Use this page when you need to prepare firewalls, control-plane policies, or router trusted-network lists for SDX.

Endpoint Summary

| Destination | Purpose | Allow |
| --- | --- | --- |
| api.altostrat.io | Management VPN endpoint used by managed routers | Outbound TCP 8443 for the management VPN |
| v1.api.altostrat.io | Public SDX API base URL used by the portal and integrations | HTTPS from user browsers, integrations, and services that call the public API |
| sftp.sdx.altostrat.io | Configuration backup upload target used by SDX backup jobs | SFTP from managed routers when backup jobs run |
| 154.66.115.255/32 | SDX management-plane address used in control-plane defaults and transient access restrictions | Include in control-plane trusted networks where SDX must manage the router |

Prefer DNS names for outbound firewall rules when your firewall supports them. IP addresses behind service names can change as platform infrastructure evolves.

Control Plane Trusted Networks

Control plane policies define which source networks can reach management services such as WinBox, SSH, HTTP, HTTPS, Telnet, FTP, API, and API-SSL. The default control-plane policy includes:
  • 154.66.115.255
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
Adjust these networks to match your security model. For production, avoid broad private ranges unless you intentionally trust every internal source that can reach the router.

Management Tunnel Addressing

The management VPN uses addresses from 100.64.0.0/10. Do not reuse this range for site LANs if it would create routing ambiguity with the SDX management tunnel.
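The two checks described above (broad private ranges in the trusted-network list, and site LANs that collide with the management tunnel range) can be run as a pre-change audit. This is an added example, not Altostrat code: the function names and the sample site LANs are assumptions, and only the SDX address, the default policy entries, and the tunnel range come from this page.

```python
import ipaddress

# Values taken from this page.
SDX_MGMT_HOST = ipaddress.ip_network("154.66.115.255/32")
SDX_TUNNEL_RANGE = ipaddress.ip_network("100.64.0.0/10")
BROAD_PRIVATE = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_POLICY = ["154.66.115.255", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def _parse(entries):
    # strict=False accepts host-style input such as "10.20.30.5/24".
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def audit_trusted_networks(trusted):
    """Return (finding, network) tuples for a control-plane trusted-network list."""
    nets = [n for n in _parse(trusted) if n.version == 4]
    findings = []
    # SDX cannot manage the router unless its management-plane address is covered.
    if not any(SDX_MGMT_HOST.subnet_of(n) for n in nets):
        findings.append(("missing-sdx", str(SDX_MGMT_HOST)))
    for n in nets:
        # An entry covering a whole RFC 1918 block trusts every internal
        # source that can reach the router.
        if any(b.subnet_of(n) for b in BROAD_PRIVATE):
            findings.append(("broad-private", str(n)))
    return findings


def tunnel_conflicts(site_lans):
    """Return site LAN prefixes that overlap the management tunnel range."""
    return [str(n) for n in _parse(site_lans)
            if n.version == 4 and n.overlaps(SDX_TUNNEL_RANGE)]


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    print(audit_trusted_networks(DEFAULT_POLICY))
    print(audit_trusted_networks(["154.66.115.255", "10.20.30.0/24"]))
    print(tunnel_conflicts(["192.168.88.0/24", "100.72.0.0/16"]))
```
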

Practical Firewall Rules

At minimum, managed routers need:
  • Outbound TCP 8443 to api.altostrat.io for the management VPN.
  • Outbound HTTPS to v1.api.altostrat.io for portal and integration calls to the public SDX API.
  • Outbound SFTP to sftp.sdx.altostrat.io when configuration backups are enabled.
For operator devices, allow HTTPS access to the portal and API endpoints used by your organization.

When You Need IP-Based Allowlists

If your environment cannot use DNS-based rules, keep IP allowlists under change control and confirm the current list with Altostrat before enforcing them. Avoid copying old regional IP lists between environments without validation.
