Skip to main content
SDX infrastructure is distributed so managed sites and services can operate close to users and routers. In day-to-day operations, you normally do not select a management server manually. You prepare outbound access to the SDX service names and let the platform route the connection.

What Operators Need To Know

  • The management VPN is created as an outbound OpenVPN connection to api.altostrat.io on TCP 8443.
  • Managed VPN instances have an explicit region because the region affects peer latency.
  • Captive portals, workflow services, backups, reporting, and API calls rely on platform service endpoints rather than manual per-server selection.
  • If your firewall supports DNS allowlists, prefer service names over static IP rules.

When Region Choice Matters

You should think about regions when:
  • Creating a managed VPN instance.
  • Planning latency-sensitive site-to-site or remote-user VPN access.
  • Troubleshooting a site whose upstream firewall or ISP restricts outbound destinations.
  • Coordinating with Altostrat support on an infrastructure change.
For managed VPN, choose the region closest to the majority of peers. For management VPN, focus on allowing the documented service endpoint rather than hardcoding a regional node.

Firewall Guidance

If your organization requires IP-based firewall rules, keep the regional endpoint list as a controlled operational artifact. Confirm the current list before enforcing it, because infrastructure can move independently of documentation releases.
Use the endpoint summary in Trusted IPs and Endpoints as your first planning reference, then add IP-level restrictions only when your environment requires them.