Network Requirements
To enable communication between a NodeZero host and the Horizon3.ai SaaS platform, you must configure specific network settings. This section details the required outbound and inbound connections so the host can download, execute, and report on NodeZero pentests. Requirements depend on the Portal instance (US or EU) that generates the test, not on the host's location. All listed endpoints must remain reachable without interruption for the entire duration of a pentest.
Restricted network environments
If your environment is restricted and you would otherwise need to add many firewall exceptions for NodeZero to reach its SaaS infrastructure, you can use the NodeZero Gateway, which reduces the number of exceptions needed. To enable the NodeZero Gateway on your account, contact your Sales or Customer Success representative.
Are you using a proxy?
If your environment uses a proxy for internet access, configure the NodeZero host accordingly to ensure proper communication. See the Proxy setup guide.
Outbound traffic
Your Portal region:
Outbound network access depends on the Portal instance generating the test, not on the location of the NodeZero host. Requirements are grouped by Portal region below.
US-based Portal
portal.horizon3ai.com
Ensure uninterrupted outbound access to these endpoints during NodeZero operations.
Port/Protocol | Endpoints | Purpose |
---|---|---|
HTTPS - 443/TCP | gateway.horizon3ai.com, interact.gateway.horizon3ai.com, api.gateway.horizon3ai.com, registry.gateway.horizon3ai.com, api.horizon3ai.com, cognito-identity.us-east-2.amazonaws.com, cognito-idp.us-east-2.amazonaws.com, downloads.horizon3ai.com, sqs.us-east-2.amazonaws.com, *.ecr.us-east-2.amazonaws.com, *.queue.amazonaws.com, *.s3.amazonaws.com, *.s3.us-east-2.amazonaws.com, *.s3-w.us-east-2.amazonaws.com, raw.githubusercontent.com, github.com, *.ubuntu.com, *.canonical.com, *.interacth3.io (Deprecated), *.docker.com (Deprecated), *.docker.io (Deprecated), docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com | API access, authentication, storage, updates, and container registry |
HTTP - 80/TCP | *.interacth3.io | Interactive test communication |
EU-based Portal
portal.horizon3ai.eu
Ensure uninterrupted outbound access to these endpoints during NodeZero operations.
Port/Protocol | Endpoints | Purpose |
---|---|---|
HTTPS - 443/TCP | gateway.horizon3ai.eu, interact.gateway.horizon3ai.eu, api.gateway.horizon3ai.eu, registry.gateway.horizon3ai.eu, api.horizon3ai.eu, cognito-identity.eu-central-1.amazonaws.com, cognito-idp.eu-central-1.amazonaws.com, downloads.horizon3ai.com, sqs.eu-central-1.amazonaws.com, *.ecr.eu-central-1.amazonaws.com, *.queue.amazonaws.com, *.s3.amazonaws.com, *.s3.eu-central-1.amazonaws.com, *.s3-w.eu-central-1.amazonaws.com, *.execute-api.eu-central-1.amazonaws.com, *.elb.eu-central-1.amazonaws.com, *.s3-r-w.eu-central-1.amazonaws.com, raw.githubusercontent.com, github.com, *.ubuntu.com, *.canonical.com, *.interacth3.eu (Deprecated), *.docker.com (Deprecated), *.docker.io (Deprecated), docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com | API access, authentication, storage, updates, and load balancing |
HTTP - 80/TCP | *.interacth3.eu | Interactive test communication |
HTTPS/SSL/TLS Inspections
SSL/TLS inspection re-signs the server certificate with the inspecting device's own CA, so cURL on the NodeZero host sees a certificate mismatch and fails. To avoid this, exempt the NodeZero host from inspection or disable inspection for the endpoints listed above.
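The following script is an added example (not Horizon3.ai or NodeZero code) for running on the NodeZero host before a pentest: it takes the US-Portal 443/TCP endpoint cell from the table above, drops wildcard and deprecated entries (a wildcard cannot be connected to as written), probes each remaining hostname with cURL, and translates the exit status into the firewall-level cause. On a certificate failure it also prints who issued the certificate the host actually received, which is how you tell an inspecting proxy apart from a broken CA bundle. It assumes a POSIX shell with curl, openssl and awk installed, as on the Ubuntu base of the OVA; the `check` argument is a guard so that nothing is probed when the file is merely sourced.

```shell
#!/usr/bin/env sh
# Added example, not Horizon3.ai code: probe the US-Portal HTTPS endpoints from
# the NodeZero host and explain each failure in firewall terms.
# Assumes a POSIX shell with curl, openssl and awk (all present on Ubuntu).

# The 443/TCP endpoint cell of the US-Portal table, copied verbatim.
US_PORTAL_443='gateway.horizon3ai.com interact.gateway.horizon3ai.com
api.gateway.horizon3ai.com registry.gateway.horizon3ai.com api.horizon3ai.com
cognito-identity.us-east-2.amazonaws.com cognito-idp.us-east-2.amazonaws.com
downloads.horizon3ai.com sqs.us-east-2.amazonaws.com *.ecr.us-east-2.amazonaws.com
*.queue.amazonaws.com *.s3.amazonaws.com *.s3.us-east-2.amazonaws.com
*.s3-w.us-east-2.amazonaws.com raw.githubusercontent.com github.com
*.ubuntu.com *.canonical.com *.interacth3.io (Deprecated) *.docker.com (Deprecated)
*.docker.io (Deprecated)
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com'

# Print one probeable hostname per line. Wildcards (*.example) cannot be
# connected to as written, and a "(Deprecated)" tag removes the name before it.
probe_list() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "(Deprecated)") { if (kept) n--; kept = 0; continue }
                if ($i ~ /^\*\./)          { kept = 0; continue }
                names[++n] = $i; kept = 1
            }
        }
        END { for (i = 1; i <= n; i++) print names[i] }'
}

# Translate a curl exit status into the network-level cause an admin can act on.
explain_curl_exit() {
    case "$1" in
        0)  echo "ok: TCP connect and TLS handshake succeeded" ;;
        6)  echo "dns: hostname did not resolve (check resolver or proxy settings)" ;;
        7)  echo "connect: TCP connection refused or rejected (egress firewall rule)" ;;
        28) echo "timeout: no response (traffic silently dropped)" ;;
        35) echo "tls: handshake failed (protocol interference or inspection device)" ;;
        60) echo "tls: server certificate not trusted (typical of SSL/TLS inspection re-signing the connection)" ;;
        *)  echo "curl exit $1: see EXIT CODES in curl(1)" ;;
    esac
}

# Show who issued the certificate the host actually receives. If this is your
# own inspection CA rather than a public CA, the path is being intercepted.
issuer_of() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

probe() {
    host=$1
    # Any HTTP status counts as success here; only TCP and TLS reachability matter.
    curl -sS -o /dev/null --connect-timeout 5 --max-time 15 "https://$host/" 2>/dev/null
    rc=$?
    printf '%-80s %s\n' "$host" "$(explain_curl_exit "$rc")"
    [ "$rc" -eq 60 ] && printf '%-80s issuer: %s\n' '' "$(issuer_of "$host")"
    return 0
}

# Run as:  sh netcheck.sh check
if [ "${1:-}" = "check" ]; then
    for h in $(probe_list "$US_PORTAL_443"); do probe "$h"; done
    echo "Wildcard entries (*.s3.amazonaws.com, *.ubuntu.com, ...) and the 80/TCP"
    echo "*.interacth3.io entry were not probed: confirm those in proxy or firewall logs."
fi
```

For the EU Portal, replace the constant with the 443/TCP cell of the EU table; the parsing and diagnosis are identical. A result of `tls: server certificate not trusted` together with an issuer line naming your own enterprise CA is the inspection case described above; the same exit code with a public-CA issuer points at a stale CA bundle on the host instead.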
NodeZero OVA Outbound Networking Requirements
Hosts set up from the OVA also need the following endpoints, which deliver OS package updates and h3-cli updates:
Port/Protocol | Endpoints | Purpose |
---|---|---|
HTTPS - 443/TCP | *.ubuntu.com, *.canonical.com, downloads.horizon3ai.com, github.com (optional, for h3-cli updates) | OS and CLI updates |
Inbound traffic
TCP and UDP Ports
OVA is pre-configured
OVA users can skip the inbound settings: the OVA is pre-configured with the necessary inbound ports already open.
To simulate internal attacks, the NodeZero host must accept inbound traffic on the ports below. These rules apply to the host's own firewall, not to perimeter firewalls.
Protocol | Ports |
---|---|
TCP | 21, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 587, 1433, 3306, 3389, 5900, 5985, 8080, 8443, 8888, 28069, 45000-49999 |
UDP | 69 |
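As an added example (not Horizon3.ai code), the script below turns the inbound port table into host-firewall rules for a self-built Ubuntu NodeZero host; the OVA already ships with these ports open, so it is not needed there. It assumes ufw is installed. Two points a practitioner wants here: ufw writes a range as `low:high` while the table writes `low-high`, and port 22 is not in NodeZero's list, so the script carries an `ADMIN_PORTS` variable (an assumption of this example, not part of the requirements) to keep your own SSH access open when the default incoming policy is set to deny.

```shell
#!/usr/bin/env sh
# Added example, not Horizon3.ai code: turn the inbound port table into host
# firewall rules for a self-built Ubuntu NodeZero host (the OVA already has
# these open). Assumes ufw. Only the host firewall is touched; the perimeter
# stays as it is, per "Do not punch extra holes".

TCP_PORTS='21, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 587, 1433, 3306, 3389, 5900, 5985, 8080, 8443, 8888, 28069, 45000-49999'
UDP_PORTS='69'
# Not required by NodeZero: your own management access. Assumed to be SSH here;
# without it, "default deny incoming" below would lock you out.
ADMIN_PORTS='22'

# Split "a, b, c-d" into one entry per line, without spaces or blank lines.
entries() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | sed '/^$/d'
}

# Emit one "ufw allow" per entry. ufw spells a range low:high, the table low-high.
ufw_rules() {   # $1 = port list, $2 = tcp|udp
    entries "$1" | while IFS= read -r spec; do
        printf 'ufw allow %s/%s\n' "$(printf '%s' "$spec" | tr '-' ':')" "$2"
    done
}

# Number of individual ports the list covers, ranges counted inclusively.
count_ports() {
    entries "$1" | awk -F'-' 'NF == 1 { n++ } NF == 2 { n += $2 - $1 + 1 } END { print n + 0 }'
}

# Apply only when explicitly asked and running as root; otherwise dry-run.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    ufw default deny incoming
    ufw_rules "$ADMIN_PORTS" tcp | sh -x
    ufw_rules "$TCP_PORTS" tcp | sh -x
    ufw_rules "$UDP_PORTS" udp | sh -x
    ufw --force enable
    ufw status verbose
else
    echo "Dry run: $(count_ports "$TCP_PORTS") TCP ports and $(count_ports "$UDP_PORTS") UDP port would be opened on the host:"
    ufw_rules "$ADMIN_PORTS" tcp
    ufw_rules "$TCP_PORTS" tcp
    ufw_rules "$UDP_PORTS" udp
fi
```

Run it without arguments to see the 26 rules it would add (one for management access, 24 for the TCP entries including the 45000:49999 range, one for UDP), then `sudo sh inbound.sh apply` to install them. The range expands to 5000 ports, so the TCP column covers 5023 ports in total; that is the figure to compare against `ufw status` or an `nmap -p 21-49999` scan from a neighbouring host.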
Do not punch extra holes
Do not alter your network beyond normal operations during a pentest. NodeZero simulates an attacker and does not require extra paths. For example, if your firewall blocks the marketing VLAN from the finance VLAN, keep it that way—NodeZero will validate this restriction.
NodeZero Gateway
Enable NodeZero Gateway
NodeZero Gateway is available exclusively to paid customers. To enable the NodeZero Gateway for your account, please contact your Sales or Customer Success representative.
For networks with restricted outbound access, the NodeZero Gateway routes NodeZero's traffic to the Horizon3.ai SaaS platform through a small set of static IPs, so fewer firewall exceptions are needed.
When to use
NodeZero Gateways suit networks with strict security policies or outbound traffic restrictions: routing through static IPs lets you allow-list a fixed set of addresses instead of many hostnames, which simplifies firewall and proxy configuration while keeping connectivity consistent.
NodeZero Gateways are region-specific; use the endpoints that match the Portal instance generating your tests.
US-based NodeZero Gateway
Domains | Static IPs | Port/Protocol |
---|---|---|
gateway.horizon3ai.com, interact.gateway.horizon3ai.com, api.gateway.horizon3ai.com, registry.gateway.horizon3ai.com | 15.197.206.82, 3.33.191.122 | HTTPS - 443/TCP |
EU-based NodeZero Gateway
Domains | Static IPs | Port/Protocol |
---|---|---|
gateway.horizon3ai.eu, interact.gateway.horizon3ai.eu, api.gateway.horizon3ai.eu, registry.gateway.horizon3ai.eu | 52.223.20.205, 99.83.187.197 | HTTPS - 443/TCP |