Networking | Lakera API documentation

Lakera Red makes outbound HTTPS calls to your target, so the target must be reachable from the public internet. “Target” here means whatever Red calls — your agent endpoint directly, or a wrapper in front of it.

How Red reaches your target

Red is a SaaS hosted on Convex. During a scan, Red’s backend makes outbound HTTPS calls to the target URL you configured.

Red backend (Convex, AWS us-east-1)
        │   outbound HTTPS
        ▼
Your target endpoint

Red does not currently support native PrivateLink, VPC peering, or running inside your VPC.

Exposing a private target

If your AI workload runs in a private network (for example, EKS inside a private VPC), common patterns include:

Public hostname on your existing ingress. Add an ALB or NLB plus a DNS record (e.g. https://redteam-ai.customer.com) pointing at the Service or Ingress for the agent you want to test. Scope this hostname to the agent under test so you’re not exposing broader control-plane infrastructure.
Mirrored staging environment. Deploy a copy of the workload in a separate VPC or account with its own public ingress.
Reverse proxy in a DMZ. Run a small public-facing service — a Fargate task, EC2 instance, or pod behind a public ALB — that forwards requests from Red to your private endpoint. Also the right pattern if you need to control the egress IP yourself.

IP allowlisting

If your firewall or WAF only accepts traffic from specific sources, allow these ranges:

Protocol	Addresses
IPv4	`216.235.222.0/24`
IPv6	`2600:1f18:77e:2300::/56`, `2600:1f10:4a09:7c00::/56`

The source of truth is the Convex networking documentation.

IP allowlisting is not authentication. These ranges are shared across all Convex tenants in the region, not just Lakera’s.

Scan load

A full scan sends thousands of prompts, often in parallel.

Point Red at a non-production or red-team environment if at all possible.
Check that any WAF, rate limiter, or upstream LLM provider quota in front of the endpoint can absorb the traffic.
If the target is resource-constrained, lower Max Concurrent Requests in the target’s Advanced settings so Red throttles from its side.

Next steps

Agent Overview for supported contracts and auth.
Creating a wrapper if your API doesn’t match Red’s contracts.