
This page describes the network access patterns and endpoint requirements for Jitera Self-Hosted. Use this as a reference when configuring firewalls, network security groups, or network policies.
An egress firewall is recommended for production but optional for evaluation and pilot deployments. Without a firewall, all outbound traffic from the cluster is allowed; the endpoint tables below still serve as a reference for DNS resolution and connectivity requirements, but no active filtering is applied. An egress firewall (AWS Network Firewall, roughly $300/mo; Azure Firewall, roughly $900/mo) adds FQDN-based outbound filtering, restricting pod traffic to only the endpoints listed below. Consider the cost impact when deciding whether to deploy one.
Domain placeholders used in this page: app.example.com (main domain, configured as ingress.domainName) and chat.example.com (chat domain, configured as ingress.chatDomainName). Replace these with your actual domain names.
If you use an L7 firewall with TLS/SNI inspection (e.g., AWS Network Firewall, Azure Firewall, Palo Alto, Zscaler), additional configuration beyond the domain list below may be required: redirect and CDN targets (for example codeload.github.com, *.data.azurecr.io, production.cloudflare.docker.com) must be allow-listed alongside the first-hop host, and if the firewall terminates TLS rather than only inspecting SNI, its CA must be trusted by the pods. See your cloud provider’s documentation; the AWS and AKS references in the Cluster Infrastructure section below are the starting points.

Network Access Patterns

Jitera Self-Hosted requires the following network access patterns:
  • Ingress: HTTPS (443/tcp) for web application access
  • Egress: HTTPS (443/tcp) for external API calls and container image pulls, SMTP (25/tcp or 587/tcp) for outbound email, DNS (53/tcp, 53/udp) for domain resolution, NTP (123/udp) for time synchronization
  • Pod-to-Pod: All internal services communicate within the Kubernetes cluster network using service discovery and internal DNS

Inbound Access

Inbound rules control traffic from external sources into the cluster.
Purpose | Source | Destination | Required | Description
Jitera App Access | User’s web browser | https://app.example.com | Required | Main application domain
Jitera Chat API Access | User’s web browser | https://chat.example.com | Required | Chat domain
Grafana | User’s web browser | https://grafana.example.com | Conditional | Required only if Grafana ingress is enabled
Prometheus | User’s web browser | https://prometheus.example.com | Conditional | Required only if Prometheus ingress is enabled
MinIO Access | User’s web browser | https://minio.example.com | Conditional | Required only if using MinIO with ingress enabled
MinIO Console | User’s web browser | https://minio-console.example.com | Conditional | Required only if using MinIO Console
Cert-Manager HTTP01 Challenges | ACME (Let’s Encrypt) | http://*.example.com | Conditional | Required only if using cert-manager HTTP01 challenges
Pod Hairpin Traffic (AWS) | NAT Gateway EIP | https://app.example.com, https://chat.example.com | Conditional | Required on AWS when inbound filtering is configured on the Kong LoadBalancer Service’s Security Group. Pods resolve the public app domain via public DNS and egress through the NAT Gateway back to the CLB; without the NAT Gateway EIP(s) in the SG allow-list, intra-cluster calls that traverse the public domain are dropped. On Azure, filter at the AKS subnet NSG and include the VirtualNetwork service tag in the inbound allow rules so intra-VNet hairpin traffic is preserved.
Let’s Encrypt does not publish the source addresses of its validation servers, so the HTTP01 row has to accept 80/tcp from any source while a challenge is running. The Grafana, Prometheus and MinIO Console rows, by contrast, are administrative surfaces: restrict them to operator source ranges or keep them off the public ingress entirely.

Outbound Access

Setup Requirements

These endpoints must be reachable during initial deployment and upgrades.
Purpose | Source | Destination | Required | Description
Jitera container images | Kubernetes worker node | https://jiteradockerimage.azurecr.io | Required | Registry API (authentication, manifest resolution)
Jitera container images | Kubernetes worker node | https://*.data.azurecr.io | Required | ACR data endpoint for image layer downloads
Jitera container images | Kubernetes worker node | https://*.blob.core.windows.net | Required | Image layer storage
Docker Hub images | Kubernetes worker node | https://docker.io | Conditional | Kong, PostgreSQL, MongoDB, Redis, RabbitMQ; not required if using Jitera ACR for all images (see deployment guide)
Docker Hub images | Kubernetes worker node | https://registry-1.docker.io | Conditional | Docker Hub registry API
Docker Hub images | Kubernetes worker node | https://auth.docker.io | Conditional | Docker Hub authentication
Docker Hub images | Kubernetes worker node | https://production.cloudflare.docker.com | Conditional | Docker Hub layer downloads (Cloudflare CDN)
Red Hat container images | Kubernetes worker node | https://*quay.io | Conditional | Required only if using cert-manager
JavaScript Registry | Kubernetes worker node | https://jsr.io | Required | Required by Boost
GitHub | Kubernetes worker node | https://github.com | Required | Required by Boost
GitHub | Kubernetes worker node | https://release-assets.githubusercontent.com | Required | Required by Boost
Image pulls are multi-hop: the registry API host answers with redirects to a separate data or CDN host, so every row of a group must be allowed together or the pull fails on the second hop. Note that *.blob.core.windows.net admits every Azure Storage account, not only the one behind Jitera’s ACR; that breadth is inherent to FQDN filtering on shared storage hosts and is worth recording in your risk register.

1st Party Endpoints

Internal services that need to reach the application’s own endpoints.
Purpose | Source | Destination | Required | Description
Jitera App Access | Kubernetes worker node | https://app.example.com | Required | Pods call the application’s own public hostname (see the Pod Hairpin Traffic row under Inbound Access)
Jitera Chat API Access | Kubernetes worker node | https://chat.example.com | Required | Same as above for the chat domain

Cluster Infrastructure (cloud-specific)

Endpoints required for the Kubernetes control plane and managed add-ons themselves. These are not Jitera-specific — they are prerequisites for the cluster to bootstrap, pull system images, and report managed metrics. Refer to the cloud provider’s documentation as the authoritative source; the list below reflects the default allow-list enforced by the Jitera Terraform scripts.

AWS EKS

FQDN | Purpose | Failure mode if blocked
.amazonaws.com | EKS cluster bootstrap, ECR, S3, STS, EC2 API | Nodes fail to join the cluster; ECR image pulls fail
public.ecr.aws | AWS public ECR (Global Accelerator frontend) | Managed add-on image pulls fail (AWS Node Termination Handler, VPC CNI, CoreDNS)
.cloudfront.net | AWS public ECR layer downloads (CloudFront) | Second-hop layer download fails
registry.k8s.io | Upstream Kubernetes registry (Cluster Autoscaler image) | Cluster Autoscaler CrashLoopBackOff
.pkg.dev | Google Artifact Registry redirect target from registry.k8s.io | Layer pulls for Cluster Autoscaler fail
Entries with a leading dot (.amazonaws.com) use the AWS Network Firewall domain-list form, which matches the domain itself and all of its subdomains. That makes .amazonaws.com and .cloudfront.net very broad: they also admit S3 buckets, AWS APIs and CloudFront distributions in accounts you do not control. VPC endpoints for ECR, S3 and STS keep that traffic off the firewall path altogether and are the usual way to narrow the rule.
See AWS EKS best practices — Network Firewall and Pull images from ECR behind a firewall.

Azure AKS

FQDN | Purpose | Failure mode if blocked
mcr.microsoft.com | Microsoft Container Registry — AKS system images (CoreDNS, kube-proxy, CSI drivers, Azure CNI) | Cluster components fail to start
*.data.mcr.microsoft.com | MCR layer download endpoints (CDN) | Same as above — layer hop
management.azure.com | Azure ARM API — AKS control plane reconciliation, CSI disk/file driver attach/detach | Pod disk attach fails; cluster operations silently fail
login.microsoftonline.com | Entra ID / managed identity token acquisition | All calls to Azure APIs (Key Vault, ACR, Storage) fail; pods using federated identity crash
packages.microsoft.com | Node OS package updates (apt/yum), Azure CLI, SDK packages | Node OS security updates fail
acs-mirror.azureedge.net | AKS VHD components, Kubernetes binaries during node provisioning | Node bootstrap fails on autoscale
*.ods.opinsights.azure.com | Azure Monitor Container Insights ingestion | Container logs / metrics not reported
*.oms.opinsights.azure.com | Log Analytics workspace ingestion | Same as above
*.monitoring.azure.com | Azure Monitor metrics ingestion | Managed Prometheus metrics not reported
*.hcp.<region>.azmk8s.io | AKS API server FQDN (region-specific) | kubectl and in-cluster service account token verification fail (also required on the developer laptop / CI)
See AKS outbound network rules — control egress traffic and Azure Monitor agent network requirements.

3rd Party Integrations

Conditional endpoints required by specific features.
AI / LLM Providers:
Purpose | Destination | Description
Azure OpenAI | https://*.openai.azure.com | Required only if using Azure OpenAI API
OpenAI | https://api.openai.com | Required only if using OpenAI API
Anthropic Claude | https://api.anthropic.com | Required only if using Anthropic API
AWS Bedrock | https://bedrock-runtime.*.amazonaws.com | Required only if using Amazon Bedrock API
Google Generative AI | https://generativelanguage.googleapis.com | Required only if using Google Generative AI API
Google Vertex AI | https://*-aiplatform.googleapis.com | Required only if using Google Vertex AI
LLM token encoding | https://tiktoken.pages.dev | Required only if using chat v1 (Ultron)
Code Source Integrations:
Purpose | Destination | Description
GitHub Integration | https://github.com | Required only if using GitHub integration
GitHub Integration | https://api.github.com | Required only if using GitHub integration
GitHub Integration | https://raw.githubusercontent.com | Required only if using GitHub integration
GitHub Integration | https://codeload.github.com | Required only if using GitHub integration; 302 redirect target from api.github.com/.../zipball/<ref> that serves the actual zip bytes
GitLab Integration | https://<your-gitlab-host> | Required only if using self-managed GitLab integration
GitHub’s api.github.com/repos/<owner>/<repo>/zipball/<ref> returns a 302 redirect to https://codeload.github.com/.... An L7 egress firewall that allow-lists api.github.com but not codeload.github.com silently drops the second request, so repository import fails with a misleading fetch failed error whose URL still points at api.github.com, because the HTTP client reports the URL it was asked for rather than the hop that was blocked. Allow-list both hosts when GitHub integration is enabled behind a firewall.
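The following script models that failure so it can be reproduced without a live firewall. It is an added example, not Jitera code: the HTTP responses are constructed inline (the api.github.com to codeload.github.com hop above, plus a relative Location header), and the repository path acme/app is a placeholder. Each hop’s host is checked against the allow-list the way a per-connection FQDN filter would check it, and the diagnosis names the hop that was actually blocked instead of the original URL. The matcher also accepts the leading-dot suffix form used in the AWS EKS table, so the same function can be used to sanity-check an allow-list before it is pushed to the firewall.

```python
"""Walk an HTTP redirect chain against an FQDN allow-list the way an L7
egress firewall would.  Added example, not Jitera code.  The responses are
constructed inline to model the api.github.com -> codeload.github.com hop;
nothing is fetched from the network.
"""
from urllib.parse import urljoin, urlsplit

# Constructed responses: request URL -> (status, Location header or None).
# acme/app is a placeholder repository.
RESPONSES = {
    "https://api.github.com/repos/acme/app/zipball/main":
        (302, "https://codeload.github.com/acme/app/legacy.zip/refs/heads/main"),
    "https://codeload.github.com/acme/app/legacy.zip/refs/heads/main":
        (200, None),
    # A relative Location header: the hop must be resolved against the
    # request URL before its host can be checked.
    "https://app.example.com/login": (302, "/auth/start"),
    "https://app.example.com/auth/start": (200, None),
}

REDIRECTS = {301, 302, 303, 307, 308}


def host_allowed(host, allowlist):
    """Match exact names, "*.x" (subdomains only) and ".x" (x and its
    subdomains, the AWS Network Firewall domain-list form)."""
    for pattern in allowlist:
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):
                return True
        elif pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def follow(url, allowlist, responses=RESPONSES, max_hops=5):
    """Return (ok, hosts_contacted, blocked_host).

    The firewall decides per connection, so every hop's host is checked.
    The client library, by contrast, only knows the URL it was given, which
    is why its error message points at the first host even when a later
    hop was the one dropped.
    """
    hosts = []
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        hosts.append(host)
        if not host_allowed(host, allowlist):
            return False, hosts, host
        status, location = responses.get(url, (200, None))
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return True, hosts, None
    raise RuntimeError("too many redirects")


def diagnose(url, allowlist, responses=RESPONSES):
    """Produce the message a practitioner wants instead of 'fetch failed'."""
    ok, hosts, blocked = follow(url, allowlist, responses)
    if ok:
        return "ok: " + " -> ".join(hosts)
    return (f"fetch failed for {url}: blocked at {blocked} "
            f"(hops: {' -> '.join(hosts)}); add {blocked} to the allow-list")


if __name__ == "__main__":
    zipball = "https://api.github.com/repos/acme/app/zipball/main"
    print(diagnose(zipball, ["api.github.com"]))
    print(diagnose(zipball, ["api.github.com", "codeload.github.com"]))
    print(diagnose("https://app.example.com/login", ["app.example.com"]))
```

To use it against a real allow-list, replace RESPONSES with the status and Location values captured from a verbose client run (curl -v or the application’s debug log) and feed in the firewall’s domain list; any hop reported as blocked is a host that must be added.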
Web Search & URL Reading (Boost):
Purpose | Destination | Description
Tavily Search API | https://api.tavily.com | Required only if using Tavily as the web search backend
SearXNG | https://<your-searxng-host> | Required only if using self-hosted SearXNG as the web search backend
Jina Reader | https://r.jina.ai | Required for the boost__read_webpage tool; no fallback exists
Jina Rerank API | https://api.jina.ai | Optional; used by Document Agent / Code Agent for RAG reranking
Cohere Rerank API | https://api.cohere.ai | Optional; alternative reranker for Document Agent / Code Agent
Wikipedia | https://en.wikipedia.org | Supplementary search tool
ArXiv | https://export.arxiv.org | Supplementary search tool (HTTP/HTTPS)
PubMed | https://eutils.ncbi.nlm.nih.gov | Supplementary search tool
HackerNews | https://hacker-news.firebaseio.com | Supplementary search tool
Yahoo Finance | https://query1.finance.yahoo.com | Supplementary search tool
Yahoo Finance | https://query2.finance.yahoo.com | Supplementary search tool
User-provided URLs | * (any URL) | MarkItDown / WebsiteTools / Jina fetch target URLs provided by users
The last row cannot be expressed as an FQDN allow-list: fetching user-supplied URLs from inside the cluster requires open egress for the pods that run those tools. If you enable it, treat it as a server-side request forgery path and deny, at minimum, the cloud metadata address (169.254.169.254), link-local and RFC 1918 ranges, and the cluster’s own service and pod CIDRs from those pods, so that a user-supplied URL cannot reach instance credentials or internal services.
Error Monitoring & Other Integrations:
Purpose | Destination | Description
Rollbar | https://api.rollbar.com | Required only if using Rollbar error tracking
Playwright Tracing | https://jitera-trace-viewer.pages.dev | Required only if Playwright tracing viewer is used in the frontend
Certificate Management:
Purpose | Destination | Description
Cert-Manager | https://acme-v02.api.letsencrypt.org | Required only if using cert-manager
Cert-Manager HTTP01 | http://*.example.com | Required only if using HTTP01 challenges
Cert-Manager DNS01 | Various DNS API endpoints | Required only if using DNS01 challenges
Single Sign-On (EntraID):
Purpose | Destination | Description
EntraID | https://*.windows.net | Required only if using SSO with EntraID
EntraID | https://*.microsoftonline.com | Required only if using SSO with EntraID
EntraID | https://*.microsoft.com | Required only if using SSO with EntraID

Infrastructure Services

Purpose | Source | Destination | Required | Description
DNS | Kubernetes worker node | Various DNS servers (53/tcp, 53/udp) | Required |
SMTP Relay | Kubernetes worker node | Various SMTP relay servers (25/tcp) | Conditional | Required if using a local SMTP service
SMTP Submission | Kubernetes worker node | Various SMTP submission services (587/tcp) | Conditional | Required if using Amazon SES, Azure Communication Services, or SendGrid
NTP | Kubernetes worker node | Various NTP servers (123/udp) | Required |
On public cloud IaaS environments such as AWS and Azure, outbound port 25/tcp is usually blocked by default. If you need to use a local SMTP relay, contact your cloud provider in advance to request that this restriction be removed.
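Once the firewall rules are in place, the quickest way to confirm they match the tables above is to probe each endpoint from a pod and see at which stage a failure occurs. The script below is an added example, not part of the Jitera documentation or tooling. It resolves each destination, opens a TCP connection and, for https:// entries, completes a TLS handshake with SNI set, because an SNI-filtering firewall typically lets the TCP handshake complete and then resets the TLS handshake, which looks different from a DNS or routing fault. The ENDPOINTS list is a constructed subset of the tables; smtp-relay.example.com is a placeholder for your own relay, and wildcard rows are reported rather than probed since a pattern has no single host to connect to.

```python
"""Egress preflight for a Jitera Self-Hosted cluster.

Added example, not part of the Jitera documentation or tooling.  For each
destination it resolves the name, opens a TCP connection and, for https://
entries, completes a TLS handshake with SNI set.  The stage at which a probe
fails says what is blocking it: no DNS answer means resolution, a TCP failure
means routing or an L3/L4 rule, and TCP success with a failed handshake is the
signature of an SNI/FQDN-filtering firewall.  Run it from inside the cluster:

    kubectl run egress-check --rm -i --restart=Never \
        --image=python:3.12-alpine -- python - < check_egress.py
"""
import socket
import ssl
import sys
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80, "smtp": 25}

# Constructed subset of the endpoint tables on this page; extend it to match
# the features you enable.  The smtp:// host is a placeholder for your relay.
ENDPOINTS = [
    "https://jiteradockerimage.azurecr.io",
    "https://*.data.azurecr.io",
    "https://registry-1.docker.io",
    "https://codeload.github.com",
    "https://acme-v02.api.letsencrypt.org",
    "smtp://smtp-relay.example.com:587",
]


def parse_destination(dest):
    """Split a table entry into (scheme, host, port, is_wildcard)."""
    parts = urlsplit(dest)
    scheme = parts.scheme or "https"
    host = parts.hostname
    port = parts.port or DEFAULT_PORTS.get(scheme, 443)
    return scheme, host, port, host.startswith("*")


def probe(host, port, use_tls, timeout=5.0):
    """Probe one concrete host; the returned dict records how far it got."""
    result = {"dns": None, "tcp": False, "tls": None, "error": None}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        result["dns"] = sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        result["error"] = f"dns: {exc}"
        return result
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            if use_tls:
                ctx = ssl.create_default_context()
                # Certificate verification is deliberately left on: a
                # verification failure here means something in the path is
                # terminating TLS (an inspecting firewall), and its CA must
                # be trusted by the pods before any HTTPS client will work.
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls"] = tls.version()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        stage = "tls" if result["tcp"] else "tcp"
        result["error"] = f"{stage}: {exc}"
    return result


def check_endpoint(dest):
    """Classify a table entry as ok / blocked / wildcard (patterns are not probed)."""
    scheme, host, port, wildcard = parse_destination(dest)
    if wildcard:
        return {"dest": dest, "status": "wildcard",
                "note": "pattern; probe a concrete host taken from your pull or access logs"}
    result = probe(host, port, use_tls=(scheme == "https"))
    status = "ok" if result["error"] is None else "blocked"
    return {"dest": dest, "status": status, **result}


def summarize(results):
    """Count statuses so the script can exit non-zero when anything is blocked."""
    counts = {"ok": 0, "blocked": 0, "wildcard": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


if __name__ == "__main__":
    results = [check_endpoint(d) for d in ENDPOINTS]
    for r in results:
        detail = r.get("error") or r.get("tls") or r.get("note") or ""
        print(f"{r['status']:8} {r['dest']}  {detail}")
    sys.exit(1 if summarize(results)["blocked"] else 0)
```

Run it twice: once from a node (the source named in the tables) and once from a pod in the application namespace, since NetworkPolicies and the NAT path can differ between the two. A non-zero exit with a tls: stage error on a host that is in your domain list usually means the firewall is matching on something other than the SNI you expect, or that it is terminating TLS and the pods do not trust its CA.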
