Networking Requirements
AI Guard requires specific network connectivity for SDK communication, token validation, metrics publishing, and classification profile retrieval.
Network Architecture
```
┌──────────────────────┐          ┌─────────────────────────────────────────┐
│   Customer Network   │          │      Workernode Kubernetes Cluster      │
│                      │          │                                         │
│ ┌────────────────┐   │  HTTPS   │  ┌──────────────┐     ┌───────────────┐ │
│ │  AI App + SDK  │───┼─────────►│  │   AI Guard   │────►│  scan-job-mgr │ │
│ └────────────────┘   │  :4443   │  │   Service    │     └───────────────┘ │
│                      │          │  └──────┬───────┘                       │
└──────────────────────┘          │         │           ┌───────────────┐   │
                                  │         └──────────►│  onprem-agent │   │
                                  │                     └───────────────┘   │
                                  └────────────────────┬────────────────────┘
                                                       │
                                             ┌─────────▼──────────┐
                                             │   OneTrust Cloud   │
                                             │ (Token Validation) │
                                             └────────────────────┘
```
Required Connectivity
Inbound — SDK Traffic
| Parameter | Value |
|---|---|
| Source | Customer application network (where the SDK runs) |
| Destination | AI Guard service pod |
| Port | 4443 (default, configurable) |
| Protocol | HTTPS (TLS) |
| Direction | Inbound to Workernode cluster |
The AI Guard service must be reachable from your application network. If the SDK runs on a different network than the Workernode host network, configure network bridging:
| Method | Description |
|---|---|
| NodePort | Expose the service on a static port on each cluster node |
| LoadBalancer | Provision an external load balancer (cloud environments) |
| Ingress | Route through an Ingress controller with TLS termination |
Outbound — Token Validation
| Parameter | Value |
|---|---|
| Source | AI Guard service pod |
| Destination | Customer's OneTrust tenant URL |
| Port | 443 (HTTPS) |
| Protocol | HTTPS |
| Direction | Outbound from Workernode cluster |
| Config | service.authorization.validation-endpoint / OT_SERVICE_BASE_URL |
The service must reach the customer's OneTrust tenant to validate API tokens. This requires outbound internet access or at minimum connectivity to the tenant URL.
Internal — Metrics Publishing
| Parameter | Value |
|---|---|
| Source | AI Guard service pod |
| Destination | datadiscovery-onprem-agent |
| Port | 8080 |
| Protocol | HTTP |
| Direction | Internal (Kubernetes network only) |
| Config | metrics.exporter.collector-endpoint / DATADISCOVERY_ONPREM_AGENT_URI |
Metrics are pushed to the on-prem agent over the internal Kubernetes network. No external network access is needed.
Internal — Classification Profiles
| Parameter | Value |
|---|---|
| Source | AI Guard service pod |
| Destination | scan-job-manager |
| Port | 8080 |
| Protocol | HTTP |
| Direction | Internal (Kubernetes network only) |
| Config | classification.client.classifier-base-url / JOB_EXECUTOR_BASE_URL |
Classification profiles are fetched from the scan job manager over the internal Kubernetes network. No external network access is needed.
Summary
| Connection | Direction | Port | Network | Required |
|---|---|---|---|---|
| SDK → AI Guard | Inbound | 4443 | External | Yes |
| AI Guard → OneTrust Tenant | Outbound | 443 | Internet | Yes |
| AI Guard → onprem-agent | Internal | 8080 | Kubernetes | For metrics |
| AI Guard → scan-job-manager | Internal | 8080 | Kubernetes | For classification |
Firewall Rules
Ensure the following firewall rules are configured (shown in generic notation; translate them to your firewall's syntax and replace the bracketed placeholders with your own address ranges):
```
# Inbound: Allow SDK traffic to AI Guard
ALLOW TCP dst-port 4443 from <application-network-cidr> to <workernode-cidr>

# Outbound: Allow AI Guard to reach OneTrust tenant
ALLOW TCP dst-port 443 from <workernode-cidr> to <onetrust-tenant-ip>
```
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| SDK: connection timeout | Firewall blocking port 4443 | Open inbound rule for port 4443 |
| SDK: connection refused | Service not running or wrong port | Check pod status and service port |
| 401 Unauthorized on all requests | Token validation endpoint unreachable | Verify outbound access to OneTrust tenant |
| Metrics not appearing in AI Governance | onprem-agent not reachable | Check internal K8s DNS and connectivity |
| Classification returns empty results | scan-job-manager not reachable | Check internal K8s DNS and connectivity |
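As an added preflight check (not part of the AI Guard product or its documentation), the script below tries each outbound and internal path from the summary table and maps failures onto the troubleshooting table. It reads the OT_SERVICE_BASE_URL, DATADISCOVERY_ONPREM_AGENT_URI and JOB_EXECUTOR_BASE_URL variables named in the Config rows above; the default URLs are constructed placeholders, and the hint texts are this example's own wording. Run it from a pod in the Workernode cluster so the internal service names resolve; the inbound SDK path on 4443 is not covered, since it has to be tested from the application network.

```python
import os
import socket
import ssl
from urllib.parse import urlsplit

# Paths keyed by the env vars from the Config rows above; the defaults are
# constructed placeholders so the script still runs when the vars are unset.
PATHS = {
    "OneTrust tenant (token validation)": ("OT_SERVICE_BASE_URL", "https://tenant.example.invalid"),
    "onprem-agent (metrics)": ("DATADISCOVERY_ONPREM_AGENT_URI", "http://datadiscovery-onprem-agent:8080"),
    "scan-job-manager (classification)": ("JOB_EXECUTOR_BASE_URL", "http://scan-job-manager:8080"),
}
# (exception class, status, resolution aligned with the Troubleshooting table)
FAILURES = (
    (socket.gaierror, "dns", "hostname does not resolve: check internal K8s DNS and the URL"),
    (ConnectionRefusedError, "refused", "nothing listening: check pod status and service port"),
    (socket.timeout, "timeout", "no response: a firewall or route is dropping the traffic"),
    (ssl.SSLError, "tls", "TCP connected but TLS handshake failed: check certificates/proxy"),
)
HINTS = {status: hint for _, status, hint in FAILURES}

def endpoint_from_url(url):
    """Return (host, port, use_tls); port defaults to 443 for https, 80 for http."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported endpoint URL: {url!r}")
    use_tls = parts.scheme == "https"
    return parts.hostname, parts.port or (443 if use_tls else 80), use_tls

def check_endpoint(host, port, use_tls, timeout=3.0):
    """TCP connect (plus TLS handshake for https); returns 'ok' or a failure status."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if use_tls:  # verify the chain and hostname exactly as a real client would
                with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                    pass
        return "ok"
    except OSError as exc:  # every class in FAILURES derives from OSError
        for cls, status, _ in FAILURES:
            if isinstance(exc, cls):
                return status
        return "error"  # e.g. host unreachable: check routing from the pod network

def run_preflight(env=os.environ):
    return {name: check_endpoint(*endpoint_from_url(env.get(var, default)))
            for name, (var, default) in PATHS.items()}

if __name__ == "__main__":
    for name, status in run_preflight().items():
        print(f"{name}: {status}" + ("" if status == "ok" else f" -> {HINTS.get(status, 'see Troubleshooting')}"))
```

A `tls` result on the tenant path means the outbound firewall rule is working and the remaining problem is certificate or proxy related rather than connectivity.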
What's Next?
- Docker Deployment — Run AI Guard as a Docker container
- Kubernetes Deployment — Full Kubernetes deployment guide
- Troubleshooting — Common issues and solutions