Skip to main content
Operayde
Talk to us
/
Operations

Deployment guide

Network and pre-install requirements for Operayde appliances.

Last updated 17 May 2026

This guide covers everything your infrastructure team needs before an Operayde appliance is deployed. Follow the checklist and your appliance will enrol on first boot with no surprises.

Deployment options

Operayde appliances can run in two environments:

  • On-premises — deployed on your own infrastructure, inside your datacenter or server room.
  • Operayde-hosted — deployed in one of our datacenter regions: EU, KSA, or UAE.

In both cases, all inference runs locally on the appliance. Prompts and documents never leave the appliance boundary.

Network requirements

Operayde appliances require outbound HTTPS only. No inbound ports need to be opened on your firewall.

Outbound connections

DestinationPortProtocolPurpose
ops.<region>.operayde.com443HTTPSControl plane (heartbeat, config, audit)
bundles.<region>.operayde.com443HTTPSOPA policy bundle distribution
ntp.ubuntu.com123NTPTime synchronisation
Your IdP issuer URL443HTTPSOIDC authentication

Latency

The appliance tolerates up to 500 ms RTT to the central plane without degradation. Inference runs entirely on-appliance and is unaffected by WAN latency.

Pre-install checklist

Complete every item before powering on the appliance.

Network

  • Allocate a static IP or DHCP reservation for the appliance.
  • Configure DNS: appliance.<your-domain> resolving to the appliance IP.
  • Open outbound HTTPS (443) to *.operayde.com on your firewall.
  • Open outbound NTP (123) to ntp.ubuntu.com or your internal NTP server.
  • Verify outbound connectivity from the target network segment.

Identity provider

  • Register an OIDC client in your IdP for the appliance.
    • Redirect URI: https://appliance.<your-domain>/auth/callback
    • Grant type: Authorization Code + PKCE
    • Scopes: openid profile email groups
  • Map your IdP groups to Operayde roles:
    • tenant-admin — manages config, keys, audit
    • tenant-user — uses the workspace and API
  • Test the OIDC client independently (e.g. with curl or a test app).

Operayde portal

  • Enrolment token generated in the operator portal.
  • Tenant created and configured with correct residency region(s).
  • Initial virtual key created for smoke testing.

Firewall rules

Minimal outbound rule set

# Operayde control plane
ALLOW OUT tcp dst ops.<region>.operayde.com:443
ALLOW OUT tcp dst bundles.<region>.operayde.com:443

# Time synchronisation
ALLOW OUT udp dst ntp.ubuntu.com:123

# Your identity provider
ALLOW OUT tcp dst <your-idp-issuer>:443

# (Optional) Cloud inference fallback — only if your policy allows it
ALLOW OUT tcp dst inference.<region>.operayde.com:443

# Deny everything else outbound from the appliance VLAN
DENY OUT all

Place the appliance on its own VLAN. This limits the blast radius of any compromise and simplifies firewall rules.

VLAN 100 — Operayde Appliance
  Subnet: 10.10.100.0/24
  Default gateway: 10.10.100.1 (firewall)
  DNS: your internal resolver (must resolve *.operayde.com)

DNS setup

Add an A record in your internal DNS server:

appliance.<your-domain>    IN  A  10.10.100.10

This keeps the appliance reachable only from your internal network.

Option B: Split-horizon DNS

If your users need to access the appliance from both on-premise and VPN:

; Internal view
appliance.<your-domain>    IN  A  10.10.100.10

; External view (VPN users)
appliance.<your-domain>    IN  A  10.10.100.10

TLS certificate

The appliance generates a self-signed TLS certificate at first boot. For production use, provide a certificate signed by your internal CA or a public CA:

  1. Generate a CSR or provide a wildcard certificate for *.<your-domain>.
  2. Upload the certificate and key through the operator portal or during enrolment.
  3. The appliance reloads TLS configuration without downtime.

Post-install verification

After the appliance boots and enrols, verify:

# Check the appliance is healthy
curl -s https://appliance.example.com/v1/health | jq .
 
# Verify authentication
curl -s -H "Authorization: Bearer $OPERAYDE_KEY" \
  https://appliance.example.com/v1/models | jq .
 
# Run a smoke test
curl -s -X POST https://appliance.example.com/v1/chat/completions \
  -H "Authorization: Bearer $OPERAYDE_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model":"operayde/instruct","messages":[{"role":"user","content":"ping"}]}' \
  | jq .choices[0].message.content

If all three commands succeed, the appliance is operational.