Network Requirements
Firewall allowlist and network configuration for Vrex
Vrex is a cloud-connected desktop application. Corporate firewalls, VPNs, and proxies can block it if the destinations below are not permitted.
Allowlist table
All entries use the client network as the source. Copy this table directly into your firewall policy.
| Destination | Port / Protocol | Purpose |
|---|---|---|
app.vrex.no | TCP 443 | Account administration |
api.vrex.no | TCP 443 | Device authentication; Issues |
eu1.com.vrex.vixel.no (IP: 18.194.34.130) | UDP 5055, UDP 5056 | Audio and real-time visual sync |
cognito-idp.eu-central-1.amazonaws.com | TCP 443 | User authentication (AWS Cognito) |
2uhv8tme94.execute-api.eu-central-1.amazonaws.com | TCP 443 | API — Vrex content |
5n4hoaxzr1.execute-api.eu-central-1.amazonaws.com | TCP 443 | API — User preferences |
8uslevf82e.execute-api.eu-central-1.amazonaws.com | TCP 443 | API — Web sockets (notifications / status) |
szpdew7g70.execute-api.eu-central-1.amazonaws.com | TCP 443 | API — Analytics |
qcymfi5l22.execute-api.eu-central-1.amazonaws.com | TCP 443 | API — Integrations (Issues / models) |
uvn1nqbtvh.execute-api.eu-central-1.amazonaws.com | TCP 443 | API — Google Speech to Text relay |
speech.googleapis.com | TCP 443 | Speech to text (optional feature) |
vrex-projects-production.s3.eu-central-1.amazonaws.com | TCP 443 | 3D data buffer during sessions |
vrex-projects-release.s3.eu-central-1.amazonaws.com | TCP 443 | Application version check and update download |
Tip: If your policy supports wildcards, *.vrex.no covers the three Vrex-owned domains.
What can block Vrex
- Firewall — outbound TCP 443 and UDP 5055/5056 must be permitted to the destinations above
- VPN — split-tunnel configurations may drop UDP traffic; ensure the Vrex destinations are excluded from inspection or routed correctly
- Proxy — HTTPS proxies that perform SSL inspection can break Vrex authentication; add the Vrex domains to SSL/TLS scan exceptions
Security note
No original CAD files are distributed to meeting participants. Vrex streams model geometry from cloud storage (AWS S3, eu-central-1). Authentication is handled via AWS Cognito. Vrex does not require inbound connections from the internet.
Streaming (CloudXR / VR devices)
If your deployment includes VR headsets using cloud streaming, additional ports are required. Destination IPs are dynamic and drawn from Azure, AWS, and Google cloud ranges. Fixed IPs are available on request.
| Description | Direction | Protocol | Port(s) |
|---|---|---|---|
| CloudXR Control | Outbound | UDP | 47999 |
| CloudXR Audio | Outbound | UDP | 48000 |
| CloudXR Video | Outbound | UDP | 47998, 48005 |
| CloudXR Microphone | Outbound | UDP | 48002 |
| CloudXR RTSP | Inbound | UDP | 48010 |
| CloudXR Audio | Inbound | UDP | 49006, 49003 |
| CloudXR Microphone | Inbound | UDP | 49005, 50000–55000 |
| CloudXR RTSP | Inbound | TCP | 49004 |
| Interactive Spectator | Outbound | UDP | 48020–48119 |
| WebRTC STUN/TURN | Outbound | UDP, TCP | 3478, 80 (IPs: 162.55.53.5, 157.90.22.86) |
Dynamic IP ranges: Azure · AWS · Google
Test your connection
After applying allowlist changes:
- Open Vrex Launcher and click Launch Vrex
- Log in — a successful login confirms authentication endpoints are reachable
- Open a project — models loading confirms S3 access is permitted
- Join or start a session with another user — audio working confirms UDP 5055/5056 is open
- If any step fails, check your firewall logs for blocked connections to the destinations above
Still blocked?
See Troubleshooting or email support@vixel.no