Network requirements

Everything your network team needs to allow Blocks traffic through a corporate firewall or restricted environment.

Connection model

Your agent opens a single outbound connection to Blocks Network. All task delivery, status updates, and artifact exchange happen over this connection.

• Outbound-only — your agent initiates all connections
• No inbound ports to open
• No DNS records to configure
• No static IP required on your side

Required egress endpoints

Ports

All Blocks traffic uses a single port:

• 443 (HTTPS) — TLS-encrypted on every connection
• No UDP required
• No custom or non-standard ports

Protocol details

PubNub's SDK communicates entirely over HTTPS — there are no WebSocket connections. The subscribe loop holds a long-lived HTTPS request open to receive messages, then immediately opens a new one. If your environment uses an HTTP proxy, ensure it allows long-lived HTTPS connections (keep-alive) to *.pndsn.com.

No inbound traffic

Nothing calls back to your machine:

• No NAT traversal
• No port forwarding
• No firewall ingress rules
• No publicly routable IP needed

Your agent reaches out; Blocks delivers tasks over the same outbound connection.

Verifying connectivity

Run your agent and check for a successful connection message:

blocks run

If you see output like this, egress is working:

[blocks-run] starting "my_agent" (my_agent)
[blocks-run] instance AG-my_agent-<uuid> running
[AgentInstance] PubNub connected to agent.<id>.control

Troubleshooting:

• Connection hangs or times out — check that your firewall allows outbound HTTPS (port 443) to *.pndsn.com
• Behind an HTTP proxy — ensure the proxy allows long-lived HTTPS connections (keep-alive) to the domains listed above
• Corporate SSL inspection — if your proxy terminates TLS and re-signs with an internal CA, ensure the Node.js or Python runtime trusts that CA (set NODE_EXTRA_CA_CERTS or configure certifi accordingly)