Network requirements

Workbrew devices need outbound HTTPS access (port 443) to a set of domains for agent communication, Homebrew metadata, and package downloads.

Required domains#

Domain	Purpose
console.workbrew.com	Agent check-ins, commands, and agent updates
formulae.brew.sh	Homebrew formula and cask metadata API
ghcr.io	Bottle (pre-built binary) downloads from GitHub Container Registry
github.com	Tap repository clones and updates
*.githubusercontent.com	Cask downloads hosted on GitHub Releases

All communication uses HTTPS on port 443.

Cask download domains#

Cask downloads are fetched directly from each application vendor's servers. These vary by cask and cannot be predicted as a fixed list. For example:

• dl.google.com for Google Chrome
• download.mozilla.org for Firefox
• github.com or *.githubusercontent.com for GitHub-hosted releases

If your firewall restricts outbound traffic, you will need to allowlist vendor domains on a per-cask basis depending on which casks your fleet uses. See Configure your firewall for Workbrew for step-by-step setup instructions.

IP addresses#

We recommend allowlisting by FQDN (for example console.workbrew.com) rather than by IP address. The IPs behind console.workbrew.com are Cloudflare anycast addresses managed by our hosting provider and can change without notice. See Why we recommend FQDN-based allowlisting for details.

Homebrew environment variables#

Homebrew supports environment variables to redirect traffic through internal mirrors or proxies:

Variable	Purpose
HOMEBREW_BOTTLE_DOMAIN	Override where bottles are downloaded from (default: https://ghcr.io/v2/homebrew/core)
HOMEBREW_API_DOMAIN	Override the API metadata source (default: https://formulae.brew.sh/api)
HOMEBREW_ARTIFACT_DOMAIN	Prefix all download URLs, useful for routing through a caching proxy
HOMEBREW_BREW_GIT_REMOTE	Point Homebrew's own repository updates at an internal Git mirror
HOMEBREW_CORE_GIT_REMOTE	Point homebrew-core tap updates at an internal Git mirror