Cannot reach an API hosted on Vercel from a HuggingFace Space

Hey

I have created a simple gradio app: RealFaviconGenerator MCP Server - a Hugging Face Space by MCP-1st-Birthday

This app is supposed to connect to RealFaviconGenerator API, hosted on Vercel, to analyze a favicon.

When I start this app locally with uv run app.py, I can issue an analysis from the “Favicon analysis” tab. However, in the app running on HuggingFace (see link above), it doesn’t work. Instead, I get a timeout.

I created two '“debug tools”, Ping website and Check domain, to investigate. Here are my findings:

• On my machine, everything works: I can access RealFaviconGenerator API, access any website such as Amazon’s and resolve any domain such as Google’s.
• On HuggingFace, everything works but HTTP access to RealFaviconGenerator: whenever I try to use RealFaviconGenerator API or access a page of RealFaviconGenerator, I get a timeout. The rest works: realfavicongenerator.net can be resolved as a domain, and I can access the homepages of Amazon, etc.

At this point, I know the issue is when HuggingFace and Vercel are involved. I’m able to reproduce the issue with another website hosted on Vercel, which reinforce this hypothesis.

The issue might be due to the WAF of Vercel. What I tried:

• Add a rule to Vercel WAF to prevent check on routes starting with /api/v2/
• Disable WAF entirely

To no avail: I still get the same timeouts.

I wanted to whitelist IPs from HuggingFace, but I couldn’t find them.

Although I’m confident the issue is due to the HF-Vercel interaction, I don’t know what’s wrong and I couldn’t find anything relevant online.

Any though?

I posted the same issue on Vercel forum at Cannot access an API hosted on Vercel from a HuggingFace Space - Help - Vercel Community

I set up a test space and did some quick verification, but the behavior differs from the typical blocking issues seen with HF. It’s probably more of a network problem leaning toward Vercel than HF.

Given everything you’ve observed and what’s documented about Vercel and Hugging Face, the remaining plausible causes rank roughly like this:

1) Vercel’s platform-level firewall / DDoS mitigation is blocking your Space’s egress IP(s)

Why it fits best:

• From the Space:

  • DNS: realfavicongenerator.net → 76.76.21.21 (correct Vercel apex IP). (Vercel)
  • GET https://www.google.com → HTTP 200 in ~57 ms (so outbound HTTPS in general is fine).
  • Any https://realfavicongenerator.net/... → TCP connect timeout to 76.76.21.21:443 (never reaches TLS or HTTP).

• From your laptop:

  • Same URLs to realfavicongenerator.net work normally.

Vercel’s architecture matches this pattern:

• They run a platform-wide firewall + DDoS mitigation in front of all projects, before your own WAF rules. This layer can drop or throttle traffic it considers abusive or suspicious, especially from shared IPs or proxies.
• Their documentation explicitly warns that traffic coming from reverse proxies / shared egress IPs can be misclassified and blocked at this system layer, and they provide “bypass” mechanisms for trusted IP ranges. (Reddit)

Your Hugging Face Space is exactly such a shared-egress environment: many users’ apps share a small pool of outbound IPs. If one or more of those IPs got flagged by Vercel’s DDoS system, connections from those IPs to 76.76.21.21:443 would be dropped, producing exactly the ConnectTimeout you’re seeing.

This also explains why:

• Changing or disabling your project WAF rules has no effect: those rules run after the platform firewall, so traffic blocked by system-level mitigations never reaches them.

So, top hypothesis: Vercel’s system firewall/DDoS has (temporarily or permanently) blocked one or more Hugging Face egress IPs.

2) Hugging Face Spaces outbound filtering / firewall is blocking connections to 76.76.21.21 (or a Vercel range)

Why it’s also quite plausible:

• Hugging Face has confirmed that Spaces can make outbound HTTP(S) requests, but some external URLs/domains are intentionally blocked “to prevent abuse”, even though others work.

• There are multiple forum threads where:

  • The same code works locally.
  • The same host fails only from Spaces, often with DNS errors (ENOTFOUND, NameResolutionError) or connection errors, for specific APIs (e.g. Telegram, WIT.ai, some custom APIs), while other internet hosts work from the same Space.

Your case is a bit different (DNS succeeds, TCP connect times out), but it is still fully consistent with an HF-side egress firewall or routing ACL that silently drops packets to 76.76.21.21 (or a broader Vercel address range) while allowing other destinations.

Reasons this is slightly less likely than (1):

• HF’s published/observed blocking usually manifests as DNS failures or explicit errors for specific domains, rather than blackholing a major anycast IP like 76.76.21.21, which would affect many Vercel sites at once.
• Blocking all traffic to the main Vercel apex IP would be a pretty coarse rule; not impossible, but heavy-handed.

Still, it remains a strong candidate until either HF or Vercel confirms what they see on their side.

3) A routing / peering issue between Hugging Face’s hosting provider and Vercel for 76.76.21.21

Why it’s possible but less likely than (1)/(2):

• Conceptually, you could have a broken route or peering problem between HF’s data center and the anycast network behind 76.76.21.21:

  • DNS resolves correctly.
  • SYN packets leave the Space’s network but hit a black hole somewhere between HF and Vercel.

• This would also produce pure connect timeouts exactly like you see.

However:

• 76.76.21.21 is a widely used Vercel anycast IP. A generic routing issue affecting that IP would likely impact other customers / regions and would probably surface quickly in Vercel’s own monitoring and status channels. (Vercel)
• Such peering issues usually affect specific paths/regions temporarily and are often transient; your behavior seems stable and reproducible.

So this is a plausible third-place candidate: a specific path problem between HF’s network and Vercel’s anycast edge, but not the first thing to bet on.

4) Misconfigured Vercel project-level WAF / app or TLS-level issue

Why it’s now low-probability:

• Your stack traces show the failure at TCP connect (sock.connect), before TLS, so it is not:

  • A TLS handshake failure.
  • An HTTP redirect loop.
  • A 4xx/5xx from your app.

• You already:

  • Added a WAF rule to exclude /api/v2/*.
  • Disabled the WAF entirely.
  • Confirmed your API responds normally from your laptop / normal networks.

Because of the order of operations (platform firewall/DDoS first, then WAF, then your app), anything misconfigured at the WAF or app level would still require the TCP connection to succeed first, which it doesn’t.

So while you might have minor WAF tweaks to make later, they clearly aren’t the root cause of the current connect timeout behavior.

5) Exotic or transient causes (IPv6 quirk, temporary outage, etc.)

Things like:

• IPv6 vs IPv4 anomalies specific to that environment.
• A transient regional outage on Vercel’s anycast edge.
• A one-off kernel or sysctl misconfiguration on the host that runs your Space.

These can’t be completely ruled out, but:

• The issue is reproducible.
• It affects at least one other Vercel site you tested.
• Other HTTPS targets (like Google) work fine.

So these are background noise compared to (1)–(3).

Net summary

In short, based on your Space’s behavior and public docs:

1. Most likely: Vercel’s system-level firewall/DDoS mitigation is blocking one or more Hugging Face Spaces egress IPs from connecting to 76.76.21.21:443.
2. Second: Hugging Face Spaces’ outbound firewall/ACL is dropping packets to 76.76.21.21 (or a Vercel range) while allowing general internet access.
3. Third: A specific routing/peering black hole between HF’s network and Vercel’s anycast edge for that IP.
4. Low: Misconfigured project-WAF/app/TLS on your Vercel project.
5. Very low: Misc. transient or exotic networking bugs.

The only way to distinguish (1) vs (2) vs (3) is what you’re doing now: give both providers the minimal, precise reproduction and ask each what they see in their logs for connection attempts from your Space to 76.76.21.21:443.

Thank you John for your answer! The main takeaway is the upfront platform-wide firewall/anti-DDoS Vercel runs in front of all projets. It’s a likely root cause. I have contacted Vercel’s support.