> ## Documentation Index
> Fetch the complete documentation index at: https://enterprise-docs.crewai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Network allowlist

# CrewAI Factory — Network Allowlist

> **Purpose:** This document lists every external domain that a CrewAI Factory installation may contact. Use it to configure firewall rules, proxy allowlists, or egress network policies.
>
> **Last updated:** 2026-04-28

***

## How to Read This Document

| Column               | Meaning                                                                                                                             |
| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| **Domain / Pattern** | The hostname or wildcard to allow                                                                                                   |
| **Port**             | Default destination port (`443` unless noted)                                                                                       |
| **Protocol**         | `HTTPS`, `WSS`, or both                                                                                                             |
| **Direction**        | `Egress` (cluster → internet) or `Browser` (end-user browser only)                                                                  |
| **Required?**        | ✅ = blocks install/runtime if missing · ⚙️ = required only when the feature is enabled · 🔌 = depends on customer's chosen provider |

***

## 1 · Critical Path — Blocks Installation

These domains are contacted during `helm install` and initial platform bootstrap. **Blocking any of them will prevent installation.**

| Domain                    | Port | Notes                                                              | Required?  |
| ------------------------- | ---- | ------------------------------------------------------------------ | ---------- |
| `*.crewai.com`            | 443  | Helm chart OCI registry, container images, license & update checks | ✅          |
| `replicated.app`          | 443  | Replicated license verification                                    | ✅          |
| `proxy.replicated.com`    | 443  | Image proxy backend                                                | ✅          |
| `registry.replicated.com` | 443  | OCI registry backend                                               | ✅          |
| `pypi.crewaifactory.com`  | 443  | Private PyPI mirror for CrewAI packages                            | ✅          |
| `pypi.org`                | 443  | Public Python packages (fallback when not mirrored)                | ✅          |
| `files.pythonhosted.org`  | 443  | Python package downloads                                           | ✅          |
| `get.replicated.com`      | 443  | Embedded Cluster installer binary                                  | ⚙️ EC only |
| `github.com`              | 443  | Crew repos with `git+https://` pip deps; crewAI-enterprise install | ⚙️         |

***

## 2 · Platform Runtime Services

These are first-party CrewAI services the platform communicates with at runtime.

| Domain                    | Port | Protocol | Notes                                                                                                                | Required? |
| ------------------------- | ---- | -------- | -------------------------------------------------------------------------------------------------------------------- | --------- |
| `<your-application-host>` | 443  | HTTPS    | OAuth integration proxy served via ingress path (e.g. `<APPLICATION_HOST>/oauth/`). No dedicated subdomain required. | ⚙️        |

***

## 3 · LLM Providers

Allow whichever providers your teams will use. The platform does **not** hardcode a single provider — customers choose which LLM APIs to connect.

| Domain Pattern                            | Provider                       |
| ----------------------------------------- | ------------------------------ |
| `api.openai.com`                          | OpenAI                         |
| `api.anthropic.com`                       | Anthropic                      |
| `generativelanguage.googleapis.com`       | Google Gemini                  |
| `*.openai.azure.com`                      | Azure OpenAI                   |
| `bedrock-runtime.*.amazonaws.com`         | AWS Bedrock                    |
| `*-aiplatform.googleapis.com`             | Google Vertex AI               |
| `api.cohere.ai`                           | Cohere                         |
| `api.groq.com`                            | Groq                           |
| `api.cerebras.ai`                         | Cerebras                       |
| `api.sambanova.ai`                        | SambaNova                      |
| `*.snowflakecomputing.com`                | Snowflake Cortex               |
| `api-inference.huggingface.co`            | Hugging Face Inference         |
| `huggingface.co`                          | Hugging Face (model downloads) |
| `api.mistral.ai`                          | Mistral                        |
| `api.together.xyz`                        | Together AI                    |
| `api.fireworks.ai`                        | Fireworks AI                   |
| `api.replicate.com`                       | Replicate                      |
| `api.deepseek.com`                        | DeepSeek                       |
| `api.databricks.com` / `*.databricks.com` | Databricks                     |
| `api.deepinfra.com`                       | DeepInfra                      |

> **Note:** The built-in LLM (`BUILT_IN_LLM_PROVIDER`) defaults to OpenAI (`gpt-4.1-mini`). At minimum, allow the provider configured for the built-in LLM.

***

## 4 · Search, Scraping & Tool Providers

These are used by CrewAI tool integrations. Allow based on which tools your teams enable.

| Domain                                   | Tool / Service             |
| ---------------------------------------- | -------------------------- |
| `serpapi.com`                            | SerpAPI                    |
| `api.tavily.com`                         | Tavily                     |
| `api.firecrawl.dev`                      | Firecrawl                  |
| `api.linkup.so`                          | LinkUp                     |
| `api.exa.ai`                             | Exa                        |
| `api.you.com`                            | You.com                    |
| `api.scrapingbee.com`                    | ScrapingBee                |
| `api.scrapfly.io`                        | Scrapfly                   |
| `api.brightdata.com`                     | Bright Data                |
| `api.browserbase.com`                    | Browserbase                |
| `api.hyperbrowser.ai`                    | Hyperbrowser               |
| `api.brave.com` / `api.search.brave.com` | Brave Search               |
| `api.bing.microsoft.com`                 | Bing Search                |
| `registry.smithery.ai`                   | Smithery MCP tool registry |

***

## 5 · Vector Databases

Only required if your crews connect to managed vector database services. Allow based on which provider you use.

| Domain Pattern                         | Provider      |
| -------------------------------------- | ------------- |
| `*.pinecone.io`                        | Pinecone      |
| `*.weaviate.io` / `*.weaviate.network` | Weaviate      |
| `*.qdrant.io`                          | Qdrant        |
| `*.mongodb.net`                        | MongoDB Atlas |

***

## 6 · Authentication & SSO

Allow the domain(s) for your chosen SSO provider. These are customer-specific.

| Provider               | Domains to Allow                                    |
| ---------------------- | --------------------------------------------------- |
| **Okta**               | `<your-org>.okta.com`, `<your-org>.oktapreview.com` |
| **Microsoft Entra ID** | `login.microsoftonline.com`, `graph.microsoft.com`  |
| **WorkOS**             | `api.workos.com`, `<your-authkit-domain>`           |
| **Keycloak**           | Your self-hosted Keycloak URL                       |
| **Google OAuth**       | `accounts.google.com`, `oauth2.googleapis.com`      |
| **GitHub OAuth**       | `github.com`                                        |

***

## 7 · OAuth Integrations (Built-In Connectors)

If you enable built-in OAuth connectors for third-party services, allow the corresponding domains below. The OAuth proxy is served via an ingress path on your application host (see [OAuth chart values](https://enterprise-docs.crewai.com/reference/chart-values/oauth#param-oauth-ingress-path)) — no dedicated subdomain is required.

| Integration          | Domains                                                                                                                          |
| -------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| **Google Workspace** | `accounts.google.com`, `oauth2.googleapis.com`, `www.googleapis.com`, `docs.google.com`, `drive.google.com`, `slides.google.com` |
| **Microsoft 365**    | `login.microsoftonline.com`, `graph.microsoft.com`                                                                               |
| **HubSpot**          | `api.hubspot.com`, `app.hubspot.com`                                                                                             |
| **Salesforce**       | `login.salesforce.com`, `*.salesforce.com`                                                                                       |
| **Notion**           | `api.notion.so`                                                                                                                  |
| **Slack**            | `slack.com`, `api.slack.com`                                                                                                     |
| **GitHub**           | `github.com`, `api.github.com`                                                                                                   |

***

## 8 · Cloud Provider Services

Allow based on your deployment cloud. These are for object storage, secrets management, and identity federation from **within the cluster**.

### AWS

| Domain Pattern                              | Service                     |
| ------------------------------------------- | --------------------------- |
| `s3.*.amazonaws.com` / `*.s3.amazonaws.com` | S3 object storage           |
| `secretsmanager.*.amazonaws.com`            | Secrets Manager             |
| `logs.*.amazonaws.com`                      | CloudWatch Logs             |
| `sts.amazonaws.com` / `sts.*.amazonaws.com` | STS (IAM role assumption)   |
| `rds.*.amazonaws.com`                       | RDS (if using RDS endpoint) |
| `eks.*.amazonaws.com`                       | EKS API (kubeconfig update) |

### Azure

| Domain Pattern                  | Service                       |
| ------------------------------- | ----------------------------- |
| `*.blob.core.windows.net`       | Blob Storage                  |
| `*.vault.azure.net`             | Key Vault                     |
| `*.postgres.database.azure.com` | Azure Database for PostgreSQL |

### GCP

| Domain Pattern                  | Service                           |
| ------------------------------- | --------------------------------- |
| `storage.googleapis.com`        | Cloud Storage                     |
| `secretmanager.googleapis.com`  | Secret Manager                    |
| `iamcredentials.googleapis.com` | Workload Identity Federation      |
| `sts.googleapis.com`            | Security Token Service            |
| `sqladmin.googleapis.com`       | Cloud SQL Admin (Cloud SQL Proxy) |

***

## Quick-Copy Allowlist

For convenience, here is a consolidated flat list of all **mandatory + commonly-needed** domains for a typical Factory deployment:

```text theme={null}
# === CRITICAL (installation) ===
*.crewai.com
replicated.app
proxy.replicated.com
registry.replicated.com
pypi.crewaifactory.com
pypi.org
files.pythonhosted.org

# === LLM PROVIDERS (add as needed) ===
api.openai.com
api.anthropic.com
# ... add per your LLM choices

# === SSO (add your provider) ===
# login.microsoftonline.com  # Entra ID
# <org>.okta.com              # Okta
# api.workos.com              # WorkOS
```

***

## Revision History

| Date       | Author                            | Changes                                       |
| ---------- | --------------------------------- | --------------------------------------------- |
| 2026-04-28 | Iris (AI) / Diego Nogues (review) | Initial version from FAC-50 source code audit |
