Private Networks

Overview

Need to keep pentester activity inside your own network boundary? Nullify provides a containerised build of the pentester analyser through GitHub Container Registry and Amazon ECR. Run it behind your firewall, point it at internal hosts, and stream results back to your hosted tenant.

Orchestration Options

Contact support for image coordinates, IAM policies, and sizing recommendations tailored to your environment.

For customers who need pentest traffic to stay on a private network, Nullify supports connectivity via AWS PrivateLink. Instead of routing traffic over the public internet, Nullify connects to your applications through a VPC endpoint, keeping all communication within the AWS backbone.

Prerequisites

  • A VPC Endpoint Service in your AWS account. AWS PrivateLink supports endpoint services backed by a Network Load Balancer (NLB), Gateway Load Balancer (GWLB), or directly by an application running on supported compute (e.g. ECS, EKS, EC2).

  • The endpoint service must be in an Available state.

  • Your target applications must be accessible on the required ports from within the VPC.

Setup Steps

1. Create a VPC Endpoint Service

If you haven't already, create an endpoint service in the AWS Console or CLI that routes to your pentest target applications. See the AWS documentation for supported configurations.

2. Share the service details with Nullify

Provide the Nullify team with:

  • Your VPC Endpoint Service name (e.g. com.amazonaws.vpce.<region>.vpce-svc-<id>).

  • The region the service is deployed in.

  • The ports your applications listen on.

3. Whitelist the Nullify AWS account

Add the Nullify account as an allowed principal so we can create an interface endpoint to your service. The Nullify team will provide the account ID.

4. Accept the VPC endpoint connection

Once Nullify creates the interface endpoint, accept the pending connection request. You can do this in the AWS Console under VPC → Endpoint Services → Endpoint Connections, or via the CLI:

5. Update security groups

Ensure the security group attached to your target applications allows inbound traffic from the Nullify VPC CIDR range on the required ports. The Nullify team will provide the CIDR range to whitelist.

Note: A self-referencing security group rule (one that only allows traffic from itself) will not permit traffic arriving through the VPC endpoint interface. You must add an explicit inbound rule for the Nullify CIDR range.

6. Verify connectivity

The Nullify team will confirm connectivity to your applications over the private link. Once verified, the pentest can begin.
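The account-side commands for Steps 3 to 5, as an added shell example rather than Nullify's own tooling; the region, service id, account id, CIDR range, security group and port are placeholders you substitute with the values exchanged in Step 2:

```shell
# Added example, not Nullify's own tooling: account-side AWS CLI commands for Setup
# Steps 3 to 5 above. Every identifier below is a placeholder you replace.
set -eu
REGION="${REGION:-us-east-1}"                             # region of the endpoint service
SERVICE_ID="${SERVICE_ID:-vpce-svc-PLACEHOLDER}"          # your VPC Endpoint Service id
NULLIFY_ACCOUNT_ID="${NULLIFY_ACCOUNT_ID:-111111111111}"  # account id supplied by Nullify
NULLIFY_CIDR="${NULLIFY_CIDR:-10.0.0.0/16}"               # CIDR range supplied by Nullify
TARGET_SG_ID="${TARGET_SG_ID:-sg-PLACEHOLDER}"            # security group on your targets
APP_PORT="${APP_PORT:-443}"                               # port your application listens on
# Step 2 sanity check: a service name has the form com.amazonaws.vpce.<region>.vpce-svc-<id>.
validate_service_name() {
  case "$1" in
    com.amazonaws.vpce.*.vpce-svc-*) return 0 ;;
    *) return 1 ;;
  esac
}

# The principal format PrivateLink expects in the service's allowed-principals list.
principal_arn() { printf 'arn:aws:iam::%s:root' "$1"; }

# Step 3: add the Nullify account as an allowed principal on the service.
allow_nullify_principal() {
  aws ec2 modify-vpc-endpoint-service-permissions --region "$REGION" --service-id "$SERVICE_ID" \
    --add-allowed-principals "$(principal_arn "$NULLIFY_ACCOUNT_ID")"
}

# Step 4: accept every interface endpoint connection still in pendingAcceptance.
accept_pending_connections() {
  pending=$(aws ec2 describe-vpc-endpoint-connections --region "$REGION" \
    --filters "Name=service-id,Values=$SERVICE_ID" "Name=vpc-endpoint-state,Values=pendingAcceptance" \
    --query 'VpcEndpointConnections[].VpcEndpointId' --output text)
  if [ -n "$pending" ]; then
    aws ec2 accept-vpc-endpoint-connections --region "$REGION" \
      --service-id "$SERVICE_ID" --vpc-endpoint-ids $pending
  fi
}

# Step 5: explicit inbound rule for the Nullify CIDR. A self-referencing rule on
# TARGET_SG_ID does not cover traffic arriving through the endpoint interface.
allow_nullify_ingress() {
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$TARGET_SG_ID" \
    --protocol tcp --port "$APP_PORT" --cidr "$NULLIFY_CIDR"
}
main() {
  validate_service_name "com.amazonaws.vpce.$REGION.$SERVICE_ID" || exit 1
  allow_nullify_principal; accept_pending_connections; allow_nullify_ingress
}

if [ "${RUN_PRIVATELINK_SETUP:-0}" = "1" ]; then main; fi  # only touch AWS when asked
```

Run it with `RUN_PRIVATELINK_SETUP=1` once the placeholders are filled in; without that variable the file only defines the functions, so it can be sourced and reviewed first.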

Troubleshooting

  • InvalidServiceName error — Confirm the endpoint service region matches and that the Nullify account has been added to the allowed principals.

  • Connection timeouts — Ensure your security group allows inbound traffic from the Nullify VPC CIDR range on the required ports.

  • Endpoint state not Available — Verify the endpoint service is active and the underlying Network Load Balancer targets are healthy.

For assistance with PrivateLink setup, contact the Nullify team at [email protected].
