From 2264efe269390b03dcc587a0c667bcae968ca090 Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Tue, 16 Jun 2026 14:24:10 +1000 Subject: [PATCH 01/14] add Network and Firewall Requirements page with list of domains --- docs/guides/operator-guide-aks-enclave.md | 4 ++ docs/guides/operator-guide-aws-marketplace.md | 2 +- docs/guides/operator-guide-azure-enclave.md | 2 +- ...operator-private-gcp-confidential-space.md | 2 + .../operator-private-network-requirements.md | 39 +++++++++++++++++++ sidebars.js | 1 + 6 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 docs/guides/operator-private-network-requirements.md diff --git a/docs/guides/operator-guide-aks-enclave.md b/docs/guides/operator-guide-aks-enclave.md index c44a7b9f7..6ac7cfb9a 100644 --- a/docs/guides/operator-guide-aks-enclave.md +++ b/docs/guides/operator-guide-aks-enclave.md @@ -254,6 +254,10 @@ az network vnet subnet update \ --nat-gateway ${NAT_GATEWAY_NAME} ``` +:::note +The NAT gateway provides the operator's outbound internet access. If your environment restricts outbound network traffic, you must allow the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). +::: + #### Get the AKS Subnet ID To create the AKS subnet ID, run the following command, using your own values as needed: diff --git a/docs/guides/operator-guide-aws-marketplace.md b/docs/guides/operator-guide-aws-marketplace.md index 739ac4123..a6a5b4764 100644 --- a/docs/guides/operator-guide-aws-marketplace.md +++ b/docs/guides/operator-guide-aws-marketplace.md @@ -154,7 +154,7 @@ To avoid passing certificates associated with your domain into the enclave, inbo | ----------- | --------- | -------- | ------ | | 80 | Inbound | HTTP | Serves all UID2 APIs, including the healthcheck endpoint `/ops/healthcheck`.
When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Checking UID2 Operator status](#checking-uid2-operator-status). | | 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). | -| 443 | Outbound | HTTPS | Calls the UID2 Core Service, AWS S3, to download files for opt-out data and key store. | +| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. If your environment restricts outbound network traffic, you must allow the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). | ### VPC chart diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index 6e43ad28e..85d9a6cf7 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -330,7 +330,7 @@ The following table provides information about supported protocols. | ----------- | --------- | -------- | ------ | | 80 | Inbound | HTTP | Serves all UID2 APIs, including the health check endpoint `/ops/healthcheck`.
When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Running the health check](#running-the-health-check). | | 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). For details, see [Scraping metrics](#scraping-metrics). | -| 443 | Outbound | HTTPS | Calls the UID2 Core Service and Azure Blob Storage, to download files for opt-out data and key store. | +| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. If your environment restricts outbound network traffic, you must allow the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). | ## Upgrading diff --git a/docs/guides/operator-private-gcp-confidential-space.md b/docs/guides/operator-private-gcp-confidential-space.md index 4981d9abb..4528bb9a0 100644 --- a/docs/guides/operator-private-gcp-confidential-space.md +++ b/docs/guides/operator-private-gcp-confidential-space.md @@ -90,6 +90,8 @@ Before choosing your deployment option, complete these Google Cloud setup steps: 1. Enable egress rule. If your VPC infrastructure only allows egress to known endpoints, you will need to enable an egress rule to allow the operator to retrieve the certificates required for attestation. To enable this, follow the details in this document from Google: [VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/supported-products#table_confidential_space). + You must also allow outbound access to the UID2 service and storage destinations that the operator depends on. For the full list, see [Network and firewall requirements](operator-private-network-requirements.md). + ### UID2 Operator account setup Ask your UID2 contact to register your organization as a UID2 Operator. If you're not sure who to ask, see [Contact info](../getting-started/gs-account-setup.md#contact-info). 
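Review bot: the Azure table row in this hunk changes the documented storage backend from Azure Blob Storage to AWS S3, which is a substantive correction that the commit message ("add Network and Firewall Requirements page with list of domains") does not mention; if the Azure operator really reads from S3, call that out in the message or split it into its own commit so it can be reviewed on its own. The same row (and the AWS row above it) still names only the Core Service and S3, while the page added in this patch also lists `optout-prod.uidapi.com` / `optout-integ.uidapi.com` as required destinations; consider "Calls the UID2 Core Service, the UID2 Opt-Out Service, and AWS S3, to download files for opt-out data and key store." so the table and the egress list agree.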
diff --git a/docs/guides/operator-private-network-requirements.md b/docs/guides/operator-private-network-requirements.md new file mode 100644 index 000000000..33aa59c47 --- /dev/null +++ b/docs/guides/operator-private-network-requirements.md 
@@ -0,0 +1,39 @@ +--- +title: Private Operator network and firewall requirements +sidebar_label: Network and firewall requirements +pagination_label: Private Operator network and firewall requirements +description: Outbound network destinations a Private Operator must reach, for configuring egress firewall allowlists. +hide_table_of_contents: false +sidebar_position: 16 +displayed_sidebar: docs +--- + +import Link from '@docusaurus/Link'; + +# Private Operator network and firewall requirements + +A Private Operator connects to the UID2 Core and Opt-Out services, and downloads data files directly from AWS S3 using URLs that the Core service provides. For details, see [Private Operator workflow](integration-options-private-operator.md#private-operator-workflow). + +If your environment restricts outbound network traffic, you must allow outbound HTTPS (port 443) to all of the destinations below, or the operator cannot start. + +## Integration + +| Hostname | Purpose | +| --- | --- | +| `core-integ.uidapi.com` | Core Service (attestation, keys, salts, configuration) | +| `optout-integ.uidapi.com` | Opt-Out Service | +| `uid2-core-integ-store.s3.us-east-2.amazonaws.com` | Core data storage | +| `uid2-optout-integ-store.s3.us-east-2.amazonaws.com` | Opt-out data storage | + +## Production + +| Hostname | Purpose | +| --- | --- | +| `core-prod.uidapi.com` | Core Service (attestation, keys, salts, configuration) | +| `optout-prod.uidapi.com` | Opt-Out Service | +| `uid2-core-prod-store.s3.us-east-2.amazonaws.com` | Core data storage | +| `uid2-core-prod-store-replica.s3.us-west-2.amazonaws.com` | Core data storage (failover replica) | +| `uid2-optout-prod-store.s3.us-east-2.amazonaws.com` | Opt-out data storage | +| `uid2-optout-prod-store-replica.s3.us-west-2.amazonaws.com` | Opt-out data storage (failover replica) | + +Allow these by hostname rather than by IP address, as the underlying addresses change. 
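Review bot: "you must allow outbound HTTPS (port 443) to all of the destinations below, or the operator cannot start" is wrong in both directions: an operator only needs the hosts for the environment it is deployed to (integration or production), and the list is not sufficient on its own, because the GCP hunk in this same patch says the operator must also reach Google endpoints to fetch the certificates required for attestation. Suggest scoping the sentence to the destinations for your environment and adding a line that platform-specific attestation and metadata endpoints are covered in each platform guide. Three smaller points: the S3 entries are per-bucket hostnames, so it is worth saying explicitly not to widen them to a `*.s3.us-east-2.amazonaws.com` wildcard, which would let the enclave reach any bucket; "Allow these by hostname rather than by IP address" presumes an FQDN- or SNI-aware egress control (proxy or layer-7 firewall), since a security group or NSG alone cannot express a hostname rule, and the page should say so; and `import Link from '@docusaurus/Link';` is unused in this file.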
diff --git a/sidebars.js b/sidebars.js index d23c8b9d0..173fd157e 100644 --- a/sidebars.js +++ b/sidebars.js @@ -259,6 +259,7 @@ const fullSidebar = [ 'guides/operator-private-gcp-confidential-space', 'guides/operator-guide-azure-enclave', 'guides/operator-guide-aks-enclave', + 'guides/operator-private-network-requirements', ], }, ], From 2f12fc663393daa1f0f62a5daca5f3f3b05458b1 Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Tue, 16 Jun 2026 16:08:44 +1000 Subject: [PATCH 02/14] move to Note sections --- docs/guides/operator-guide-aks-enclave.md | 2 +- docs/guides/operator-guide-aws-marketplace.md | 6 +++++- docs/guides/operator-guide-azure-enclave.md | 6 +++++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/guides/operator-guide-aks-enclave.md b/docs/guides/operator-guide-aks-enclave.md index 6ac7cfb9a..2a9a2419f 100644 --- a/docs/guides/operator-guide-aks-enclave.md +++ b/docs/guides/operator-guide-aks-enclave.md @@ -255,7 +255,7 @@ az network vnet subnet update \ ``` :::note -The NAT gateway provides the operator's outbound internet access. If your environment restricts outbound network traffic, you must allow the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). ::: #### Get the AKS Subnet ID diff --git a/docs/guides/operator-guide-aws-marketplace.md b/docs/guides/operator-guide-aws-marketplace.md index a6a5b4764..6f2bf51a3 100644 --- a/docs/guides/operator-guide-aws-marketplace.md +++ b/docs/guides/operator-guide-aws-marketplace.md @@ -154,7 +154,11 @@ To avoid passing certificates associated with your domain into the enclave, inbo | ----------- | --------- | -------- | ------ | | 80 | Inbound | HTTP | Serves all UID2 APIs, including the healthcheck endpoint `/ops/healthcheck`.
When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Checking UID2 Operator status](#checking-uid2-operator-status). | | 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). | -| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. If your environment restricts outbound network traffic, you must allow the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). | +| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. | + +:::note +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). +::: ### VPC chart diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index 85d9a6cf7..9fb74dbfc 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -330,7 +330,11 @@ The following table provides information about supported protocols. | ----------- | --------- | -------- | ------ | | 80 | Inbound | HTTP | Serves all UID2 APIs, including the health check endpoint `/ops/healthcheck`.
When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Running the health check](#running-the-health-check). | | 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). For details, see [Scraping metrics](#scraping-metrics). | -| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. If your environment restricts outbound network traffic, you must allow the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). | +| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. | + +:::note +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). +::: ## Upgrading From cdd2d036acb36aba5a351b2bde4d18271394975c Mon Sep 17 00:00:00 2001 From: swibi-ttd Date: Wed, 17 Jun 2026 09:31:33 +1000 Subject: [PATCH 03/14] Update wording on IP address warning Co-authored-by: Gen Whitt <107279666+genwhittTTD@users.noreply.github.com> --- docs/guides/operator-private-network-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/operator-private-network-requirements.md b/docs/guides/operator-private-network-requirements.md index 33aa59c47..f8949122b 100644 --- a/docs/guides/operator-private-network-requirements.md +++ b/docs/guides/operator-private-network-requirements.md 
@@ -36,4 +36,4 @@ If your environment restricts outbound network traffic, you must allow outbound | `uid2-optout-prod-store.s3.us-east-2.amazonaws.com` | Opt-out data storage | | `uid2-optout-prod-store-replica.s3.us-west-2.amazonaws.com` | Opt-out data storage (failover replica) | -Allow these by hostname rather than by IP address, as the underlying addresses change. +Allow these by hostname rather than by IP address, because the underlying addresses might change. From 30ca2a9f5522d4e2bda68242a75de83ef99bc949 Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Wed, 17 Jun 2026 09:35:05 +1000 Subject: [PATCH 04/14] move network requirements page to ref-info --- .../{guides => ref-info}/operator-private-network-requirements.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/{guides => ref-info}/operator-private-network-requirements.md (100%) diff --git a/docs/guides/operator-private-network-requirements.md b/docs/ref-info/operator-private-network-requirements.md similarity index 100% rename from docs/guides/operator-private-network-requirements.md rename to docs/ref-info/operator-private-network-requirements.md From 63f8daa5587427d197beb8941e7ea0bedb5c226b Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Wed, 17 Jun 2026 09:47:15 +1000 Subject: [PATCH 05/14] update sidebar position --- sidebars.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidebars.js b/sidebars.js index 173fd157e..9a9ceb03e 100644 --- a/sidebars.js +++ b/sidebars.js @@ -259,7 +259,6 @@ const fullSidebar = [ 'guides/operator-private-gcp-confidential-space', 'guides/operator-guide-azure-enclave', 'guides/operator-guide-aks-enclave', - 'guides/operator-private-network-requirements', ], }, ], @@ -379,6 +378,7 @@ const fullSidebar = [ 'ref-info/ref-how-uid-is-created', 'ref-info/ref-server-side-token-generation', 'ref-info/ref-integration-sso-providers', + 'ref-info/operator-private-network-requirements', 'ref-info/deprecation-schedule', ], }, 
From 598892a5f648f5fe5bf4e57e67f3ec423896f1e6 Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Wed, 17 Jun 2026 09:47:47 +1000 Subject: [PATCH 06/14] update links after moving page --- docs/guides/operator-guide-aks-enclave.md | 2 +- docs/guides/operator-guide-aws-marketplace.md | 2 +- docs/guides/operator-guide-azure-enclave.md | 2 +- docs/guides/operator-private-gcp-confidential-space.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/guides/operator-guide-aks-enclave.md b/docs/guides/operator-guide-aks-enclave.md index 2a9a2419f..3268151a1 100644 --- a/docs/guides/operator-guide-aks-enclave.md +++ b/docs/guides/operator-guide-aks-enclave.md @@ -255,7 +255,7 @@ az network vnet subnet update \ ``` :::note -If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](../ref-info/operator-private-network-requirements.md). ::: #### Get the AKS Subnet ID diff --git a/docs/guides/operator-guide-aws-marketplace.md b/docs/guides/operator-guide-aws-marketplace.md index 6f2bf51a3..cade4901e 100644 --- a/docs/guides/operator-guide-aws-marketplace.md +++ b/docs/guides/operator-guide-aws-marketplace.md 
@@ -157,7 +157,7 @@ To avoid passing certificates associated with your domain into the enclave, inbo | 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. | :::note -If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](../ref-info/operator-private-network-requirements.md). ::: ### VPC chart diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index 9fb74dbfc..ffaa21a54 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -333,7 +333,7 @@ The following table provides information about supported protocols. | 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. | :::note -If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](operator-private-network-requirements.md). +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](../ref-info/operator-private-network-requirements.md). ::: ## Upgrading diff --git a/docs/guides/operator-private-gcp-confidential-space.md b/docs/guides/operator-private-gcp-confidential-space.md index 4528bb9a0..dfa74bcef 100644 --- a/docs/guides/operator-private-gcp-confidential-space.md +++ b/docs/guides/operator-private-gcp-confidential-space.md 
@@ -90,7 +90,7 @@ Before choosing your deployment option, complete these Google Cloud setup steps: 1. Enable egress rule. If your VPC infrastructure only allows egress to known endpoints, you will need to enable an egress rule to allow the operator to retrieve the certificates required for attestation. To enable this, follow the details in this document from Google: [VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/supported-products#table_confidential_space). - You must also allow outbound access to the UID2 service and storage destinations that the operator depends on. For the full list, see [Network and firewall requirements](operator-private-network-requirements.md). + You must also allow outbound access to the UID2 service and storage destinations that the operator depends on. For the full list, see [Network and firewall requirements](../ref-info/operator-private-network-requirements.md). ### UID2 Operator account setup From bc7b8a54855fc2e4aa4621de52aa02e984086f2f Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Wed, 17 Jun 2026 09:48:11 +1000 Subject: [PATCH 07/14] update sidebar label and relative link --- docs/ref-info/operator-private-network-requirements.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ref-info/operator-private-network-requirements.md b/docs/ref-info/operator-private-network-requirements.md index f8949122b..f147ec10a 100644 --- a/docs/ref-info/operator-private-network-requirements.md +++ b/docs/ref-info/operator-private-network-requirements.md @@ -1,6 +1,6 @@ --- title: Private Operator network and firewall requirements -sidebar_label: Network and firewall requirements +sidebar_label: Private Operator network and firewall requirements pagination_label: Private Operator network and firewall requirements description: Outbound network destinations a Private Operator must reach, for configuring egress firewall allowlists. hide_table_of_contents: false 
@@ -12,7 +12,7 @@ import Link from '@docusaurus/Link'; # Private Operator network and firewall requirements -A Private Operator connects to the UID2 Core and Opt-Out services, and downloads data files directly from AWS S3 using URLs that the Core service provides. For details, see [Private Operator workflow](integration-options-private-operator.md#private-operator-workflow). +A Private Operator connects to the UID2 Core and Opt-Out services, and downloads data files directly from AWS S3 using URLs that the Core service provides. For details, see [Private Operator workflow](../guides/integration-options-private-operator.md#private-operator-workflow). If your environment restricts outbound network traffic, you must allow outbound HTTPS (port 443) to all of the destinations below, or the operator cannot start. From 908f8bdfa4891a7db9487dea572778b11b4800a6 Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Wed, 17 Jun 2026 09:53:09 +1000 Subject: [PATCH 08/14] copy file into japanese section to avoid broken links --- .../operator-private-network-requirements.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md diff --git a/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md b/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md new file mode 100644 index 000000000..f147ec10a --- /dev/null +++ b/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md 
@@ -0,0 +1,39 @@ +--- +title: Private Operator network and firewall requirements +sidebar_label: Private Operator network and firewall requirements +pagination_label: Private Operator network and firewall requirements +description: Outbound network destinations a Private Operator must reach, for configuring egress firewall allowlists. +hide_table_of_contents: false +sidebar_position: 16 +displayed_sidebar: docs +--- + +import Link from '@docusaurus/Link'; + +# Private Operator network and firewall requirements + +A Private Operator connects to the UID2 Core and Opt-Out services, and downloads data files directly from AWS S3 using URLs that the Core service provides. For details, see [Private Operator workflow](../guides/integration-options-private-operator.md#private-operator-workflow). + +If your environment restricts outbound network traffic, you must allow outbound HTTPS (port 443) to all of the destinations below, or the operator cannot start. + +## Integration + +| Hostname | Purpose | +| --- | --- | +| `core-integ.uidapi.com` | Core Service (attestation, keys, salts, configuration) | +| `optout-integ.uidapi.com` | Opt-Out Service | +| `uid2-core-integ-store.s3.us-east-2.amazonaws.com` | Core data storage | +| `uid2-optout-integ-store.s3.us-east-2.amazonaws.com` | Opt-out data storage | + +## Production + +| Hostname | Purpose | +| --- | --- | +| `core-prod.uidapi.com` | Core Service (attestation, keys, salts, configuration) | +| `optout-prod.uidapi.com` | Opt-Out Service | +| `uid2-core-prod-store.s3.us-east-2.amazonaws.com` | Core data storage | +| `uid2-core-prod-store-replica.s3.us-west-2.amazonaws.com` | Core data storage (failover replica) | +| `uid2-optout-prod-store.s3.us-east-2.amazonaws.com` | Opt-out data storage | +| `uid2-optout-prod-store-replica.s3.us-west-2.amazonaws.com` | Opt-out data storage (failover replica) | + +Allow these by hostname rather than by IP address, because the underlying addresses might change. 
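Review bot: this adds an untranslated English copy under `i18n/ja/`, so the Japanese site now carries a second source of truth that must be kept in sync by hand (the "update jp copy" and "update jp page" commits later in this series exist only to do that). Either mark the file as pending translation in the commit message or front matter, or track the translation as a follow-up, so the copy does not silently drift from `docs/ref-info/operator-private-network-requirements.md`.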
From 71cd52a6aa3528e428e3001aced8124d54954bb1 Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Wed, 17 Jun 2026 11:38:41 +1000 Subject: [PATCH 09/14] update page name to Network egress --- docs/guides/operator-guide-aks-enclave.md | 2 +- docs/guides/operator-guide-aws-marketplace.md | 2 +- docs/guides/operator-guide-azure-enclave.md | 2 +- docs/guides/operator-private-gcp-confidential-space.md | 2 +- docs/ref-info/operator-private-network-requirements.md | 8 ++++---- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/guides/operator-guide-aks-enclave.md b/docs/guides/operator-guide-aks-enclave.md index 3268151a1..c36fd09c7 100644 --- a/docs/guides/operator-guide-aks-enclave.md +++ b/docs/guides/operator-guide-aks-enclave.md @@ -255,7 +255,7 @@ az network vnet subnet update \ ``` :::note -If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](../ref-info/operator-private-network-requirements.md). +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Private Operator network egress](../ref-info/operator-private-network-requirements.md). ::: #### Get the AKS Subnet ID diff --git a/docs/guides/operator-guide-aws-marketplace.md b/docs/guides/operator-guide-aws-marketplace.md index cade4901e..9ea1b6b66 100644 --- a/docs/guides/operator-guide-aws-marketplace.md +++ b/docs/guides/operator-guide-aws-marketplace.md 
@@ -157,7 +157,7 @@ To avoid passing certificates associated with your domain into the enclave, inbo | 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. | :::note -If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](../ref-info/operator-private-network-requirements.md). +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Private Operator network egress](../ref-info/operator-private-network-requirements.md). ::: ### VPC chart diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index ffaa21a54..8d5106441 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -333,7 +333,7 @@ The following table provides information about supported protocols. | 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. | :::note -If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Network and firewall requirements](../ref-info/operator-private-network-requirements.md). +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Private Operator network egress](../ref-info/operator-private-network-requirements.md). ::: ## Upgrading diff --git a/docs/guides/operator-private-gcp-confidential-space.md b/docs/guides/operator-private-gcp-confidential-space.md index dfa74bcef..1d2d7ecae 100644 --- a/docs/guides/operator-private-gcp-confidential-space.md +++ b/docs/guides/operator-private-gcp-confidential-space.md 
@@ -90,7 +90,7 @@ Before choosing your deployment option, complete these Google Cloud setup steps: 1. Enable egress rule. If your VPC infrastructure only allows egress to known endpoints, you will need to enable an egress rule to allow the operator to retrieve the certificates required for attestation. To enable this, follow the details in this document from Google: [VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/supported-products#table_confidential_space). - You must also allow outbound access to the UID2 service and storage destinations that the operator depends on. For the full list, see [Network and firewall requirements](../ref-info/operator-private-network-requirements.md). + You must also allow outbound access to the UID2 service and storage destinations that the operator depends on. For the full list, see [Private Operator network egress](../ref-info/operator-private-network-requirements.md). ### UID2 Operator account setup diff --git a/docs/ref-info/operator-private-network-requirements.md b/docs/ref-info/operator-private-network-requirements.md index f147ec10a..c761a5d66 100644 --- a/docs/ref-info/operator-private-network-requirements.md +++ b/docs/ref-info/operator-private-network-requirements.md @@ -1,7 +1,7 @@ --- -title: Private Operator network and firewall requirements -sidebar_label: Private Operator network and firewall requirements -pagination_label: Private Operator network and firewall requirements +title: Private Operator network egress +sidebar_label: Private Operator network egress +pagination_label: Private Operator network egress description: Outbound network destinations a Private Operator must reach, for configuring egress firewall allowlists. hide_table_of_contents: false sidebar_position: 16 
@@ -10,7 +10,7 @@ displayed_sidebar: docs import Link from '@docusaurus/Link'; -# Private Operator network and firewall requirements +# Private Operator network egress A Private Operator connects to the UID2 Core and Opt-Out services, and downloads data files directly from AWS S3 using URLs that the Core service provides. For details, see [Private Operator workflow](../guides/integration-options-private-operator.md#private-operator-workflow). From e81f9ea725a049a51825270d41f0aa09755d10d0 Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Wed, 17 Jun 2026 11:46:10 +1000 Subject: [PATCH 10/14] update jp copy --- .../ref-info/operator-private-network-requirements.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md b/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md index f147ec10a..c761a5d66 100644 --- a/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md +++ b/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md @@ -1,7 +1,7 @@ --- -title: Private Operator network and firewall requirements -sidebar_label: Private Operator network and firewall requirements -pagination_label: Private Operator network and firewall requirements +title: Private Operator network egress +sidebar_label: Private Operator network egress +pagination_label: Private Operator network egress description: Outbound network destinations a Private Operator must reach, for configuring egress firewall allowlists. hide_table_of_contents: false sidebar_position: 16 
@@ -10,7 +10,7 @@ displayed_sidebar: docs import Link from '@docusaurus/Link'; -# Private Operator network and firewall requirements +# Private Operator network egress A Private Operator connects to the UID2 Core and Opt-Out services, and downloads data files directly from AWS S3 using URLs that the Core service provides. For details, see [Private Operator workflow](../guides/integration-options-private-operator.md#private-operator-workflow). From 5e1cb14e60b163d359b7233a646d304cd0cb606e Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Wed, 17 Jun 2026 12:15:20 +1000 Subject: [PATCH 11/14] add link from parent Private Operator Integrations page --- docs/guides/integration-options-private-operator.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/guides/integration-options-private-operator.md b/docs/guides/integration-options-private-operator.md index 266612fd9..34ac2fccf 100644 --- a/docs/guides/integration-options-private-operator.md +++ b/docs/guides/integration-options-private-operator.md 
@@ -136,3 +136,7 @@ There is no functional difference between the Private Operator versions. | GCP Confidential Space | [Private Operator for GCP integration guide](../guides/operator-private-gcp-confidential-space.md) | Information for setting up the UID2 Operator Service in [Confidential Space](https://cloud.google.com/confidential-computing#confidential-space), a confidential computing option from [Google Cloud](https://cloud.google.com/docs/overview/) Platform. | | Azure | [Private Operator for Azure integration guide](../guides/operator-guide-azure-enclave.md) | Instructions for setting up the UID2 Operator Service in an instance of Confidential Containers, a confidential computing option from Microsoft Azure. | | AKS | [Private Operator for AKS integration guide](../guides/operator-guide-aks-enclave.md) | Instructions for setting up the UID2 Operator Service in an instance of AKS, a confidential computing solution that runs on virtual nodes on Microsoft Azure container instances and uses Kubernetes. | + +:::note +All Private Operators must be allowed to access the destinations in [Private Operator network egress](../ref-info/operator-private-network-requirements.md). If your organization is secured with a firewall or proxy, these domains must be added to the allowlist. +::: From fc69cf8389282095c36ca2d5a76c3c4557fc1261 Mon Sep 17 00:00:00 2001 From: swibi-ttd Date: Thu, 18 Jun 2026 08:03:24 +1000 Subject: [PATCH 12/14] add lead-in before integ table Co-authored-by: Gen Whitt <107279666+genwhittTTD@users.noreply.github.com> --- docs/ref-info/operator-private-network-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ref-info/operator-private-network-requirements.md b/docs/ref-info/operator-private-network-requirements.md index c761a5d66..04facc211 100644 --- a/docs/ref-info/operator-private-network-requirements.md +++ b/docs/ref-info/operator-private-network-requirements.md 
@@ -17,7 +17,7 @@ A Private Operator Date: Thu, 18 Jun 2026 08:03:51 +1000 Subject: [PATCH 13/14] add lead-in before prod table Co-authored-by: Gen Whitt <107279666+genwhittTTD@users.noreply.github.com> --- docs/ref-info/operator-private-network-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ref-info/operator-private-network-requirements.md b/docs/ref-info/operator-private-network-requirements.md index 04facc211..0012090d8 100644 --- a/docs/ref-info/operator-private-network-requirements.md +++ b/docs/ref-info/operator-private-network-requirements.md @@ -26,7 +26,7 @@ The following table lists the hostnames you must allow for the integration envir | `uid2-optout-integ-store.s3.us-east-2.amazonaws.com` | Opt-out data storage | ## Production - +The following table lists the hostnames you must allow for the production environment. | Hostname | Purpose | | --- | --- | | `core-prod.uidapi.com` | Core Service (attestation, keys, salts, configuration) | From 46aadab6211e43523b5a877c244df78de0eaf8d8 Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Thu, 18 Jun 2026 08:05:17 +1000 Subject: [PATCH 14/14] update jp page --- .../current/ref-info/operator-private-network-requirements.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md b/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md index c761a5d66..0012090d8 100644 --- a/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md +++ b/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md @@ -17,7 +17,7 @@ A Private Operator
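Review bot: the production hunk replaces the blank line after `## Production` with the lead-in sentence, leaving `The following table lists the hostnames you must allow for the production environment.` immediately followed by `| Hostname | Purpose |`; whether a GFM table may start on the line after paragraph text depends on the Markdown parser, and the rest of these docs separate tables from preceding text with a blank line. Keep a blank line between the sentence and the table, and check the integration-environment lead-in from the previous commit for the same shape.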