Firewall Configuration
Introduction
If your environment uses a firewall or proxy that restricts outbound traffic, you must allow access to the external services listed below. These services are required for installation, runtime operations, and vulnerability data updates.
The specific configuration steps will vary depending on your firewall solution. Work with your network administrator to ensure the domains listed below are accessible over HTTPS (TCP 443) from your Manifest deployment.
Required External Services
Container Registries
These registries are required during installation and upgrades to pull container images.
| Domain | Purpose |
|---|---|
| 623542229617.dkr.ecr.us-east-1.amazonaws.com | Manifest container images |
| quay.io | Third-party container images |
| docker.io | Third-party container images |
| registry.k8s.io | Kubernetes container images |
Installation Tools
Required during initial installation and upgrades.
| Domain | Purpose |
|---|---|
| get.helm.sh | Helm package manager |
Vulnerability Data Sources
These services are accessed at runtime to retrieve and update vulnerability data. If these are blocked, vulnerability information will not be updated automatically.
| Domain | Purpose |
|---|---|
| nvd.nist.gov | NVD vulnerability database |
| services.nvd.nist.gov | NVD API endpoint |
| osv-vulnerabilities.storage.googleapis.com | OSV vulnerability data |
| www.cisa.gov | CISA Known Exploited Vulnerabilities (KEV) |
| epss.cyentia.com | EPSS exploit prediction scores |
| epss.empiricalsecurity.com | EPSS exploit prediction scores |
| ecosyste.ms | Open source package metadata |
Optional Services
AI Risk Product
If your organization is subscribed to the AI Risk product, the following additional services must be accessible.
| Domain | Purpose |
|---|---|
| huggingface.co | Hugging Face API |
| api.openai.com | OpenAI API |
| export.arxiv.org | arXiv paper archive |
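As an added example (not Manifest's own tooling), the following Python encodes the domains from the tables above as an exact-match egress policy restricted to TCP 443, renders it as Squid directives, evaluates whether a given outbound connection would be permitted, and probes reachability from the deployment host. The Squid proxy and the ACL name `manifest_egress` are assumptions for illustration, not part of this page.

```python
import socket
from typing import Callable, Dict, Iterable, Optional, Set

HTTPS_PORT = 443  # the page requires HTTPS (TCP 443) only
# Domains as listed on this page; "ai_risk" applies only to AI Risk subscribers.
REQUIRED = {
    "container_registries": [
        "623542229617.dkr.ecr.us-east-1.amazonaws.com",
        "quay.io", "docker.io", "registry.k8s.io",
    ],
    "installation_tools": ["get.helm.sh"],
    "vulnerability_data": [
        "nvd.nist.gov", "services.nvd.nist.gov",
        "osv-vulnerabilities.storage.googleapis.com", "www.cisa.gov",
        "epss.cyentia.com", "epss.empiricalsecurity.com", "ecosyste.ms",
    ],
}
OPTIONAL = {"ai_risk": ["huggingface.co", "api.openai.com", "export.arxiv.org"]}

def allowed_domains(ai_risk: bool = False) -> Set[str]:
    """Flatten the groups into the set of hosts egress should be allowed to."""
    domains = {d for group in REQUIRED.values() for d in group}
    if ai_risk:
        domains.update(OPTIONAL["ai_risk"])
    return domains

def is_allowed(host: str, port: int, ai_risk: bool = False) -> bool:
    """Exact-match policy: only listed hosts, only on TCP 443 (no wildcards)."""
    return port == HTTPS_PORT and host.lower().rstrip(".") in allowed_domains(ai_risk)

def squid_acl(ai_risk: bool = False) -> str:
    """Render the policy as Squid directives (assumed ACL name manifest_egress)."""
    lines = [f"acl manifest_egress dstdomain {d}" for d in sorted(allowed_domains(ai_risk))]
    lines += ["acl https_port port 443",  # bare dstdomain matches the host exactly
              "http_access allow manifest_egress https_port",
              "http_access deny all"]
    return "\n".join(lines)

def check_reachability(domains: Iterable[str],
                       connect: Optional[Callable[[str, int], bool]] = None) -> Dict[str, bool]:
    """Probe TCP 443 per domain; pass a fake `connect` to test without network."""
    if connect is None:
        def connect(host: str, port: int) -> bool:
            try:
                with socket.create_connection((host, port), timeout=3.0):
                    return True
            except OSError:
                return False
    return {d: connect(d, HTTPS_PORT) for d in domains}
```

Run `check_reachability(allowed_domains(ai_risk=True))` from the deployment host to see which listed domains the firewall still blocks before installation.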