Permitting access for the agent (allowlist)
When performing security assessments, it is common practice to adjust the firewall's allowlist configuration so that results are accurate and interruptions during the assessment are reduced. These allowlist entries let the testing procedures run without being blocked by security controls such as IDS, IPS, WAF, and so forth.
NOTE If the client does not wish to allowlist the source IP addresses, testing activities may be limited, and therefore, the results may not be as detailed.
External network pentests
These specifications apply only to external security assessments. Please use the correct region's IP addresses.
In some situations, you may want to allowlist Vonahi's public IP addresses used during pentesting to simulate conditions where security controls are bypassed or not enforced. An external agent is deployed when an external network pentest is scheduled.
If you use the URL app.vpentest.io to log in to vPenTest, and you are using the US-East hosted version of vPenTest, the source IP addresses used during testing are as follows:
- 34.203.65.38
- 54.157.67.248
- 3.92.230.194
If you use the URL emea.app.vpentest.io to log in to vPenTest, and you are using the Germany hosted version of vPenTest, the source IP addresses used during testing are as follows:
- 18.198.198.250
- 63.176.190.78
- 63.177.210.107
If you use the URL apac.app.vpentest.io to log in to vPenTest, and you are using the Australia hosted version of vPenTest, the source IP addresses used during testing are as follows:
- 13.237.181.71
- 52.65.175.174
- 54.79.56.176
Internal network pentests
These specifications apply only to internal security assessments. Please use the correct region's endpoints.
In most cases, if your organization allows port 443/tcp (https), 80/tcp (http), and 123/udp (ntp) outbound traffic without restrictions to the destination domains, your internal agent should not experience any communication issues. However, if you want to explicitly allowlist the endpoints required for the internal agent to communicate with vPenTest, refer to the following sections.
NOTE For troubleshooting purposes, you may be asked to create an additional allowlist so that our development team can temporarily connect directly to your agent. The endpoint for this will vary and, therefore, has not been provided in this list.
United States region
Allowlist the following endpoints if you log in to the US instance of vPenTest at app.vpentest.io:
Allow outbound HTTPS (TCP 443) to the following endpoints:
- 708332864587.dkr.ecr.us-east-1.amazonaws.com
- 708332864587.dkr.ecr-fips.us-east-1.amazonaws.com
- api.ecr.us-east-1.amazonaws.com
- app.vpentest.io
- ec2messages.us-east-2.amazonaws.com
- ecr-fips.us-east-1.amazonaws.com
- ecr.us-east-1.amazonaws.com
- kms.us-east-2.amazonaws.com
- ssm-fips.us-east-2.amazonaws.com
- ssm.us-east-2.amazonaws.com
- ssmmessages.us-east-2.amazonaws.com
- sts.amazonaws.com
- snapcraft.io
- public.ecr.aws
- s3.amazonaws.com
Allow outbound HTTP (TCP 80) and HTTPS (TCP 443) to the following domains:
- *.ubuntu.com
- *.docker.com
- *.docker.io
- *.github.io
- *.rubygems.org
- *.canonical.com
- *.snapcraftcontent.com
- *.greenbone.net
Allow outbound NTP (UDP 123) to the following endpoint (NTP pool):
- pool.ntp.org
NOTE If you prefer to use an internal time server, you can add a host entry in your Ubuntu instance to DNS resolve pool.ntp.org to your local time server's IP address.
Germany region
Allowlist the following endpoints if you log in to the EMEA instance of vPenTest at emea.app.vpentest.io:
Allow outbound HTTPS (TCP 443) to the following endpoints:
- 708332864587.dkr.ecr.eu-central-1.amazonaws.com
- api.ecr.eu-central-1.amazonaws.com
- emea.app.vpentest.io
- ec2messages.eu-central-1.amazonaws.com
- ecr.eu-central-1.amazonaws.com
- kms.eu-central-1.amazonaws.com
- ssm.eu-central-1.amazonaws.com
- ssmmessages.eu-central-1.amazonaws.com
- sts.amazonaws.com
- snapcraft.io
- public.ecr.aws
- s3.amazonaws.com
- s3.eu-central-1.amazonaws.com
Allow outbound HTTP (TCP 80) and HTTPS (TCP 443) to the following domains:
- *.ubuntu.com
- *.docker.com
- *.github.io
- *.rubygems.org
- *.canonical.com
- *.snapcraftcontent.com
- *.greenbone.net
Allow outbound NTP (UDP 123) to the following endpoint (NTP pool):
- pool.ntp.org
NOTE If you prefer to use an internal time server, you can add a host entry in your Ubuntu instance to DNS resolve pool.ntp.org to your local time server's IP address.
Australia region
Allowlist the following endpoints if you log in to the APAC instance of vPenTest at apac.app.vpentest.io:
Allow outbound HTTPS (TCP 443) to the following endpoints:
- 708332864587.dkr.ecr.ap-southeast-2.amazonaws.com
- api.ecr.ap-southeast-2.amazonaws.com
- apac.app.vpentest.io
- ec2messages.ap-southeast-2.amazonaws.com
- ecr.ap-southeast-2.amazonaws.com
- kms.ap-southeast-2.amazonaws.com
- ssm.ap-southeast-2.amazonaws.com
- ssmmessages.ap-southeast-2.amazonaws.com
- sts.amazonaws.com
- snapcraft.io
- public.ecr.aws
- s3.amazonaws.com
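The following script, added here as an example and not Vonahi's own tooling, takes the US-region internal agent endpoint list above and checks a candidate outbound firewall policy against it, reporting every required destination/protocol/port combination that the policy still leaves uncovered (wildcard entries are handled). The candidate policy is constructed for illustration, and pool.ntp.org is assumed to be the NTP pool the note above refers to.

```python
# Egress allowlist coverage check for the vPenTest internal agent (US region).
# Added example, not Vonahi's code: compares a candidate outbound firewall
# policy with the endpoint list from this page and reports what is missing.
import fnmatch
# Required destinations for the US region, transcribed from the lists above.
HTTPS_ONLY = """708332864587.dkr.ecr.us-east-1.amazonaws.com
    708332864587.dkr.ecr-fips.us-east-1.amazonaws.com api.ecr.us-east-1.amazonaws.com
    app.vpentest.io ec2messages.us-east-2.amazonaws.com ecr-fips.us-east-1.amazonaws.com
    ecr.us-east-1.amazonaws.com kms.us-east-2.amazonaws.com ssm-fips.us-east-2.amazonaws.com
    ssm.us-east-2.amazonaws.com ssmmessages.us-east-2.amazonaws.com sts.amazonaws.com
    snapcraft.io public.ecr.aws s3.amazonaws.com""".split()
HTTP_AND_HTTPS = """*.ubuntu.com *.docker.com *.docker.io *.github.io *.rubygems.org
    *.canonical.com *.snapcraftcontent.com *.greenbone.net""".split()
NTP = ["pool.ntp.org"]  # assumption: the pool the NTP note above refers to

def required_rules():
    """Every (destination, protocol, port) the agent needs open outbound."""
    rules = [(h, "tcp", 443) for h in HTTPS_ONLY]
    rules += [(h, "tcp", p) for h in HTTP_AND_HTTPS for p in (80, 443)]
    rules += [(h, "udp", 123) for h in NTP]
    return rules

def covers(policy_rule, required):
    """True if one policy entry satisfies one required tuple. A wildcard policy entry
    (*.zone) covers the zone and its apex; a wildcard requirement needs an equal entry."""
    dest, proto, port = policy_rule
    need, need_proto, need_port = required
    if proto != need_proto or port != need_port:
        return False
    if dest == need:
        return True
    if dest.startswith("*.") and not need.startswith("*."):
        return fnmatch.fnmatchcase(need, dest) or need == dest[2:]
    return False

def missing_rules(policy):
    """Required tuples that no entry in the candidate policy covers."""
    return [r for r in required_rules() if not any(covers(p, r) for p in policy)]

# Constructed candidate policy: a typical first draft that forgets the non-AWS
# registries, port 80 to the package mirrors, and outbound NTP.
EXAMPLE_POLICY = [
    ("*.amazonaws.com", "tcp", 443),
    ("app.vpentest.io", "tcp", 443),
    ("*.ubuntu.com", "tcp", 443),
    ("archive.ubuntu.com", "tcp", 80),  # too narrow to satisfy *.ubuntu.com
]

if __name__ == "__main__":
    for rule in missing_rules(EXAMPLE_POLICY):
        print("MISSING: %s %s/%d" % rule)
```

Run it against your real egress rules (one tuple per destination, protocol and port) before the assessment window; an empty result means the agent's required endpoints are all reachable as far as the policy is concerned.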
Permitting exclusions
NOTE These exclusions are optional depending on whether you are testing the efficacy of your tools or want to bypass the tools to perform your assessments.
Modern and advanced security tools and features such as IPS/IDS, EDR, MDR, SOC, and XDR are all designed to analyze, detect, and take some sort of action against potential malicious activity. A pentest is ethical but follows the same methodology as a malicious attacker. As a result, activity may be detected by these tools. To avoid issues, business disruption, or false alarms, we recommend that you allowlist our external source IP addresses for external assessments and internal agent IP addresses for internal assessments.
Geoblocking exclusions
These specifications apply primarily to internal pentests. The deployed internal agent relies on the local network to reach the URLs it uses for updates, software pulls, and feed updates. If the internal agent has trouble starting services, or you see error messages during installation, allow the following countries in your geoblocking configuration:
- United States
- United Kingdom
- Germany