CrewAI Factory — Network Allowlist
Purpose: This document lists every external domain that a CrewAI Factory installation may contact. Use it to configure firewall rules, proxy allowlists, or egress network policies.
Last updated: 2026-04-28
How to Read This Document
| Column | Meaning |
|---|---|
| Domain / Pattern | The hostname or wildcard to allow |
| Port | Default destination port (443 unless noted) |
| Protocol | HTTPS, WSS, or both |
| Direction | Egress (cluster → internet) or Browser (end-user browser only) |
| Required? | ✅ = blocks install/runtime if missing · ⚙️ = required only when the feature is enabled · 🔌 = depends on customer’s chosen provider |
1 · Critical Path — Blocks Installation
These domains are contacted during helm install and initial platform bootstrap. Blocking any of them will prevent installation.
| Domain | Port | Notes | Required? |
|---|---|---|---|
| *.crewai.com | 443 | Helm chart OCI registry, container images, license & update checks | ✅ |
| replicated.app | 443 | Replicated license verification | ✅ |
| proxy.replicated.com | 443 | Image proxy backend | ✅ |
| registry.replicated.com | 443 | OCI registry backend | ✅ |
| pypi.crewaifactory.com | 443 | Private PyPI mirror for CrewAI packages | ✅ |
| pypi.org | 443 | Public Python packages (fallback when not mirrored) | ✅ |
| files.pythonhosted.org | 443 | Python package downloads | ✅ |
| get.replicated.com | 443 | Embedded Cluster installer binary | ⚙️ EC only |
| github.com | 443 | Crew repos with git+https:// pip deps; crewAI-enterprise install | ⚙️ |
These are first-party CrewAI services the platform communicates with at runtime.
| Domain | Port | Protocol | Notes | Required? |
|---|---|---|---|---|
| <your-application-host> | 443 | HTTPS | OAuth integration proxy served via ingress path (e.g. <APPLICATION_HOST>/oauth/). No dedicated subdomain required. | ⚙️ |
3 · LLM Providers
Allow whichever providers your teams will use. The platform does not hardcode a single provider — customers choose which LLM APIs to connect.
| Domain Pattern | Provider |
|---|---|
| api.openai.com | OpenAI |
| api.anthropic.com | Anthropic |
| generativelanguage.googleapis.com | Google Gemini |
| *.openai.azure.com | Azure OpenAI |
| bedrock-runtime.*.amazonaws.com | AWS Bedrock |
| *-aiplatform.googleapis.com | Google Vertex AI |
| api.cohere.ai | Cohere |
| api.groq.com | Groq |
| api.cerebras.ai | Cerebras |
| api.sambanova.ai | SambaNova |
| *.snowflakecomputing.com | Snowflake Cortex |
| api-inference.huggingface.co | Hugging Face Inference |
| huggingface.co | Hugging Face (model downloads) |
| api.mistral.ai | Mistral |
| api.together.xyz | Together AI |
| api.fireworks.ai | Fireworks AI |
| api.replicate.com | Replicate |
| api.deepseek.com | DeepSeek |
| api.databricks.com / *.databricks.com | Databricks |
| api.deepinfra.com | DeepInfra |
Note: The built-in LLM (BUILT_IN_LLM_PROVIDER) defaults to OpenAI (gpt-4.1-mini). At minimum, allow the provider configured for the built-in LLM.
These are used by CrewAI tool integrations. Allow based on which tools your teams enable.
| Domain | Tool / Service |
|---|---|
| serpapi.com | SerpAPI |
| api.tavily.com | Tavily |
| api.firecrawl.dev | Firecrawl |
| api.linkup.so | LinkUp |
| api.exa.ai | Exa |
| api.you.com | You.com |
| api.scrapingbee.com | ScrapingBee |
| api.scrapfly.io | Scrapfly |
| api.brightdata.com | Bright Data |
| api.browserbase.com | Browserbase |
| api.hyperbrowser.ai | Hyperbrowser |
| api.brave.com / api.search.brave.com | Brave Search |
| api.bing.microsoft.com | Bing Search |
| registry.smithery.ai | Smithery MCP tool registry |
5 · Vector Databases
Only required if your crews connect to managed vector database services. Allow based on which provider you use.
| Domain Pattern | Provider |
|---|---|
| *.pinecone.io | Pinecone |
| *.weaviate.io / *.weaviate.network | Weaviate |
| *.qdrant.io | Qdrant |
| *.mongodb.net | MongoDB Atlas |
6 · Authentication & SSO
Allow the domain(s) for your chosen SSO provider. These are customer-specific.
| Provider | Domains to Allow |
|---|---|
| Okta | <your-org>.okta.com, <your-org>.oktapreview.com |
| Microsoft Entra ID | login.microsoftonline.com, graph.microsoft.com |
| WorkOS | api.workos.com, <your-authkit-domain> |
| Keycloak | Your self-hosted Keycloak URL |
| Google OAuth | accounts.google.com, oauth2.googleapis.com |
| GitHub OAuth | github.com |
7 · OAuth Integrations (Built-In Connectors)
If you enable built-in OAuth connectors for third-party services, allow the corresponding domains below. The OAuth proxy is served via an ingress path on your application host (see OAuth chart values) — no dedicated subdomain is required.
| Integration | Domains |
|---|---|
| Google Workspace | accounts.google.com, oauth2.googleapis.com, www.googleapis.com, docs.google.com, drive.google.com, slides.google.com |
| Microsoft 365 | login.microsoftonline.com, graph.microsoft.com |
| HubSpot | api.hubspot.com, app.hubspot.com |
| Salesforce | login.salesforce.com, *.salesforce.com |
| Notion | api.notion.so |
| Slack | slack.com, api.slack.com |
| GitHub | github.com, api.github.com |
8 · Cloud Provider Services
Allow based on your deployment cloud. These are for object storage, secrets management, and identity federation from within the cluster.
AWS
| Domain Pattern | Service |
|---|---|
| s3.*.amazonaws.com / *.s3.amazonaws.com | S3 object storage |
| secretsmanager.*.amazonaws.com | Secrets Manager |
| logs.*.amazonaws.com | CloudWatch Logs |
| sts.amazonaws.com / sts.*.amazonaws.com | STS (IAM role assumption) |
| rds.*.amazonaws.com | RDS (if using RDS endpoint) |
| eks.*.amazonaws.com | EKS API (kubeconfig update) |
Azure
| Domain Pattern | Service |
|---|---|
| *.blob.core.windows.net | Blob Storage |
| *.vault.azure.net | Key Vault |
| *.postgres.database.azure.com | Azure Database for PostgreSQL |
GCP
| Domain Pattern | Service |
|---|---|
| storage.googleapis.com | Cloud Storage |
| secretmanager.googleapis.com | Secret Manager |
| iamcredentials.googleapis.com | Workload Identity Federation |
| sts.googleapis.com | Security Token Service |
| sqladmin.googleapis.com | Cloud SQL Admin (Cloud SQL Proxy) |
Quick-Copy Allowlist
For convenience, here is a consolidated flat list of all mandatory + commonly-needed domains for a typical Factory deployment:
```
# === CRITICAL (installation) ===
*.crewai.com
replicated.app
proxy.replicated.com
registry.replicated.com
pypi.crewaifactory.com
pypi.org
files.pythonhosted.org
# === LLM PROVIDERS (add as needed) ===
api.openai.com
api.anthropic.com
# ... add per your LLM choices
# === SSO (add your provider) ===
# login.microsoftonline.com # Entra ID
# <org>.okta.com # Okta
# api.workos.com # WorkOS
```
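
An added example (not part of the CrewAI documentation): a small checker that parses a list in the Quick-Copy format and tests observed destinations against it, including the mid-label and partial-label wildcards used in the tables above. It assumes `*` stays inside a single DNS label and that `*.crewai.com` does not cover the apex; firewall and proxy engines differ on both points, so confirm the semantics of yours. The function names and sample hosts are constructed for illustration.

```python
import re

# Constructed sample in the page's Quick-Copy format; entries are taken from the page.
QUICK_COPY = """\
# === CRITICAL (installation) ===
*.crewai.com
replicated.app
pypi.org
# === LLM PROVIDERS (add as needed) ===
api.openai.com
bedrock-runtime.*.amazonaws.com
*-aiplatform.googleapis.com
# === SSO (add your provider) ===
# <org>.okta.com # Okta
"""

def parse_allowlist(text):
    """Return active patterns; '#' starts a comment, so commented-out entries stay disabled."""
    entries = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return [e for e in entries if e]

def compile_pattern(pattern):
    """Assumption: '*' stands for one or more characters inside a single DNS label."""
    return re.compile(re.escape(pattern).replace(r"\*", "[a-z0-9-]+"))

def match_host(host, patterns):
    """Return the first pattern matching the whole hostname, or None if it is not allowed."""
    host = host.strip().lower().rstrip(".")  # normalise case and a trailing root dot
    for pattern in patterns:
        if compile_pattern(pattern).fullmatch(host):
            return pattern
    return None

def audit(hosts, text=QUICK_COPY):
    """Map each observed destination to its matching pattern (None = not on the allowlist)."""
    patterns = parse_allowlist(text)
    return {h: match_host(h, patterns) for h in hosts}

if __name__ == "__main__":
    # Constructed destinations, e.g. as they might appear in a proxy log.
    observed = [
        "app.crewai.com",
        "crewai.com.example.net",   # look-alike: allowlisted name used as a prefix
        "notcrewai.com",            # look-alike: suffix match without a label boundary
        "bedrock-runtime.us-east-1.amazonaws.com",
        "us-central1-aiplatform.googleapis.com",
        "acme.okta.com",            # SSO entry is still commented out
    ]
    for host, rule in audit(observed).items():
        verdict = "ALLOW" if rule else "DENY"
        print(f"{verdict:5}  {host:45} {rule or '-'}")
```

Anchoring the match to the whole hostname is what keeps look-alike names such as `crewai.com.example.net` and `notcrewai.com` off the allowlist.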
Revision History
| Date | Author | Changes |
|---|---|---|
| 2026-04-28 | Iris (AI) / Diego Nogues (review) | Initial version from FAC-50 source code audit |