Network Requirements
This page gives your network and firewall team exactly what they need to allow TAPP through — and nothing more. It is written to be copy-paste ready for a firewall change request.
What Your Network Team Needs to Know Upfront
- One device placed on your BMS / building-management VLAN
- One MAC address visible on your network
- All traffic is outbound-initiated — no inbound connections, no inbound firewall rules required
- Accepts DHCP or can be assigned a static IP
Egress Rules Required
| Destination | Protocol | Port | Purpose |
|---|---|---|---|
| AWS IoT Core | TCP | 8883 | Equipment telemetry (MQTT over TLS) |
| AWS (HTTPS) | TCP | 443 | Supporting cloud services |
| Tailscale (relay fallback) | TCP | 443 | Remote management tunnel fallback |
| Tailscale (direct tunnel) | UDP | 41641 | NAT traversal for direct tunnel; falls back to TCP 443 if blocked |
| Health check | ICMP | — | Outbound ping to 8.8.8.8 / 1.1.1.1 |
Note on Tailscale ports: UDP 41641 is used for direct peer-to-peer tunnel establishment. If your firewall blocks UDP 41641, Tailscale automatically falls back to a TCP 443 relay (DERP ) with no action required on your end. This matches Tailscale’s own guidance on firewall ports and connection types . See Remote Access for full details.
No Inbound Rules Needed
TAPP does not accept inbound connections. Nothing behind the Network Router is routable or visible from the customer network side. The router presents as a single NAT’d endpoint. If your policy requires a strict egress allowlist, Tailscale publishes its firewall guidance for reference.
VLAN Placement
TAPP should be placed on the BMS or building-management VLAN — the same segment that other building automation devices use. It does not require access to corporate IT infrastructure, servers, or file shares.