> ## Documentation Index
> Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Trusted IPs and Endpoints

> Plan firewall allowlists, control-plane trusted networks, and outbound SDX service access.

Use this page when you need to prepare firewalls, control-plane policies, or router trusted-network lists for SDX.

## Endpoint Summary

| Destination             | Purpose                                                                                       | Allow                                                                         |
| ----------------------- | --------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- |
| `api.altostrat.io`      | Management VPN endpoint used by managed routers                                               | Outbound TCP `8443` for the management VPN                                    |
| `v1.api.altostrat.io`   | Public SDX API base URL used by the portal and integrations                                   | HTTPS from user browsers, integrations, and services that call the public API |
| `sftp.sdx.altostrat.io` | Configuration backup upload target used by SDX backup jobs                                    | SFTP from managed routers when backup jobs run                                |
| `154.66.115.255/32`     | SDX management-plane address used in control-plane defaults and transient access restrictions | Include in control-plane trusted networks where SDX must manage the router    |

<Note>
  Prefer DNS names for outbound firewall rules when your firewall supports them. IP addresses behind service names can change as platform infrastructure evolves.
</Note>

## Control Plane Trusted Networks

Control plane policies define which source networks can reach management services such as WinBox, SSH, HTTP, HTTPS, Telnet, FTP, API, and API-SSL.

The default control-plane policy includes:

* `154.66.115.255`
* `10.0.0.0/8`
* `172.16.0.0/12`
* `192.168.0.0/16`

Adjust these networks to match your security model. For production, replace the broad private ranges with the specific management subnets you actually trust: a range such as `10.0.0.0/8` trusts every internal source that can reach the router. Keep `154.66.115.255` in the list wherever SDX must manage the router, since that is the address the control-plane defaults and transient access restrictions rely on.

## Management Tunnel Addressing

The management VPN assigns tunnel addresses from `100.64.0.0/10`. Do not reuse that range for site LANs: an overlapping prefix creates routing ambiguity between the LAN and the SDX management tunnel.
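The checks in the two sections above (keep the SDX management address trusted, avoid broad private ranges, keep site LANs out of the management tunnel pool) can be scripted before a policy is pushed. The following Python is an added example, not code from Altostrat or the SDX product: the addresses it uses are the ones stated on this page, while the `/24` threshold for reporting a network as "broad" is an assumed policy value that you should set to your own standard.

```python
"""Audit a control-plane trusted-network plan for an SDX-managed router.

Added example. The SDX management address, default policy and tunnel pool
are the values stated on this page; BROAD_PREFIX is an assumed policy
threshold, not an SDX requirement.
"""
from ipaddress import ip_network

SDX_MANAGEMENT = ip_network("154.66.115.255/32")   # SDX management-plane address
MGMT_TUNNEL = ip_network("100.64.0.0/10")          # management VPN address pool
DEFAULT_TRUSTED = [                                # default control-plane policy
    "154.66.115.255", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
]
BROAD_PREFIX = 24  # assumption: anything wider than /24 is reported as broad


def audit_control_plane(trusted, site_lans=(), broad_prefix=BROAD_PREFIX):
    """Return a list of findings; an empty list means the plan passed.

    trusted   -- proposed control-plane trusted networks (strings)
    site_lans -- LAN prefixes behind the router, checked against the tunnel pool
    """
    nets = [ip_network(n, strict=False) for n in trusted]
    v4 = [n for n in nets if n.version == 4]
    findings = []

    # 1. SDX must keep a path to the management services, or it can no
    #    longer manage the router once the policy is applied.
    if not any(SDX_MANAGEMENT.subnet_of(n) for n in v4):
        findings.append(f"missing: {SDX_MANAGEMENT} is not covered by any trusted network")

    # 2. A broad range trusts every host that can route to the router.
    for n in nets:
        if n.prefixlen < broad_prefix:
            findings.append(f"broad: {n} is wider than /{broad_prefix}")

    # 3. A site LAN inside 100.64.0.0/10 is ambiguous with the management tunnel.
    for lan in site_lans:
        lan_net = ip_network(lan, strict=False)
        if lan_net.version == 4 and lan_net.overlaps(MGMT_TUNNEL):
            findings.append(f"overlap: LAN {lan_net} overlaps management tunnel {MGMT_TUNNEL}")

    return findings


if __name__ == "__main__":
    print("default policy:", audit_control_plane(DEFAULT_TRUSTED))
    print("hardened policy:", audit_control_plane(
        ["154.66.115.255/32", "10.20.30.0/24"], site_lans=["192.168.1.0/24"]))
```

Run against the default policy it reports the three RFC 1918 ranges as broad and nothing else; a plan that drops `154.66.115.255` is reported as `missing`, which is the case that locks SDX out of the router.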

## Practical Firewall Rules

At minimum, managed routers need:

* Outbound TCP `8443` to `api.altostrat.io` for the management VPN.
* Outbound SFTP to `sftp.sdx.altostrat.io` when configuration backups are enabled.

Anything that calls the public SDX API (the portal, integrations, and services that use the API) needs outbound HTTPS to `v1.api.altostrat.io`.

For operator devices, allow HTTPS access to the portal and API endpoints used by your organization.

## When You Need IP-Based Allowlists

If your environment cannot use DNS-based rules, keep IP allowlists under change control and confirm the current list with Altostrat before enforcing it. Because the addresses behind the service names can change, re-validate the list on a schedule, and never copy an old regional IP list between environments without validation.

## Related Pages

<CardGroup cols={2}>
  <Card title="Management VPN" icon="lock-keyhole" href="./management-vpn" arrow="true">
    Understand how the outbound tunnel is created and recovered.
  </Card>

  <Card title="Control plane policies" icon="shield" href="../fleet/control-plane-policies" arrow="true">
    Configure router management services and trusted networks.
  </Card>
</CardGroup>
