Skip to main content

Outbound network access

The hosts and ports CertAutoPilot reaches from your network. Use this page to scope egress firewall rules. Only the services you actually configure need to be reachable — start with the always-on group, then open the rest as you turn features on.

Legend

Always — required for the product to run. On use — only required when you enable that feature or configure that provider. Customer-defined — host is whatever you point it at; listed here so the category isn't forgotten.

Always

ServiceHostPort
Licenselicense-api.cloudnativeworks.com443 / HTTPS

Public certificate authorities

Open only the CAs you plan to issue from.

ServiceHostPort
Let's Encrypt (production)acme-v02.api.letsencrypt.org443 / HTTPS
Let's Encrypt (staging)acme-staging-v02.api.letsencrypt.org443 / HTTPS
Google Trust Services (production)dv.acme-v02.api.pki.goog443 / HTTPS
Google Trust Services (staging)dv.acme-v02.test-api.pki.goog443 / HTTPS
Sectigoacme.sectigo.com443 / HTTPS
GlobalSign Atlasemea.acme.atlas.globalsign.com443 / HTTPS
DigiCertone.digicert.com443 / HTTPS
SSL.comacme.ssl.com443 / HTTPS
ZeroSSLacme.zerossl.com443 / HTTPS
Actalisacme-api.actalis.com443 / HTTPS
GoDaddy ACMEacme.godaddy.com443 / HTTPS

Revocation checks

Hosts come from the OCSP / CRL extensions inside each CA's certificate chain. They are not fixed up front. The list below is what most public CAs use today; treat it as guidance, not as a closed set.

ServiceHost (typical)Port
OCSP respondersocsp.* hosts of the issuing CA80 / HTTP
CRL distribution pointscrl.* hosts of the issuing CA80 / HTTP (sometimes 443)

DNS providers

Open only the providers you store credentials for.

ServiceHostPort
Cloudflareapi.cloudflare.com443 / HTTPS
AWS Route 53route53.amazonaws.com443 / HTTPS
AWS Lightsaillightsail.*.amazonaws.com (regional)443 / HTTPS
Google Cloud DNSdns.googleapis.com443 / HTTPS
Azure DNSmanagement.azure.com443 / HTTPS
DigitalOceanapi.digitalocean.com443 / HTTPS
GoDaddyapi.godaddy.com443 / HTTPS
UltraDNSapi.ultradns.com443 / HTTPS
Akamai Edge DNS*.akamaiapis.net443 / HTTPS
Hetznerdns.hetzner.com443 / HTTPS
OVH*.api.ovh.com (regional)443 / HTTPS
Namecheapapi.namecheap.com, api.sandbox.namecheap.com443 / HTTPS

Discovery and domain tracking

On use — these turn on with the matching feature.

ServiceHostPort
Certificate Transparency searchcrt.sh443 / HTTPS
WHOIS / domain expirationRegistry-specific (e.g. whois.verisign-grs.com)43 / TCP
TLS scannerCustomer-defined targets443 / TLS (or custom)

Notifications

ServiceHostPort
Slack incoming webhookshooks.slack.com443 / HTTPS
Microsoft Teams webhooks*.webhook.office.com, outlook.office.com443 / HTTPS
SMTP relay (notification)Customer-defined25 / 465 / 587

Distribution targets

Customer-defined hosts. Listed by module so the firewall request covers them.

ModuleHostPort (default)
SSHCustomer-defined22 / SSH
WinRM (generic)Customer-defined5985 / 5986
Microsoft IISCustomer-defined5985 / 5986 (WinRM)
Kubernetes APICustomer-defined443 / 6443
F5 BIG-IPCustomer-defined443 / HTTPS
Citrix NetScalerCustomer-defined443 / HTTPS
HashiCorp VaultCustomer-defined8200 / HTTPS
WebhookCustomer-defined443 / HTTPS
SMTP deliveryCustomer-defined25 / 465 / 587
Huawei Cloud (ELB / CDN / WAF)*.myhuaweicloud.com (regional)443 / HTTPS
Microsoft AD CS (CES / CEP)Customer-defined443 / HTTPS

Post-distribution validation

ServiceHostPort
TLS fingerprint checkCustomer-defined endpoints443 / TLS (or custom)

Telemetry (optional)

Disabled by default. Only outbound when an OTLP endpoint is configured.

ServiceHostPort
OpenTelemetry collector (gRPC)Customer-defined4317 / gRPC
OpenTelemetry collector (HTTP)Customer-defined4318 / HTTPS

Air-gapped notes

  • The license host is the only always-on egress. Talk to support for offline license activation.
  • Public ACME CAs are not reachable in an isolated network — issue from Microsoft AD CS or another internal CA instead.
  • OCSP / CRL fetches can be disabled in revocation settings, or routed through an HTTP proxy.
  • WHOIS (port 43) is frequently blocked on enterprise networks; turn off domain expiration tracking if it is.

See also