UID2-7002 Add Private Operator Network Egress page with list of domains

docs/guides/integration-options-private-operator.md

@@ -136,3 +136,7 @@ There is no functional difference between the Private Operator versions.
 | GCP Confidential Space | [Private Operator for GCP integration guide](../guides/operator-private-gcp-confidential-space.md) | Information for setting up the UID2 Operator Service in [Confidential Space](https://cloud.google.com/confidential-computing#confidential-space), a confidential computing option from [Google Cloud](https://cloud.google.com/docs/overview/) Platform. |
 | Azure | [Private Operator for Azure integration guide](../guides/operator-guide-azure-enclave.md) | Instructions for setting up the UID2 Operator Service in an instance of Confidential Containers, a confidential computing option from Microsoft Azure. |
 | AKS | [Private Operator for AKS integration guide](../guides/operator-guide-aks-enclave.md) | Instructions for setting up the UID2 Operator Service in an instance of AKS, a confidential computing solution that runs on virtual nodes on Microsoft Azure container instances and uses Kubernetes. |
+
+:::note
+All Private Operators must be allowed to access the destinations in [Private Operator network egress](../ref-info/operator-private-network-requirements.md). If your organization is secured with a firewall or proxy, these domains must be added to the allowlist.
+:::

docs/guides/operator-guide-aks-enclave.md

@@ -254,6 +254,10 @@ az network vnet subnet update \
     --nat-gateway ${NAT_GATEWAY_NAME}
 ```
 
+:::note
+If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Private Operator network egress](../ref-info/operator-private-network-requirements.md).
+:::
+
 #### Get the AKS Subnet ID
 
 To create the AKS subnet ID, run the following command, using your own values as needed:

docs/guides/operator-guide-aws-marketplace.md

@@ -154,7 +154,11 @@ To avoid passing certificates associated with your domain into the enclave, inbo
 | ----------- | --------- | -------- | ------ |
 | 80 | Inbound | HTTP | Serves all UID2 APIs, including the healthcheck endpoint `/ops/healthcheck`.<br/>When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Checking UID2 Operator status](#checking-uid2-operator-status). |
 | 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). |
-| 443 | Outbound | HTTPS | Calls the UID2 Core Service, AWS S3, to download files for opt-out data and key store. |
+| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. |
+
+:::note
+If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Private Operator network egress](../ref-info/operator-private-network-requirements.md).
+:::
 
 ### VPC chart
 

docs/guides/operator-guide-azure-enclave.md

@@ -330,7 +330,11 @@ The following table provides information about supported protocols.
 | ----------- | --------- | -------- | ------ |
 | 80 | Inbound | HTTP | Serves all UID2 APIs, including the health check endpoint `/ops/healthcheck`.<br/>When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Running the health check](#running-the-health-check). |
 | 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). For details, see [Scraping metrics](#scraping-metrics). |
-| 443 | Outbound | HTTPS | Calls the UID2 Core Service and Azure Blob Storage, to download files for opt-out data and key store. |
+| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. |
+
+:::note
+If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Private Operator network egress](../ref-info/operator-private-network-requirements.md).
+:::
 
 ## Upgrading
 

docs/guides/operator-private-gcp-confidential-space.md

@@ -90,6 +90,8 @@ Before choosing your deployment option, complete these Google Cloud setup steps:
 
 1. Enable egress rule. If your VPC infrastructure only allows egress to known endpoints, you will need to enable an egress rule to allow the operator to retrieve the certificates required for attestation. To enable this, follow the details in this document from Google: [VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/supported-products#table_confidential_space).
 
+   You must also allow outbound access to the UID2 service and storage destinations that the operator depends on. For the full list, see [Private Operator network egress](../ref-info/operator-private-network-requirements.md).
+
 ### UID2 Operator account setup
 
 Ask your UID2 contact to register your organization as a UID2 Operator. If you're not sure who to ask, see [Contact info](../getting-started/gs-account-setup.md#contact-info).

docs/ref-info/operator-private-network-requirements.md

@@ -0,0 +1,39 @@
+---
+title: Private Operator network egress
+sidebar_label: Private Operator network egress
+pagination_label: Private Operator network egress
+description: Outbound network destinations a Private Operator must reach, for configuring egress firewall allowlists.
+hide_table_of_contents: false
+sidebar_position: 16
+displayed_sidebar: docs
+---
+
+import Link from '@docusaurus/Link';
+
+# Private Operator network egress
+
+A <Link href="../ref-info/glossary-uid#gl-private-operator">Private Operator</Link> connects to the UID2 <Link href="../ref-info/glossary-uid#gl-core-service">Core</Link> and <Link href="../ref-info/glossary-uid#gl-opt-out-service">Opt-Out</Link> services, and downloads data files directly from AWS S3 using URLs that the Core service provides. For details, see [Private Operator workflow](../guides/integration-options-private-operator.md#private-operator-workflow).
+
+If your environment restricts outbound network traffic, you must allow outbound HTTPS (port 443) to all of the destinations below, or the operator cannot start.
+
+## Integration
+The following table lists the hostnames you must allow for the integration environment.
+| Hostname | Purpose |
+| --- | --- |
+| `core-integ.uidapi.com` | Core Service (attestation, keys, salts, configuration) |
+| `optout-integ.uidapi.com` | Opt-Out Service |
+| `uid2-core-integ-store.s3.us-east-2.amazonaws.com` | Core data storage |
+| `uid2-optout-integ-store.s3.us-east-2.amazonaws.com` | Opt-out data storage |
+
+## Production
+The following table lists the hostnames you must allow for the production environment.
+| Hostname | Purpose |
+| --- | --- |
+| `core-prod.uidapi.com` | Core Service (attestation, keys, salts, configuration) |
+| `optout-prod.uidapi.com` | Opt-Out Service |
+| `uid2-core-prod-store.s3.us-east-2.amazonaws.com` | Core data storage |
+| `uid2-core-prod-store-replica.s3.us-west-2.amazonaws.com` | Core data storage (failover replica) |
+| `uid2-optout-prod-store.s3.us-east-2.amazonaws.com` | Opt-out data storage |
+| `uid2-optout-prod-store-replica.s3.us-west-2.amazonaws.com` | Opt-out data storage (failover replica) |
+
+Allow these by hostname rather than by IP address, because the underlying addresses might change.

i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md

@@ -0,0 +1,39 @@
+---
+title: Private Operator network egress
+sidebar_label: Private Operator network egress
+pagination_label: Private Operator network egress
+description: Outbound network destinations a Private Operator must reach, for configuring egress firewall allowlists.
+hide_table_of_contents: false
+sidebar_position: 16
+displayed_sidebar: docs
+---
+
+import Link from '@docusaurus/Link';
+
+# Private Operator network egress
+
+A <Link href="../ref-info/glossary-uid#gl-private-operator">Private Operator</Link> connects to the UID2 <Link href="../ref-info/glossary-uid#gl-core-service">Core</Link> and <Link href="../ref-info/glossary-uid#gl-opt-out-service">Opt-Out</Link> services, and downloads data files directly from AWS S3 using URLs that the Core service provides. For details, see [Private Operator workflow](../guides/integration-options-private-operator.md#private-operator-workflow).
+
+If your environment restricts outbound network traffic, you must allow outbound HTTPS (port 443) to all of the destinations below, or the operator cannot start.
+
+## Integration
+The following table lists the hostnames you must allow for the integration environment.
+| Hostname | Purpose |
+| --- | --- |
+| `core-integ.uidapi.com` | Core Service (attestation, keys, salts, configuration) |
+| `optout-integ.uidapi.com` | Opt-Out Service |
+| `uid2-core-integ-store.s3.us-east-2.amazonaws.com` | Core data storage |
+| `uid2-optout-integ-store.s3.us-east-2.amazonaws.com` | Opt-out data storage |
+
+## Production
+The following table lists the hostnames you must allow for the production environment.
+| Hostname | Purpose |
+| --- | --- |
+| `core-prod.uidapi.com` | Core Service (attestation, keys, salts, configuration) |
+| `optout-prod.uidapi.com` | Opt-Out Service |
+| `uid2-core-prod-store.s3.us-east-2.amazonaws.com` | Core data storage |
+| `uid2-core-prod-store-replica.s3.us-west-2.amazonaws.com` | Core data storage (failover replica) |
+| `uid2-optout-prod-store.s3.us-east-2.amazonaws.com` | Opt-out data storage |
+| `uid2-optout-prod-store-replica.s3.us-west-2.amazonaws.com` | Opt-out data storage (failover replica) |
+
+Allow these by hostname rather than by IP address, because the underlying addresses might change.

sidebars.js

@@ -378,6 +378,7 @@ const fullSidebar = [
         'ref-info/ref-how-uid-is-created',
         'ref-info/ref-server-side-token-generation',
         'ref-info/ref-integration-sso-providers',
+        'ref-info/operator-private-network-requirements',
         'ref-info/deprecation-schedule',
       ],
     },