number of firewall exceptions needed. To enable the NodeZero Gateway on an account, contact your Sales or Customer Success representative.
Are you using a proxy?
If your environment uses a proxy for internet access, configure the NodeZero host accordingly to ensure proper communication. See the Proxy setup guide.
Outbound traffic
Your Portal region:
Outbound network access depends on the Portal instance generating the test rather than the location of the NodeZero host. Requirements are grouped by Portal region. Choose a region to view requirements:
US-based Portal
portal.horizon3ai.com
Ensure uninterrupted outbound access to these endpoints during NodeZero operations.
Port/Protocol | Endpoints | Purpose |
---|---|---|
HTTPS - 443/TCP | gateway.horizon3ai.com, interact.gateway.horizon3ai.com, api.gateway.horizon3ai.com, registry.gateway.horizon3ai.com, api.horizon3ai.com, cognito-identity.us-east-2.amazonaws.com, cognito-idp.us-east-2.amazonaws.com, downloads.horizon3ai.com, sqs.us-east-2.amazonaws.com, *.ecr.us-east-2.amazonaws.com, *.queue.amazonaws.com, *.s3.amazonaws.com, *.s3.us-east-2.amazonaws.com, *.s3-w.us-east-2.amazonaws.com, raw.githubusercontent.com, github.com, *.ubuntu.com, *.canonical.com, *.interacth3.io (Deprecated), *.docker.com (Deprecated), *.docker.io (Deprecated), docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com | API access, authentication, storage, updates, and container registry |
HTTP - 80/TCP | *.interacth3.io | Interactive test communication |
EU-based Portal
portal.horizon3ai.eu
Ensure uninterrupted outbound access to these endpoints during NodeZero operations.
Port/Protocol | Endpoints | Purpose |
---|---|---|
HTTPS - 443/TCP | gateway.horizon3ai.eu, interact.gateway.horizon3ai.eu, api.gateway.horizon3ai.eu, registry.gateway.horizon3ai.eu, api.horizon3ai.eu, cognito-identity.eu-central-1.amazonaws.com, cognito-idp.eu-central-1.amazonaws.com, downloads.horizon3ai.com, sqs.eu-central-1.amazonaws.com, *.ecr.eu-central-1.amazonaws.com, *.queue.amazonaws.com, *.s3.amazonaws.com, *.s3.eu-central-1.amazonaws.com, *.s3-w.eu-central-1.amazonaws.com, *.execute-api.eu-central-1.amazonaws.com, *.elb.eu-central-1.amazonaws.com, *.s3-r-w.eu-central-1.amazonaws.com, raw.githubusercontent.com, github.com, *.ubuntu.com, *.canonical.com, *.interacth3.eu (Deprecated), *.docker.com (Deprecated), *.docker.io (Deprecated), docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com | API access, authentication, storage, updates, and load balancing |
HTTP - 80/TCP | *.interacth3.eu | Interactive test communication |
HTTPS/SSL/TLS Inspections
SSL/TLS packet inspection may cause cURL commands to fail due to certificate mismatches. To avoid this, consider making an exception or disabling packet inspection for the NodeZero host.
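As an added pre-flight check (this is example code, not Horizon3.ai's documentation or tooling), the POSIX sh script below probes the non-wildcard 443/TCP endpoints from the tables above from the NodeZero host and separates a certificate-verification failure, the TLS inspection symptom just described, from plain blocking or DNS problems. The script name and function names are assumptions; wildcard and deprecated entries are not probed because they cannot be resolved by name.

```shell
# Added example, not Horizon3.ai tooling: probe the non-wildcard HTTPS
# endpoints listed above from the NodeZero host and classify failures.
# Wildcard (*.s3...) and deprecated entries are not probed.
nz_region_endpoints() {   # non-wildcard names per Portal region
  case "$1" in
    us) printf '%s\n' gateway.horizon3ai.com interact.gateway.horizon3ai.com \
          api.gateway.horizon3ai.com registry.gateway.horizon3ai.com \
          api.horizon3ai.com cognito-identity.us-east-2.amazonaws.com \
          cognito-idp.us-east-2.amazonaws.com downloads.horizon3ai.com \
          sqs.us-east-2.amazonaws.com raw.githubusercontent.com github.com ;;
    eu) printf '%s\n' gateway.horizon3ai.eu interact.gateway.horizon3ai.eu \
          api.gateway.horizon3ai.eu registry.gateway.horizon3ai.eu \
          api.horizon3ai.eu cognito-identity.eu-central-1.amazonaws.com \
          cognito-idp.eu-central-1.amazonaws.com downloads.horizon3ai.com \
          sqs.eu-central-1.amazonaws.com raw.githubusercontent.com github.com ;;
    *) return 1 ;;
  esac
}

# Map a curl exit status to a verdict. 60 (peer certificate cannot be
# authenticated) is the symptom described under HTTPS/SSL/TLS Inspections;
# 6, 7 and 28 are reachability problems rather than TLS ones.
nz_classify() {
  case "$1" in
    0)  echo "ok" ;;
    60) echo "cert-mismatch: possible TLS inspection" ;;
    6)  echo "dns-resolution-failed" ;;
    7)  echo "connect-failed: blocked or filtered" ;;
    28) echo "timeout" ;;
    *)  echo "curl-exit-$1" ;;
  esac
}

# HEAD one host on 443/TCP; any HTTP status counts as reachable, since only
# transport and certificate errors matter here.
nz_probe() {
  st=0
  curl --silent --head --max-time 10 --output /dev/null "https://$1/" || st=$?
  nz_classify "$st"
}
nz_check_region() {   # probe a whole region; non-zero if any endpoint failed
  rc=0
  for h in $(nz_region_endpoints "$1"); do
    v=$(nz_probe "$h"); printf '%-48s %s\n' "$h" "$v"
    [ "$v" = "ok" ] || rc=1
  done
  return $rc
}
# Usage: sh nz_egress_check.sh us|eu   (no-op when no region is given)
if [ $# -eq 1 ]; then nz_check_region "$1"; fi
```

Run it on the NodeZero host itself, not from an admin workstation, since the egress path and any inspecting proxy are specific to that host's network position.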
NodeZero Runner (US and EU)
For hosts utilizing a NodeZero Runner, additional endpoints are required:
Port/Protocol | Endpoints | Purpose |
---|---|---|
HTTPS - 443/TCP | api.horizon3ai.com (US), api.horizon3ai.eu (EU), raw.githubusercontent.com, github.com | Runner communication and setup |
Inbound traffic
TCP and UDP Ports
OVA is pre-configured
OVA users can skip setting up the inbound settings. The OVA is pre-configured with the necessary inbound ports already open.
To simulate internal attacks, the NodeZero Host must allow inbound traffic on specific ports. These settings apply to the host itself, and not on perimeter firewalls.
Protocol | Ports |
---|---|
TCP | 21, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 587, 1433, 3306, 3389, 5900, 5985, 8080, 8443, 8888, 28069, 45000-49999 |
UDP | 69 |
Tip
Do not alter your network beyond normal operations during a pentest. NodeZero simulates an attacker and does not require extra paths. For example, if your firewall blocks the marketing VLAN from the finance VLAN, keep it that way—NodeZero will validate this restriction.
NodeZero Gateway
For networks with restricted access, the NodeZero Gateway streamlines outbound traffic by routing it through static IPs.
When to use
NodeZero Gateways are ideal for networks with strict security policies or outbound traffic restrictions. By routing traffic through static IPs, this feature simplifies network configuration, ensuring consistent and secure connectivity. It is especially beneficial for organizations that need to comply with strict firewall or proxy settings.
Enable NodeZero Gateway
NodeZero Gateway is available exclusively to paid customers. To enable the NodeZero Gateway for your account, please contact your Sales or Customer Success representative.
NodeZero Gateways are region-specific. Choose a region to view endpoints:
US-based NodeZero Gateway
Domains | Static IPs | Port/Protocol |
---|---|---|
gateway.horizon3ai.com, interact.gateway.horizon3ai.com, api.gateway.horizon3ai.com, registry.gateway.horizon3ai.com | 15.197.206.82, 3.33.191.122 | HTTPS - 443/TCP |
EU-based NodeZero Gateway
Domains | Static IPs | Port/Protocol |
---|---|---|
gateway.horizon3ai.eu, interact.gateway.horizon3ai.eu, api.gateway.horizon3ai.eu, registry.gateway.horizon3ai.eu | 52.223.20.205, 99.83.187.197 | HTTPS - 443/TCP |