Network Requirements
Understand the network architecture, ports, and protocols required to deploy TruthVouch self-hosted components.
Port Requirements
Governance Gateway
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 50052 | gRPC | Inbound | Applications send scan requests |
| 443 | HTTPS | Outbound | LLM provider APIs (OpenAI, Anthropic, Azure) |
| 5432 | PostgreSQL | Inbound (internal) | Database connections |
| 9090 | HTTP | Inbound (optional) | Prometheus metrics |
| 8080 | HTTP | Inbound (optional) | Health check endpoint |
Sentinel Agent
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 443 | HTTPS | Outbound | Policy sync from TruthVouch cloud |
| Ephemeral | HTTPS | Inbound | Cloud commands (rare) |
Network Topology
Typical Deployment
```
┌─ Your Network ─────────────────────────────────────────────────┐
│                                                                │
│  Applications (OpenAI SDK, Anthropic SDK, etc.)                │
│        │                                                       │
│        │ :50052 gRPC                                           │
│        ▼                                                       │
│  ┌──────────────────────┐                                      │
│  │  Governance Gateway  │                                      │
│  │  (One or More Pods)  │                                      │
│  └──────────────────────┘                                      │
│        │ :443 HTTPS (outbound)                                 │
│        │                                                       │
│        ▼                                                       │
│  ┌──────────────────────┐      ┌──────────────────┐            │
│  │   Your PostgreSQL    │      │  Sentinel Agents │            │
│  │  + pgvector + tsdb   │      │  (Windows, Mac,  │            │
│  └──────────────────────┘      │   Linux)         │            │
│                                └────────┬─────────┘            │
│                                         │ :443                 │
│                                         │ Sync (hourly)        │
└─────────────────────────────────────────┼──────────────────────┘
                                          │
                                          ▼
                              TruthVouch Cloud (Dashboard, Policy Mgmt)
```
Firewall Rules
Inbound Rules
Allow these inbound connections to the Gateway host:
```
From: Application servers
To:   Governance Gateway
Port: 50052 (gRPC)
```
Outbound Rules
Allow these outbound connections from the Gateway:
```
From: Governance Gateway
To:   api.openai.com, api.anthropic.com, openai.azure.com
Port: 443 (HTTPS)
```
Allow these outbound connections from Sentinel agents:
```
From: Sentinel agents (employee devices)
To:   your-truthvouch-cloud.example.com
Port: 443 (HTTPS)
```
DNS Configuration
Governance Gateway
If using a domain name for the Gateway (recommended):
```
gateway.yourcompany.local    A    192.168.1.100
```
Sentinel Agent Policy Endpoint
Configure in Sentinel agent config:
```yaml
policy_sync_url: https://policies.yourcompany.local:443/api/v1/policy
```
Reverse Proxy Setup
Nginx Example
```nginx
upstream gateway_backend {
    server localhost:50052;
}

server {
    # gRPC runs over HTTP/2, so the listener must enable it
    listen 443 ssl http2;
    server_name gateway.yourcompany.local;

    ssl_certificate     /etc/nginx/certs/gateway.crt;
    ssl_certificate_key /etc/nginx/certs/gateway.key;

    location / {
        grpc_pass grpcs://gateway_backend;
        # A trusted-certificate file has no effect unless verification is turned on
        grpc_ssl_trusted_certificate /etc/nginx/certs/ca.crt;
        grpc_ssl_verify on;
        # Must match the name in the Gateway's own certificate
        grpc_ssl_name gateway.yourcompany.local;
    }
}
```
mTLS Configuration
For production deployments, enable mutual TLS between applications and the Gateway:
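As an added example (not the TruthVouch project's own tooling), the following issues client certificates from a private CA instead of self-signing them, so the same `ca.crt` can be handed to nginx as `grpc_ssl_trusted_certificate` and to the SDK client as `root_certificates`; the CA name, the client CN and the 365-day lifetimes are assumptions for illustration.

```shell
# Added example: private CA plus CA-signed client certificate for Gateway mTLS.
# Subject names and lifetimes are assumed values, not TruthVouch defaults.
set -e

make_mtls_certs() {
    dir="$1"
    mkdir -p "$dir"
    # 1. Private CA whose certificate the Gateway (or its nginx front end) trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=TruthVouch Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Client key and CSR; the client never signs its own certificate.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=scan-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # 3. Sign the CSR with the CA and restrict the certificate to client auth,
    #    so a leaked client cert cannot be reused to impersonate the Gateway.
    printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' \
        > "$dir/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
    # Private keys are secrets; keep them readable by the owner only.
    chmod 600 "$dir/ca.key" "$dir/client.key"
}

# Exit status 0 only if client.crt chains to ca.crt and is usable for client auth.
verify_client_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" -purpose sslclient \
        "$dir/client.crt" >/dev/null
}
```

Distribute only `ca.crt` and the per-client `client.key`/`client.crt`; `ca.key` stays offline and is needed again only to issue or rotate client certificates.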
Client Certificate Setup
Generate client certificates:
```shell
openssl req -new -x509 -keyout client.key -out client.crt -days 365
```
Configure in your application SDK:
```python
# Example with gRPC Python client
import grpc

# grpc expects the PEM material as bytes, so read the files in binary mode
with open('ca.crt', 'rb') as f:
    ca_cert = f.read()
with open('client.key', 'rb') as f:
    client_key = f.read()
with open('client.crt', 'rb') as f:
    client_cert = f.read()

creds = grpc.ssl_channel_credentials(
    root_certificates=ca_cert,       # CA that signed the Gateway's certificate
    private_key=client_key,          # this application's client key
    certificate_chain=client_cert,   # client certificate presented to the Gateway
)
channel = grpc.secure_channel('gateway.local:50052', creds)
```
Service Mesh Integration
Istio Example
Deploy the Gateway with Istio sidecar injection:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: truthvouch
  labels:
    istio-injection: enabled
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: gateway
  namespace: truthvouch
spec:
  hosts:
    - gateway
  http:
    - match:
        - port: 50052
      route:
        - destination:
            host: gateway
            port:
              number: 50052
```
Load Balancing
Multiple Gateway Instances
For high availability, deploy multiple Gateway instances behind a load balancer:
```
┌─────────────────────────┐
│      Load Balancer      │
│  (Nginx, HAProxy, AWS   │
│   NLB, GCP LB, etc.)    │
└────────────┬────────────┘
             │
    ┌────────┼────────┐
    │        │        │
┌───▼──┐ ┌───▼──┐ ┌───▼──┐
│ GW 1 │ │ GW 2 │ │ GW 3 │
└──────┘ └──────┘ └──────┘
```
Health check endpoint (optional):
```shell
curl http://gateway-1:8080/health
# Returns 200 OK if ready
```
Latency Considerations
Expected Latencies
- Local network (LAN): <10ms for Gateway scan
- Cross-datacenter: <50ms
- Over VPN: 50-200ms depending on VPN overhead
Optimization Tips
- Deploy Gateway near your applications (same network/region)
- Use dedicated network links for production (avoid shared corporate WiFi)
- Enable connection pooling in gRPC clients
- Monitor metrics with Prometheus (see Monitoring)
Data Residency
The Governance Gateway stores:
- Request/response logs in PostgreSQL (your infrastructure)
- Vector embeddings in pgvector (your infrastructure)
- Audit trails in TimescaleDB (your infrastructure)
No data is sent to TruthVouch cloud unless explicitly configured.
Sentinel agents send:
- Usage reports (what tools were used, policies enforced)
- Policy sync requests (hourly by default)
- Encrypted telemetry (no user data or request contents)
Compliance Considerations
- GDPR: Deploy Gateway in EU for EU-scanned requests
- HIPAA: Use mTLS and encryption at rest for healthcare data
- SOC2: Enable audit logging and monitoring
- Industry-specific: Configure allowlists to match compliance requirements
See Firewall Configuration for detailed compliance settings.