Network Requirements

To deploy a NodeZero Host and enable communication with the Horizon3.ai SaaS platform, you must configure specific network settings. This section details the required outbound and inbound connections so the host can download, execute, and report on NodeZero pentests. Requirements vary based on the Portal instance (US or EU) that is generating the test, not on the host's location. Your network must maintain uninterrupted access to all listed endpoints for the entire pentest operation.

Restricted network environments

Users in restricted environments who need to make firewall exceptions for NodeZero to reach its SaaS infrastructure have the option to use the NodeZero Gateway, which reduces the number of firewall exceptions needed. To enable the NodeZero Gateway on an account, contact your Sales or Customer Success representative.

Are you using a proxy?

If your environment uses a proxy for internet access, configure the NodeZero host accordingly to ensure proper communication. See the Proxy setup guide.

Outbound traffic

Your Portal region:

Outbound network access depends on the Portal instance generating the test rather than on the location of the NodeZero host. Requirements are grouped by Portal region. Choose a region to view requirements:

🇺🇸 US-based Portal

portal.horizon3ai.com

Ensure uninterrupted outbound access to these endpoints during NodeZero operations.

Port/Protocol: HTTPS - 443/TCP
Purpose: API access, authentication, storage, updates, and container registry
Endpoints:
    gateway.horizon3ai.com
    interact.gateway.horizon3ai.com
    api.gateway.horizon3ai.com
    registry.gateway.horizon3ai.com
    api.horizon3ai.com
    cognito-identity.us-east-2.amazonaws.com
    cognito-idp.us-east-2.amazonaws.com
    downloads.horizon3ai.com
    sqs.us-east-2.amazonaws.com
    *.ecr.us-east-2.amazonaws.com
    *.queue.amazonaws.com
    *.s3.amazonaws.com
    *.s3.us-east-2.amazonaws.com
    *.s3-w.us-east-2.amazonaws.com
    raw.githubusercontent.com
    github.com
    *.ubuntu.com
    *.canonical.com
    *.interacth3.io
    (Deprecated) *.docker.com
    (Deprecated) *.docker.io
    (Deprecated) docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

Port/Protocol: HTTP - 80/TCP
Purpose: Interactive test communication
Endpoints:
    *.interacth3.io

🇪🇺 EU-based Portal

portal.horizon3ai.eu

Ensure uninterrupted outbound access to these endpoints during NodeZero operations.

Port/Protocol: HTTPS - 443/TCP
Purpose: API access, authentication, storage, updates, and load balancing
Endpoints:
    gateway.horizon3ai.eu
    interact.gateway.horizon3ai.eu
    api.gateway.horizon3ai.eu
    registry.gateway.horizon3ai.eu
    api.horizon3ai.eu
    cognito-identity.eu-central-1.amazonaws.com
    cognito-idp.eu-central-1.amazonaws.com
    downloads.horizon3ai.com
    sqs.eu-central-1.amazonaws.com
    *.ecr.eu-central-1.amazonaws.com
    *.queue.amazonaws.com
    *.s3.amazonaws.com
    *.s3.eu-central-1.amazonaws.com
    *.s3-w.eu-central-1.amazonaws.com
    *.execute-api.eu-central-1.amazonaws.com
    *.elb.eu-central-1.amazonaws.com
    *.s3-r-w.eu-central-1.amazonaws.com
    raw.githubusercontent.com
    github.com
    *.ubuntu.com
    *.canonical.com
    *.interacth3.eu
    (Deprecated) *.docker.com
    (Deprecated) *.docker.io
    (Deprecated) docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

Port/Protocol: HTTP - 80/TCP
Purpose: Interactive test communication
Endpoints:
    *.interacth3.eu

HTTPS/SSL/TLS Inspections

SSL/TLS packet inspection may cause cURL commands to fail because of certificate mismatches. To avoid this, consider making an exception for the NodeZero host, or disabling packet inspection for its traffic.
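As an added example (not Horizon3.ai's own tooling or documentation), the following script probes the exact hostnames from the region tables above from the NodeZero host and uses curl's exit status to separate a likely SSL/TLS inspection problem (presented certificate chain not trusted) from DNS failures and firewall blocks. It also includes a small allowlist matcher for checking a hostname seen in proxy or firewall logs against the wildcard entries. It assumes curl is installed on the host; the region names `us` and `eu` are this script's own way of selecting a table.

```shell
#!/bin/sh
# Added example, not Horizon3.ai's own tooling: probe the HTTPS endpoints
# listed above from the NodeZero host and classify each failure, so that
# SSL/TLS inspection (a certificate mismatch seen by curl) is told apart
# from DNS failures and firewall blocks. Assumes curl is installed.
set -f   # no filename globbing, so entries such as *.s3.amazonaws.com stay literal

# Endpoint lists copied from the tables above; the deprecated Docker entries
# are left out. Region is "us" or "eu".
endpoints_for_region() {
    case "$1" in
        us) echo "gateway.horizon3ai.com interact.gateway.horizon3ai.com \
api.gateway.horizon3ai.com registry.gateway.horizon3ai.com api.horizon3ai.com \
cognito-identity.us-east-2.amazonaws.com cognito-idp.us-east-2.amazonaws.com \
downloads.horizon3ai.com sqs.us-east-2.amazonaws.com *.ecr.us-east-2.amazonaws.com \
*.queue.amazonaws.com *.s3.amazonaws.com *.s3.us-east-2.amazonaws.com \
*.s3-w.us-east-2.amazonaws.com raw.githubusercontent.com github.com \
*.ubuntu.com *.canonical.com *.interacth3.io" ;;
        eu) echo "gateway.horizon3ai.eu interact.gateway.horizon3ai.eu \
api.gateway.horizon3ai.eu registry.gateway.horizon3ai.eu api.horizon3ai.eu \
cognito-identity.eu-central-1.amazonaws.com cognito-idp.eu-central-1.amazonaws.com \
downloads.horizon3ai.com sqs.eu-central-1.amazonaws.com *.ecr.eu-central-1.amazonaws.com \
*.queue.amazonaws.com *.s3.amazonaws.com *.s3.eu-central-1.amazonaws.com \
*.s3-w.eu-central-1.amazonaws.com *.execute-api.eu-central-1.amazonaws.com \
*.elb.eu-central-1.amazonaws.com *.s3-r-w.eu-central-1.amazonaws.com \
raw.githubusercontent.com github.com *.ubuntu.com *.canonical.com *.interacth3.eu" ;;
        *)  echo "unknown region: $1" >&2; return 1 ;;
    esac
}

# Does a hostname (e.g. one seen in a proxy or firewall log) fall under the
# region's allowlist? Wildcard entries are matched as shell patterns.
# Exit 0 = allowed, 1 = not in the list.
host_allowed() {
    for entry in $(endpoints_for_region "$2"); do
        case "$1" in
            $entry) return 0 ;;
        esac
    done
    return 1
}

# curl exit status -> diagnosis. 60 ("peer certificate cannot be
# authenticated with known CA certificates") is what TLS inspection
# produces when the inspecting CA is not trusted by the host.
classify_curl_exit() {
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "dns-failure" ;;
        7)  echo "connect-failure (firewall or proxy)" ;;
        28) echo "timeout" ;;
        35) echo "tls-handshake-failure" ;;
        60) echo "tls-inspection-suspected (untrusted CA in chain)" ;;
        *)  echo "curl-exit-$1" ;;
    esac
}

# One host: any HTTP status counts as reachable; the question is only
# whether a TLS session with a trusted chain could be established.
probe_host() {
    rc=0
    curl -s -o /dev/null --connect-timeout 5 --max-time 15 "https://$1/" || rc=$?
    classify_curl_exit "$rc"
}

# Whole region: exact hostnames are probed; wildcard entries are reported
# for manual allowlist review since there is no single host to contact.
probe_region() {
    for entry in $(endpoints_for_region "$1"); do
        case "$entry" in
            \*.*) printf '%-45s %s\n' "$entry" "wildcard: check allowlist rule" ;;
            *)    printf '%-45s %s\n' "$entry" "$(probe_host "$entry")" ;;
        esac
    done
}

# Usage on the host:  sh probe-endpoints.sh us   (or eu)
if [ $# -eq 1 ]; then
    probe_region "$1"
fi
```

Wildcard entries cannot be probed as a single host, so the script lists them for review of the matching allowlist rule, and the HTTP 80 entry for *.interacth3.io / *.interacth3.eu is likewise not covered by an HTTPS probe. A curl exit of 60 only tells you the presented chain was not trusted; confirm with the proxy team which CA re-signed the connection before deciding between an inspection exception for the host and a trust-store change.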


NodeZero Runner (US and EU)

For hosts utilizing a NodeZero Runner, additional endpoints are required:

Port/Protocol: HTTPS - 443/TCP
Purpose: Runner communication and setup
Endpoints:
    api.horizon3ai.com (US)
    api.horizon3ai.eu (EU)
    raw.githubusercontent.com
    github.com

Inbound traffic

TCP and UDP Ports

OVA is pre-configured

OVA users can skip setting up the inbound settings. The OVA is pre-configured with the necessary inbound ports already open.

To simulate internal attacks, the NodeZero Host must allow inbound traffic on specific ports. These settings apply to the host itself, not to perimeter firewalls.

Protocol Ports
TCP 21, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 587, 1433, 3306, 3389, 5900, 5985, 8080, 8443, 8888, 28069, 45000-49999
UDP 69
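As an added example (not Horizon3.ai's own tooling), the script below covers a non-OVA host whose local firewall is ufw: it prints the allow rules for the ports in the table above and, given the output of `ufw status`, reports which required port/protocol entries have no matching rule. The ufw status text embedded in the script is constructed for the offline run; on a real host, pipe the live `ufw status` into `missing_inbound`.

```shell
#!/bin/sh
# Added example, not Horizon3.ai's own tooling. For a non-OVA NodeZero host
# that uses ufw, print the allow rules for the inbound ports in the table
# above and report which of them the live firewall still lacks. Assumes ufw;
# the status text used for the offline run is constructed.

# Port list from the table above (ufw writes ranges as low:high).
REQUIRED_TCP="21 23 25 53 80 88 110 135 139 143 389 443 445 587 1433 3306 3389 5900 5985 8080 8443 8888 28069 45000:49999"
REQUIRED_UDP="69"

# Every required port/proto spec, one per line, e.g. "445/tcp".
required_specs() {
    for p in $REQUIRED_TCP; do echo "$p/tcp"; done
    for p in $REQUIRED_UDP; do echo "$p/udp"; done
}

# The ufw commands that open them on the host itself (not a perimeter device).
inbound_rules() {
    required_specs | sed 's/^/ufw allow /'
}

# Parse `ufw status` from stdin: keep IPv4 rules allowed from anywhere and
# print their port/proto spec. IPv6 rows carry "(v6)" in the second column
# and are skipped.
allowed_specs() {
    awk '$2 == "ALLOW" && $3 == "Anywhere" && $1 ~ /\// { print $1 }'
}

# stdin = `ufw status`; prints each required spec that has no matching rule.
# Returns 0 when the host is fully configured, 1 otherwise.
missing_inbound() {
    allowed=$(allowed_specs)
    missing=0
    for spec in $(required_specs); do
        if ! printf '%s\n' "$allowed" | grep -qxF "$spec"; then
            echo "$spec"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of a host that has only some of the rules in place.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
445/tcp                    ALLOW       Anywhere
45000:49999/tcp            ALLOW       Anywhere
69/udp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Offline demonstration; on the real host run:  ufw status | missing_inbound
demo_missing() {
    printf '%s\n' "$SAMPLE_STATUS" | missing_inbound
}
```

Run `inbound_rules` to see (or pipe to `sh` to apply) the host-level rules, and `ufw status | missing_inbound` afterwards to confirm nothing was skipped. On the constructed sample, 22 of the 25 required entries are reported missing, including 5985/tcp, while 445/tcp, the 45000:49999/tcp range and 69/udp are found.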

Tip

Do not alter your network beyond normal operations during a pentest. NodeZero simulates an attacker and does not require extra paths. For example, if your firewall blocks the marketing VLAN from the finance VLAN, keep it that way—NodeZero will validate this restriction.


NodeZero Gateway

For networks with restricted access, the NodeZero Gateway streamlines outbound traffic by routing it through static IPs.

When to use

NodeZero Gateways are ideal for networks with strict security policies or outbound traffic restrictions. By routing traffic through static IPs, this feature simplifies network configuration, ensuring consistent and secure connectivity. It is especially beneficial for organizations that need to comply with strict firewall or proxy settings.

Enable NodeZero Gateway

NodeZero Gateway is available exclusively to paid customers. To enable the NodeZero Gateway for your account, please contact your Sales or Customer Success representative.

NodeZero Gateways are region-specific. Choose a region to view endpoints:

🇺🇸 US-based NodeZero Gateway

Domains:
    gateway.horizon3ai.com
    interact.gateway.horizon3ai.com
    api.gateway.horizon3ai.com
    registry.gateway.horizon3ai.com
Static IPs:
    15.197.206.82
    3.33.191.122
Port/Protocol: HTTPS - 443/TCP

🇪🇺 EU-based NodeZero Gateway

Domains:
    gateway.horizon3ai.eu
    interact.gateway.horizon3ai.eu
    api.gateway.horizon3ai.eu
    registry.gateway.horizon3ai.eu
Static IPs:
    52.223.20.205
    99.83.187.197
Port/Protocol: HTTPS - 443/TCP
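With the Gateway, the firewall exception can be reduced to the static IPs listed above, which only holds while the gateway domains resolve to those addresses. As an added example (not Horizon3.ai's own tooling), this script resolves each gateway domain for a region and checks that every answer is within the published static set, so a stale IP-based rule is noticed before a pentest rather than during it. It assumes `getent` (glibc) is available on the host; the address sets passed in the offline check are constructed.

```shell
#!/bin/sh
# Added example, not Horizon3.ai's own tooling. With the NodeZero Gateway the
# firewall exception can be reduced to the static IPs listed above, so this
# check confirms that each gateway domain still resolves only to those IPs;
# any other address means an IP-based rule would block the host. Assumes
# getent (glibc); the resolved sets used offline are constructed.

# Static IPs and domains copied from the tables above. Region is "us" or "eu".
gateway_ips() {
    case "$1" in
        us) echo "15.197.206.82 3.33.191.122" ;;
        eu) echo "52.223.20.205 99.83.187.197" ;;
        *)  return 1 ;;
    esac
}

gateway_domains() {
    case "$1" in
        us) tld=com ;;
        eu) tld=eu ;;
        *)  return 1 ;;
    esac
    echo "gateway.horizon3ai.$tld interact.gateway.horizon3ai.$tld \
api.gateway.horizon3ai.$tld registry.gateway.horizon3ai.$tld"
}

# Return 0 if every address in $2 (space-separated) is one of the region's
# static IPs; print the first offender and return 1 otherwise.
ips_within_gateway() {
    allowed=" $(gateway_ips "$1") "
    for ip in $2; do
        case "$allowed" in
            *" $ip "*) ;;
            *) echo "unexpected address $ip"; return 1 ;;
        esac
    done
    return 0
}

# Live check on the host: resolve each domain (IPv4) and validate the answers.
check_gateway_dns() {
    rc=0
    for dom in $(gateway_domains "$1"); do
        ips=$(getent ahostsv4 "$dom" | awk '{ print $1 }' | sort -u | tr '\n' ' ')
        if [ -z "$ips" ]; then
            echo "$dom: DNS lookup failed"; rc=1
        elif ips_within_gateway "$1" "$ips" >/dev/null; then
            echo "$dom -> $ips: ok"
        else
            echo "$dom -> $ips: outside the static IP set"; rc=1
        fi
    done
    return $rc
}

# Usage on the host:  sh check-gateway.sh us   (or eu)
if [ $# -eq 1 ]; then
    check_gateway_dns "$1"
fi
```

A non-zero exit from `check_gateway_dns` means either the host's resolver could not answer (often a sign that DNS itself is filtered) or an address outside the published set was returned; in the second case, compare against the current table before widening any rule.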

Next Step

Setup NodeZero host
Deploy a NodeZero host inside your network to perform internal security assessments.