Network requirements

This page covers network connectivity, firewall rules, and security requirements for production deployments.

External service connectivity

The Swiss AI Hub VM connects to external services depending on your configuration. All external connections use HTTPS (port 443).

Which providers you need depends on your deployment configuration.

AI service endpoints

Service	Endpoint	Port	Purpose
Swiss LLM Cloud	Configured via SWISS_LLM_CLOUD_API_BASE_URL	443	Text generation, embedding, reranking, whisper, OCR
Hugging Face	huggingface.co	443	Model downloads for self-hosted inference

GPU deployments running local vLLM do not require outbound connectivity to LLM providers.

Web search engines (SearXNG meta-search)

The platform's self-hosted SearXNG aggregator queries the search engines below on behalf of Open-WebUI when web search is enabled. The active engine set is configured in infra/configs/searxng/settings.yml; see Web search for the engine selection rationale and customisation guide.

Engine	Endpoint	Port	Purpose
Brave	search.brave.com	443	General web search (independent index)
DuckDuckGo	duckduckgo.com	443	General web search (no-tracking, proxies Bing)
Mojeek	www.mojeek.com	443	General web search (UK truly-independent crawler)
Qwant	www.qwant.com	443	General web search (French/EU, GDPR-native)
Startpage	www.startpage.com	443	Anonymized Google results (Dutch)
Wikidata	www.wikidata.org	443	Structured-data lookup
Wikipedia	*.wikipedia.org	443	Encyclopedia lookup

Disable web search in Open-WebUI to drop all of these requirements.

Agents and pipelines can call your existing enterprise systems.

Example customer integration endpoints

Service	Endpoint	Port	Protocol	Authentication
SharePoint	<tenant>.sharepoint.com	443	Graph API	OAuth2 (Azure AD App)
Confluence	<company>.atlassian.net	443	REST	API Token
Custom REST APIs	Customer-specific	443	REST	Various (API Key, OAuth2, mTLS)
SOAP Services	Customer-specific	443	SOAP	WS-Security, Basic Auth

Identity provider services

User authentication requires connectivity to your configured OIDC provider. The example below shows Microsoft Entra ID endpoints; substitute with your provider's endpoints as needed.

Service	Endpoint	Purpose
Microsoft Entra ID	login.microsoftonline.com	OAuth2/OIDC user authentication
Microsoft Graph	graph.microsoft.com	Only needed for SharePoint/OneDrive pipeline sources (not auth)

Inbound connections

Users and administrators connect to the Swiss AI Hub on these ports.

Source	Destination	Port	Purpose
User Browsers	VM Public IP	443	Web UI and chat interface
Administrators	VM Public IP	22	SSH administrative access

Firewall configuration

Production deployments expose three inbound ports. This minimizes the attack surface.

Inbound rules

Configure these rules in your network security group (NSG) or firewall:

Priority	Name	Port	Protocol	Purpose
100	AllowHTTPS	443	TCP	Primary access to Swiss AI Hub services
110	AllowHTTP	80	TCP	ACME/Let's Encrypt validation + HTTP→HTTPS redirect
120	AllowSSH	22	TCP	Administrative access (restrict source IPs)
65000	DenyAllInbound	*	*	Default deny all other inbound traffic

TIP

Restrict SSH access (port 22) to specific administrator IP addresses or VPN ranges instead of allowing from any source.

Outbound rules

The Swiss AI Hub needs outbound connectivity for external integrations and updates:

Priority	Name	Port	Protocol	Purpose
100	AllowHTTPS	443	TCP	API calls to LLM providers, external services
110	AllowHTTP	80	TCP	Let's Encrypt certificate validation
120	AllowDNS	53	UDP	DNS resolution

The platform reaches various external APIs based on your integrations. No additional outbound restrictions are needed.

Related documentation

• Deployment options - Architecture and hosting strategies
• Network security - Security architecture and defense-in-depth
• Authentication - Identity provider integration details
• Infrastructure layers - Infrastructure component overview