Network architecture requirements

These are the network requirements for AI Hub to enable usage metering, AI model endpoints, and optional integrations.

For SaaS customers, Instabase configures your deployment appropriately. Customers who manage their own deployment in a Virtual Private Cloud (VPC) must configure outbound network connectivity for essential services.

Required egress connections

Certain connections are required for proper functioning of AI Hub in your environment.

Metronome usage metering

To enable real-time usage tracking and billing data transmission, your environment must be connected to Instabase Metronome API endpoints.

| Attribute | Details |
|---|---|
| Protocol | HTTPS (Port 443) |
| Endpoints | *.metronome.com |
| Frequency | Per-request billing calls |
| Data Type | Consumption data |
| SLA Impact | Critical. If this connection is blocked, your AI Hub deployment is blocked. |

Network requirements

  • Allow outbound HTTPS to Instabase telemetry servers.

  • Ensure that firewall rules permit continuous data transmission.

  • Configure the NAT gateway for private subnet deployments.

Azure Cognitive Services billing

To enable Microsoft Azure service billing and authentication, your environment must be connected to Azure Cognitive Services billing endpoints.

| Attribute | Details |
|---|---|
| Protocol | HTTPS (Port 443) |
| Endpoints | *.cognitiveservices.azure.com, management.azure.com |
| Frequency | Per-request billing calls |
| Data Type | Digitization consumption data |
| SLA Impact | Critical - blocking this connection blocks digitization of new files. |

Network requirements

  • Allow outbound HTTPS to Azure management and cognitive services domains.

LLM provider access

To enable access to large language model (LLM) services for AI processing capabilities, your environment must be connected to at least one supported LLM provider endpoint.

| Attribute | Details |
|---|---|
| Protocol | HTTPS (Port 443) |
| Frequency | Per AI request processing |
| Data Type | Model prompts, responses, embeddings |
| SLA Impact | Critical - blocking this connection prevents AI processing functionality. |

Provider requirements

| Provider | Endpoints | Authentication |
|---|---|---|
| OpenAI API | api.openai.com | API key authentication |
| Azure OpenAI API | *.openai.azure.com | API key authentication |
| AWS Bedrock (Anthropic Claude) | bedrock-runtime.*.amazonaws.com, bedrock.*.amazonaws.com | AWS IAM roles and policies |

Network requirements

  • Configure egress access to at least one of the supported LLM provider endpoints.

  • Ensure adequate bandwidth for AI model requests and responses.

  • For private deployments, configure NAT Gateway or PrivateLink as appropriate.

  • Review supported LLM providers documentation for current model requirements and compatibility.

Optional egress connections

Google Vision API

Enterprise accounts only.

To enable advanced language OCR capabilities for complex document processing, connect your environment to the Google Cloud Vision API endpoints. Advanced OCR capabilities include:

  • Processing documents with complex layouts.

  • Multi-language document recognition.

  • Advanced table extraction requirements.

| Attribute | Details |
|---|---|
| Protocol | HTTPS (Port 443) |
| Endpoints | vision.googleapis.com, *.googleapis.com |
| Frequency | On-demand for OCR processing |
| Data Type | Document images, OCR results |

Custom integration endpoints

For custom integrations with your own systems and APIs, use your specified endpoints.

| Attribute | Details |
|---|---|
| Protocol | HTTPS/HTTP (Ports 80, 443, or custom) |
| Endpoints | Customer-defined |
| Frequency | Based on integration requirements |
| Data Type | Extracted data, webhook notifications, API calls |

Common integration patterns:

  • Webhook notifications to your systems.

  • API calls to your databases or customer relationship management (CRM) systems.

  • File uploads to your storage systems.

  • Authentication with your identity providers.

Customer storage and connector ecosystem

You can access your data sources and storage systems with AI Hub connectors.

AI Hub supports extensive data connections for input sources, output destinations, and default storage. See the data connections configuration guides for detailed information.

Connection scope guidelines

  • Configure connections at workspace level for access separation.

  • Use organization-level connections only for default storage drives.

  • Avoid organization-level connections as shortcuts for cross-workspace access.

Authentication requirements

Use Role-Based Access Control (RBAC) with service principals, IAM roles, or managed identities.

Use storage keys and connection strings only when RBAC isn’t supported by the target system.

Network requirements by storage type

| Cloud Storage Type | Port/Protocol | Authentication Recommendation |
|---|---|---|
| AWS S3 | Port 443 (HTTPS) | Use IAM roles instead of access keys |
| Azure Blob Storage | Port 443 (HTTPS) | Use managed identity or service principal |
| Google Cloud Storage | Port 443 (HTTPS) | Use service account with minimal permissions |
| SharePoint Online | Port 443 (HTTPS) | Use Azure AD application registration |

Troubleshooting

Metronome connection failures

  • Verify that the security group allows outbound HTTPS.

  • Check the NAT gateway configuration for private subnets.

  • Confirm that no corporate firewall blocking is active.

Azure billing failures

  • Validate the Azure service principal permissions.

  • Check for proxy authentication requirements.

  • Verify the DNS resolution for Azure endpoints.
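The troubleshooting checks above can be run against egress proxy or firewall logs. The following is an added example, not Instabase code: it matches logged destinations against the endpoint patterns from this page and reports blocked required services, reachable LLM providers, and allowed hosts that are not on the list. The `ACTION HOST PORT` log format, the sample hostnames, and the rule that `*` matches exactly one DNS label are assumptions.

```python
import re

# Endpoint patterns copied from the tables on this page.
REQUIRED = {
    "metronome": ["*.metronome.com"],
    "azure-billing": ["*.cognitiveservices.azure.com", "management.azure.com"],
}
LLM_PROVIDERS = {  # at least one of these must be reachable
    "openai": ["api.openai.com"],
    "azure-openai": ["*.openai.azure.com"],
    "bedrock": ["bedrock-runtime.*.amazonaws.com", "bedrock.*.amazonaws.com"],
}
CATALOG = {**REQUIRED, **LLM_PROVIDERS}

def compile_pattern(pattern):
    # Assumption: '*' stands for exactly one DNS label. Literal labels are
    # escaped and the regex is anchored at both ends, so look-alike hosts
    # that merely contain an allowed name do not match.
    labels = [r"[a-z0-9-]+" if part == "*" else re.escape(part)
              for part in pattern.lower().split(".")]
    return re.compile(r"\A" + r"\.".join(labels) + r"\Z")

def service_for(host):
    host = host.lower().rstrip(".")
    for service, patterns in CATALOG.items():
        if any(compile_pattern(p).match(host) for p in patterns):
            return service
    return None

def audit(log_lines):
    # Each line is "ACTION HOST PORT" (assumed format, see lead-in).
    blocked, llm_ok, unlisted = set(), set(), []
    for line in log_lines:
        action, host, port = line.split()
        service = service_for(host)
        if service is None:
            if action == "ALLOW":
                unlisted.append(host)  # permitted, but not a documented endpoint
        elif action == "DENY" and service in REQUIRED:
            blocked.add(service)       # the page marks these as critical
        elif action == "ALLOW" and port == "443" and service in LLM_PROVIDERS:
            llm_ok.add(service)
    return {"blocked_required": sorted(blocked),
            "llm_reachable": sorted(llm_ok), "unlisted_allowed": unlisted}

# Constructed sample log; hostnames are illustrative only.
SAMPLE_LOG = [
    "ALLOW ingest-example.metronome.com 443",
    "DENY  myresource-example.cognitiveservices.azure.com 443",
    "ALLOW management.azure.com 443",
    "ALLOW bedrock-runtime.us-east-1.amazonaws.com 443",
    "DENY  api.openai.com 443", "ALLOW api.openai.com.example.net 443",
]
```

An empty `llm_reachable` list means the "at least one supported LLM provider" requirement is not met; entries in `unlisted_allowed` are candidates for tightening the egress rules.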

Compliance and data privacy

Review these data protection measures and regional considerations when configuring your network.

Data in transit

  • All communications use TLS 1.2 or higher.

  • Only aggregated metrics are transmitted to Metronome and Azure.

  • No document content is transmitted for billing purposes.

Regional considerations

  • Configure endpoints appropriate for your deployment region.

  • Consider data residency requirements for optional services.

  • Review corporate policies for cross-border data transmission.

Support and documentation

For additional network configuration assistance:

  • Review the connector documentation.

  • Contact Instabase support for custom integration requirements.

  • Validate your network configuration during the deployment planning phase.