Skip to Content
Security & TrustNetwork Requirements

Network Requirements

This page gives your network and firewall team exactly what they need to allow TAPP through — and nothing more. It is written to be copy-paste ready for a firewall change request.

What Your Network Team Needs to Know Upfront

  • One device placed on your BMS / building-management VLAN
  • One MAC address visible on your network
  • All traffic is outbound-initiated — no inbound connections, no inbound firewall rules required
  • Accepts DHCP or can be assigned a static IP

Egress Rules Required

DestinationProtocolPortPurpose
AWS IoT CoreTCP8883Equipment telemetry (MQTT over TLS)
AWS (HTTPS)TCP443Supporting cloud services
Tailscale (relay fallback)TCP443Remote management tunnel fallback
Tailscale (direct tunnel)UDP41641NAT traversal for direct tunnel; falls back to TCP 443 if blocked
Health checkICMPOutbound ping to 8.8.8.8 / 1.1.1.1

Note on Tailscale ports: UDP 41641 is used for direct peer-to-peer tunnel establishment. If your firewall blocks UDP 41641, Tailscale automatically falls back to a TCP 443 relay (DERP ) with no action required on your end. This matches Tailscale’s own guidance on firewall ports  and connection types . See Remote Access for full details.

No Inbound Rules Needed

TAPP does not accept inbound connections. Nothing behind the Network Router is routable or visible from the customer network side. The router presents as a single NAT’d endpoint. If your policy requires a strict egress allowlist, Tailscale publishes its firewall guidance  for reference.

VLAN Placement

TAPP should be placed on the BMS or building-management VLAN — the same segment that other building automation devices use. It does not require access to corporate IT infrastructure, servers, or file shares.

Last updated on