# Private Networks

## Overview

Need to keep pentester activity inside your own network boundary? Nullify provides a containerised build of the pentester analyser through GitHub Container Registry and Amazon ECR. Run it behind your firewall, point it at internal hosts, and stream results back to your hosted tenant.

## Orchestration Options

* **CLI** — The [Nullify CLI](https://github.com/Nullify-Platform/cli) can launch engagements with the local container while still reporting results to the platform.
* **GitHub Action** — Use the [Nullify Pentester Action](https://github.com/Nullify-Platform/dast-action) (published as `dast-action`) in self-hosted runners to execute private engagements as part of release workflows.

Contact support for image coordinates, IAM policies, and sizing recommendations tailored to your environment.

## AWS PrivateLink

For customers who need pentest traffic to stay on a private network, Nullify supports connectivity via [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html). Instead of routing traffic over the public internet, Nullify connects to your applications through a VPC endpoint, keeping all communication within the AWS backbone.

### Prerequisites

* A VPC Endpoint Service in your AWS account. AWS PrivateLink supports endpoint services backed by a Network Load Balancer (NLB), Gateway Load Balancer (GWLB), or directly by an application running on supported compute (e.g. ECS, EKS, EC2).
* The endpoint service must be in an **Available** state.
* Your target applications must be reachable on the required ports from within the VPC.

### Setup Steps

#### 1. Create a VPC Endpoint Service

If you haven't already, create an endpoint service in the AWS Console or CLI that routes to your pentest target applications. See the [AWS documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) for supported configurations.

#### 2. Share the service details with Nullify

Provide the Nullify team with:

* Your **VPC Endpoint Service name** (e.g. `com.amazonaws.vpce.<region>.vpce-svc-<id>`).
* The **region** the service is deployed in.
* The **ports** your applications listen on.

#### 3. Whitelist the Nullify AWS account

Add the Nullify account as an allowed principal so we can create an interface endpoint to your service. The Nullify team will provide the account ID.

```bash
aws ec2 modify-vpc-endpoint-service-permissions \
  --service-id <your-service-id> \
  --add-allowed-principals arn:aws:iam::<nullify-account-id>:root \
  --region <region>
```

#### 4. Accept the VPC endpoint connection

Once Nullify creates the interface endpoint, accept the pending connection request. You can do this in the AWS Console under **VPC → Endpoint Services → Endpoint Connections**, or via the CLI:

```bash
aws ec2 accept-vpc-endpoint-connections \
  --service-id <your-service-id> \
  --vpc-endpoint-ids <endpoint-id> \
  --region <region>
```

#### 5. Update security groups

Ensure the security group attached to your target applications allows inbound traffic from the Nullify VPC CIDR range on the required ports. The Nullify team will provide the CIDR range to whitelist.

> **Note:** A self-referencing security group rule (one that only allows traffic from itself) will not permit traffic arriving through the VPC endpoint interface. You must add an explicit inbound rule for the Nullify CIDR range.

#### 6. Verify connectivity

The Nullify team will confirm connectivity to your applications over the private link. Once verified, the pentest can begin.
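Before asking for verification, it helps to confirm step 5 locally, since a self-referencing rule looks correct in the console but does not match endpoint traffic. The following script is an added example (not Nullify's tooling) that reads the JSON printed by `aws ec2 describe-security-groups` and reports which required ports lack an explicit inbound rule covering the Nullify CIDR; the group ID, CIDR and rules below are constructed placeholders.

```python
"""Check a target security group for the explicit inbound rules PrivateLink needs."""
import ipaddress
import json

# Constructed sample output of `aws ec2 describe-security-groups`:
# port 443 is only opened to the group itself, ports 8000-9000 to a CIDR.
SAMPLE_DESCRIBE_SG = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
            {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
             "IpRanges": [{"CidrIp": "10.200.0.0/16"}], "UserIdGroupPairs": []},
        ],
    }]
})


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if the rule applies to TCP traffic on `port` (or to all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("IpProtocol") == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def missing_ports(describe_sg_json: str, group_id: str,
                  nullify_cidr: str, ports: list[int]) -> list[int]:
    """Return the required ports with no explicit CIDR rule covering nullify_cidr.

    Rules in UserIdGroupPairs (including self-referencing ones) are ignored on
    purpose: traffic arriving through the interface endpoint does not match them.
    """
    wanted = ipaddress.ip_network(nullify_cidr)
    groups = json.loads(describe_sg_json)["SecurityGroups"]
    group = next(g for g in groups if g["GroupId"] == group_id)
    missing = []
    for port in ports:
        covered = any(
            wanted.subnet_of(ipaddress.ip_network(r["CidrIp"]))
            for rule in group["IpPermissions"] if _rule_covers_port(rule, port)
            for r in rule.get("IpRanges", [])
        )
        if not covered:
            missing.append(port)
    return missing


if __name__ == "__main__":
    gaps = missing_ports(SAMPLE_DESCRIBE_SG, "sg-0123456789abcdef0", "10.200.0.0/16", [443, 8443])
    print("ports lacking an explicit rule for the Nullify CIDR:", gaps)  # [443]
```

Run it against real output by piping `aws ec2 describe-security-groups --group-ids <sg-id> --region <region>` into the function with the CIDR and ports the Nullify team gave you; any port it lists will show up as a connection timeout during verification.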

### Troubleshooting

* **InvalidServiceName error** — Confirm the endpoint service name and region match what you shared, and that the Nullify account has been added to the allowed principals.
* **Connection timeouts** — Ensure your security group allows inbound traffic from the Nullify VPC CIDR range on the required ports.
* **Endpoint state not Available** — Verify the endpoint service is active and the underlying Network Load Balancer targets are healthy.

> For assistance with PrivateLink setup, contact the Nullify team at <support@nullify.ai>.

