# Networking Requirements

AI Guard requires specific network connectivity for SDK communication, token validation, metrics publishing, and classification profile retrieval.

## Network Architecture

```
┌──────────────────────┐         ┌──────────────────────────────────────────┐
│  Customer Network    │         │  Workernode Kubernetes Cluster           │
│                      │         │                                          │
│  ┌────────────────┐  │  HTTPS  │  ┌──────────────┐    ┌───────────────┐  │
│  │  AI App + SDK  │──┼────────►│  │  AI Guard    │───►│ scan-job-mgr  │  │
│  └────────────────┘  │  :4443  │  │  Service     │    └───────────────┘  │
│                      │         │  └──────┬───────┘                       │
└──────────────────────┘         │         │           ┌───────────────┐   │
                                 │         └──────────►│ onprem-agent  │   │
                                 │                     └───────────────┘   │
                                 └──────────────────────┬──────────────────┘
                                                        │
                                              ┌─────────▼──────────┐
                                              │  OneTrust Cloud    │
                                              │  (Token Validation)│
                                              └────────────────────┘
```

## Required Connectivity

### Inbound — SDK Traffic

| Parameter       | Value                                             |
| --------------- | ------------------------------------------------- |
| **Source**      | Customer application network (where the SDK runs) |
| **Destination** | AI Guard service pod                              |
| **Port**        | `4443` (default, configurable)                    |
| **Protocol**    | HTTPS (TLS)                                       |
| **Direction**   | Inbound to Workernode cluster                     |

The AI Guard service must be reachable from your application network. If the SDK runs on a different network from the Workernode cluster, expose the Service outside the cluster using one of the following methods:

| Method           | Description                                              |
| ---------------- | -------------------------------------------------------- |
| **NodePort**     | Expose the service on a static port on each cluster node |
| **LoadBalancer** | Provision an external load balancer (cloud environments) |
| **Ingress**      | Route through an Ingress controller with TLS termination |

Whichever method you choose, the SDK must trust the certificate presented on the exposed endpoint. With Ingress TLS termination, the SDK's TLS session ends at the Ingress controller, so the hop from the controller to the AI Guard pod is protected only by the cluster network; restrict that path (for example with a NetworkPolicy) or re-encrypt it if prompt content must not cross the cluster network in cleartext.

### Outbound — Token Validation

| Parameter       | Value                                                               |
| --------------- | ------------------------------------------------------------------- |
| **Source**      | AI Guard service pod                                                |
| **Destination** | Customer's OneTrust tenant URL                                      |
| **Port**        | `443` (HTTPS)                                                       |
| **Protocol**    | HTTPS                                                               |
| **Direction**   | Outbound from Workernode cluster                                    |
| **Config**      | `service.authorization.validation-endpoint` / `OT_SERVICE_BASE_URL` |

The service must reach the customer's OneTrust tenant to validate API tokens. This requires outbound internet access, or at minimum egress to the tenant hostname on TCP 443. Token validation sits on the request path: if the tenant is unreachable, requests cannot be authorized (see Troubleshooting).

### Internal — Metrics Publishing

| Parameter       | Value                                                                    |
| --------------- | ------------------------------------------------------------------------ |
| **Source**      | AI Guard service pod                                                     |
| **Destination** | `datadiscovery-onprem-agent`                                             |
| **Port**        | `8080`                                                                   |
| **Protocol**    | HTTP                                                                     |
| **Direction**   | Internal (Kubernetes network only)                                       |
| **Config**      | `metrics.exporter.collector-endpoint` / `DATADISCOVERY_ONPREM_AGENT_URI` |

Metrics are pushed to the on-prem agent over the internal Kubernetes network. No external network access is needed.

### Internal — Classification Profiles

| Parameter       | Value                                                                 |
| --------------- | --------------------------------------------------------------------- |
| **Source**      | AI Guard service pod                                                  |
| **Destination** | `scan-job-manager`                                                    |
| **Port**        | `8080`                                                                |
| **Protocol**    | HTTP                                                                  |
| **Direction**   | Internal (Kubernetes network only)                                    |
| **Config**      | `classification.client.classifier-base-url` / `JOB_EXECUTOR_BASE_URL` |

Classification profiles are fetched from the scan job manager over the internal Kubernetes network. No external network access is needed.
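As an added example (not OneTrust's tooling, and not code from this page), the following Python pre-flight script exercises each of the four paths in the tables above: it reads the documented configuration variables, derives host, port and TLS mode from each URL, then performs a TCP connect and, for HTTPS paths, a TLS handshake that verifies the certificate against the system trust store. The `AI_GUARD_URL` variable, the `ai-guard.example.internal` placeholder and the in-cluster default hostnames for the two internal paths are assumptions made for this example.

```python
"""Pre-flight check for the four AI Guard network paths described above.

Added example (not OneTrust tooling). Assumptions not taken from the page:
AI_GUARD_URL names the SDK-facing endpoint as seen from the application
network (default port 4443), and the two internal defaults are the in-cluster
DNS names of the Services named in the tables. The other variables are the
documented ones: OT_SERVICE_BASE_URL, DATADISCOVERY_ONPREM_AGENT_URI and
JOB_EXECUTOR_BASE_URL.
"""
from __future__ import annotations

import os
import socket
import ssl
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Endpoint:
    name: str        # which documented path this check covers
    host: str
    port: int
    tls: bool        # HTTPS paths get a certificate-verified TLS handshake
    direction: str   # "inbound", "outbound" or "internal", as in the summary table


def endpoint_from_url(name: str, url: str, direction: str,
                      default_port: int | None = None) -> Endpoint:
    """Resolve a configured base URL to a concrete host/port/TLS target.

    Port precedence: explicit port in the URL, then default_port, then the
    scheme default (443 for https, 80 for http).
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"{name}: expected http(s)://host[:port], got {url!r}")
    tls = parsed.scheme == "https"
    port = parsed.port or default_port or (443 if tls else 80)
    return Endpoint(name, parsed.hostname, port, tls, direction)


def plan_checks(env: dict[str, str]) -> list[Endpoint]:
    """Build the four checks from the environment (defaults are assumptions)."""
    if "OT_SERVICE_BASE_URL" not in env:
        raise ValueError("OT_SERVICE_BASE_URL must be set (tenant URL for token validation)")
    return [
        endpoint_from_url("SDK -> AI Guard",
                          env.get("AI_GUARD_URL", "https://ai-guard.example.internal"),
                          "inbound", default_port=4443),
        endpoint_from_url("AI Guard -> OneTrust tenant",
                          env["OT_SERVICE_BASE_URL"], "outbound"),
        endpoint_from_url("AI Guard -> onprem-agent",
                          env.get("DATADISCOVERY_ONPREM_AGENT_URI",
                                  "http://datadiscovery-onprem-agent:8080"),
                          "internal"),
        endpoint_from_url("AI Guard -> scan-job-manager",
                          env.get("JOB_EXECUTOR_BASE_URL",
                                  "http://scan-job-manager:8080"),
                          "internal"),
    ]


def check_endpoint(ep: Endpoint, timeout: float = 5.0) -> tuple[bool, str]:
    """TCP connect, then for HTTPS targets a TLS handshake that verifies the
    chain and hostname against the system trust store. Failure text maps to
    the likely causes in the troubleshooting table below."""
    try:
        with socket.create_connection((ep.host, ep.port), timeout=timeout) as sock:
            if not ep.tls:
                return True, "tcp ok"
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=ep.host) as tls_sock:
                return True, f"tls ok ({tls_sock.version()})"
    except socket.gaierror as exc:
        return False, f"dns failure: {exc} (internal path: check cluster DNS / Service name)"
    except (socket.timeout, TimeoutError):
        return False, "timeout (a firewall is probably dropping the connection)"
    except ConnectionRefusedError:
        return False, "connection refused (nothing listening on this port)"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted: {exc.verify_message}"
    except OSError as exc:
        return False, f"error: {exc}"


if __name__ == "__main__":
    # Run inside the cluster (e.g. kubectl exec into a pod) for the internal and
    # outbound paths, and from the application network for the inbound path.
    failed = 0
    for ep in plan_checks(dict(os.environ)):
        ok, detail = check_endpoint(ep)
        failed += not ok
        print(f"{'PASS' if ok else 'FAIL'}  {ep.name:<28} {ep.host}:{ep.port}  {detail}")
    raise SystemExit(1 if failed else 0)
```

Run it twice: once from a pod in the Workernode cluster, where the two internal paths and the outbound tenant path are meaningful, and once from a host on the application network, where only the inbound path matters. A timeout points at a firewall, a refusal at a service or port mismatch, and a DNS failure on an internal path at the cluster DNS or Service name, which matches the troubleshooting table. A certificate failure on the inbound path means the SDK hosts will hit the same problem unless the issuing CA is in their trust store.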

## Summary

| Connection                  | Direction | Port | Network    | Required           |
| --------------------------- | --------- | ---- | ---------- | ------------------ |
| SDK → AI Guard              | Inbound   | 4443 | External   | Yes                |
| AI Guard → OneTrust Tenant  | Outbound  | 443  | Internet   | Yes                |
| AI Guard → onprem-agent     | Internal  | 8080 | Kubernetes | For metrics        |
| AI Guard → scan-job-manager | Internal  | 8080 | Kubernetes | For classification |

## Firewall Rules

Ensure the following firewall rules are configured (shown in a vendor-neutral pseudo-syntax; translate them into your firewall's own rule language):

```
# Inbound: Allow SDK traffic to AI Guard
ALLOW TCP dst-port 4443 from <application-network-cidr> to <workernode-cidr>

# Outbound: Allow AI Guard to reach OneTrust tenant
ALLOW TCP dst-port 443 from <workernode-cidr> to <onetrust-tenant-ip>
```

If you exposed the service through a NodePort or LoadBalancer, the inbound rule's destination port is the exposed port, which is not necessarily 4443. Cloud-hosted tenant addresses can change, so where your firewall supports FQDN-based rules, key the outbound rule on the tenant hostname rather than a fixed `<onetrust-tenant-ip>`. The internal paths on port 8080 stay inside the Kubernetes network and need no perimeter rule.

## Troubleshooting

| Symptom                                | Likely Cause                          | Resolution                                |
| -------------------------------------- | ------------------------------------- | ----------------------------------------- |
| SDK: connection timeout                | Firewall blocking port 4443           | Open inbound rule for port 4443           |
| SDK: connection refused                | Service not running or wrong port     | Check pod status and service port         |
| 401 Unauthorized on all requests       | Token validation endpoint unreachable | Verify outbound access to OneTrust tenant |
| Metrics not appearing in AI Governance | onprem-agent not reachable            | Check internal K8s DNS and connectivity   |
| Classification returns empty results   | scan-job-manager not reachable        | Check internal K8s DNS and connectivity   |

## What's Next?

* [Docker Deployment](https://developer.onetrust.com/onetrust/docs/ai-guard-docker) — Run AI Guard as a Docker container
* [Kubernetes Deployment](https://developer.onetrust.com/onetrust/docs/ai-guard-kubernetes) — Full Kubernetes deployment guide
* [Troubleshooting](https://developer.onetrust.com/onetrust/docs/ai-guard-troubleshooting) — Common issues and solutions