Networking Requirements
AI Guard requires specific network connectivity for SDK communication, token validation, metrics publishing, and classification profile retrieval.
Network Architecture
```text
+----------------------+      +------------------------------------------+
|   Customer Network   |      |      Workernode Kubernetes Cluster       |
|                      |      |                                          |
|  +----------------+  | HTTPS|  +--------------+     +---------------+  |
|  | AI App + SDK   |--+------+->|   AI Guard   |---->| scan-job-mgr  |  |
|  +----------------+  | :4443|  |   Service    |     +---------------+  |
|                      |      |  +------+-------+                        |
+----------------------+      |         |             +---------------+  |
                              |         +------------>| onprem-agent  |  |
                              |         |             +---------------+  |
                              +---------+--------------------------------+
                                        |
                                        v
                              +--------------------+
                              |  OneTrust Cloud    |
                              | (Token Validation) |
                              +--------------------+
```
Required Connectivity
Inbound: SDK Traffic
| Parameter | Value |
|---|---|
| Source | Customer application network (where the SDK runs) |
| Destination | AI Guard service pod |
| Port | 4443 (default, configurable) |
| Protocol | HTTPS (TLS) |
| Direction | Inbound to Workernode cluster |
The AI Guard service must be reachable from your application network. If the SDK runs on a different network than the Workernode host network, configure network bridging:
| Method | Description |
|---|---|
| NodePort | Expose the service on a static port on each cluster node |
| LoadBalancer | Provision an external load balancer (cloud environments) |
| Ingress | Route through an Ingress controller with TLS termination |
Outbound: Token Validation
| Parameter | Value |
|---|---|
| Source | AI Guard service pod |
| Destination | Customer's OneTrust tenant URL |
| Port | 443 (HTTPS) |
| Protocol | HTTPS |
| Direction | Outbound from Workernode cluster |
| Config | service.authorization.validation-endpoint / OT_SERVICE_BASE_URL |
The service must reach the customer's OneTrust tenant to validate API tokens. This requires outbound internet access or at minimum connectivity to the tenant URL.
Internal: Metrics Publishing
| Parameter | Value |
|---|---|
| Source | AI Guard service pod |
| Destination | datadiscovery-onprem-agent |
| Port | 8080 |
| Protocol | HTTP |
| Direction | Internal (Kubernetes network only) |
| Config | metrics.exporter.collector-endpoint / DATADISCOVERY_ONPREM_AGENT_URI |
Metrics are pushed to the on-prem agent over the internal Kubernetes network. No external network access is needed.
Internal: Classification Profiles
| Parameter | Value |
|---|---|
| Source | AI Guard service pod |
| Destination | scan-job-manager |
| Port | 8080 |
| Protocol | HTTP |
| Direction | Internal (Kubernetes network only) |
| Config | classification.client.classifier-base-url / JOB_EXECUTOR_BASE_URL |
Classification profiles are fetched from the scan job manager over the internal Kubernetes network. No external network access is needed.
Summary
| Connection | Direction | Port | Network | Required |
|---|---|---|---|---|
| SDK → AI Guard | Inbound | 4443 | External | Yes |
| AI Guard → OneTrust Tenant | Outbound | 443 | Internet | Yes |
| AI Guard → onprem-agent | Internal | 8080 | Kubernetes | For metrics |
| AI Guard → scan-job-manager | Internal | 8080 | Kubernetes | For classification |
Firewall Rules
Ensure the following firewall rules are configured:
```text
# Inbound: Allow SDK traffic to AI Guard
ALLOW TCP dst-port 4443 from <application-network-cidr> to <workernode-cidr>

# Outbound: Allow AI Guard to reach OneTrust tenant
ALLOW TCP dst-port 443 from <workernode-cidr> to <onetrust-tenant-ip>
```
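The same connectivity expressed as a least-privilege Kubernetes NetworkPolicy on the AI Guard pod, so that nothing beyond the four connections in the Summary table is allowed (an added example, not part of the OneTrust documentation). The pod labels, the application CIDR, the CoreDNS label and the assumption that onprem-agent and scan-job-manager run in the same namespace as AI Guard are placeholders to adjust for your cluster.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ai-guard-least-privilege
spec:
  podSelector:
    matchLabels:
      app: ai-guard                     # assumed label on the AI Guard pod
  policyTypes: [Ingress, Egress]
  ingress:
    # Inbound: only SDK traffic, only on the service port (4443 default)
    - from:
        - ipBlock:
            cidr: 10.20.0.0/16          # placeholder: application network CIDR
      ports:
        - protocol: TCP
          port: 4443
  egress:
    # Cluster DNS, so the internal service names resolve
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns         # assumed CoreDNS pod label
      ports:
        - protocol: UDP
          port: 53
    # Internal: metrics to onprem-agent, profiles from scan-job-manager
    - to:
        - podSelector:
            matchLabels:
              app: datadiscovery-onprem-agent   # assumed pod label
        - podSelector:
            matchLabels:
              app: scan-job-manager             # assumed pod label
      ports:
        - protocol: TCP
          port: 8080
    # Outbound: token validation at the OneTrust tenant, HTTPS only
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:                     # keep the internet rule off the private range
              - 10.0.0.0/8
      ports:
        - protocol: TCP
          port: 443
```

NetworkPolicy is only enforced when the cluster's CNI supports it, so verify with a blocked test connection rather than assuming it applies. If SDK traffic arrives through a NodePort or LoadBalancer with the default externalTrafficPolicy, the pod sees a node address as the source, and the ingress ipBlock must then cover the node range instead of the application network.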
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| SDK: connection timeout | Firewall blocking port 4443 | Open inbound rule for port 4443 |
| SDK: connection refused | Service not running or wrong port | Check pod status and service port |
| 401 Unauthorized on all requests | Token validation endpoint unreachable | Verify outbound access to OneTrust tenant |
| Metrics not appearing in AI Governance | onprem-agent not reachable | Check internal K8s DNS and connectivity |
| Classification returns empty results | scan-job-manager not reachable | Check internal K8s DNS and connectivity |
What's Next?
- Docker Deployment: Run AI Guard as a Docker container
- Kubernetes Deployment: Full Kubernetes deployment guide
- Troubleshooting: Common issues and solutions