This document describes the network requirements for Omni deployments. Requirements differ depending on whether Omni is deployed on-prem or used as a SaaS service.

Omni on-prem

When Omni is deployed on-prem, network access is required in three areas:
  • Outbound access from Omni to external services (e.g. Image Factory and authentication service)
  • Connectivity from Talos nodes to Omni
  • Optional outbound access from Talos nodes, depending on configuration

Outbound access from Omni

Omni can be deployed in a fully air-gapped environment. In such setups, external dependencies (container images, install media, and factory builds) must be mirrored internally. When Omni has outbound internet access, it uses that access for three purposes:
  • Pull the Omni container image
  • Download Talos install media
  • Generate factory builds
The following domains must be accessible from the host where Omni is running:
Domain                        Purpose                                  Port
ghcr.io                       Download Omni container image            443
*.githubusercontent.com       Backing blob storage for images          443
factory.talos.dev             Talos install media                      443
*.factory.talos.dev           Talos factory builds                     443
*.r2.cloudflarestorage.com    CDN / object storage for install media   443
All traffic uses TCP port 443.
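
An added example, not part of the Omni documentation: a Python check that audits egress records from the Omni host against the domain list above, so a least-privilege firewall or proxy policy can be verified. The record format, function names and sample hostnames are assumptions constructed for illustration.

```python
# Added example; names and record format are illustrative, not part of Omni.
from typing import NamedTuple

# Domain patterns and port copied from the domain list above (TCP 443 only).
ALLOWED_PATTERNS = (
    "ghcr.io",
    "*.githubusercontent.com",
    "factory.talos.dev",
    "*.factory.talos.dev",
    "*.r2.cloudflarestorage.com",
)
ALLOWED_PORT = 443

class Finding(NamedTuple):
    host: str
    port: int
    reason: str

def host_allowed(host: str) -> bool:
    """True if host matches an allowlist entry; '*.' matches subdomains only."""
    host = host.lower().rstrip(".")
    for pattern in ALLOWED_PATTERNS:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".factory.talos.dev"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False

def audit(records):
    """Return a Finding for every (proto, host, port) record outside the allowlist."""
    findings = []
    for proto, host, port in records:
        if not host_allowed(host):
            findings.append(Finding(host, port, "host not in allowlist"))
        elif proto != "tcp" or port != ALLOWED_PORT:
            findings.append(Finding(host, port, "only tcp/443 is required"))
    return findings

# Constructed sample records: (protocol, destination host, destination port).
SAMPLE = [
    ("tcp", "ghcr.io", 443),
    ("tcp", "pkg-containers.githubusercontent.com", 443),
    ("tcp", "factory.talos.dev", 80),
    ("tcp", "githubusercontent.com.example.net", 443),
    ("tcp", "Factory.Talos.Dev.", 443),
]
```

Calling `audit(SAMPLE)` flags the port 80 connection and the look-alike hostname, and passes the remaining three records.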

Connectivity from Talos nodes to Omni

Talos nodes must be able to connect to Omni for cluster management and SideroLink. Talos uses two endpoints exposed by Omni:
  • The API Endpoint, used for HTTPS management traffic
  • The SideroLink Endpoint, used for WireGuard connectivity
Both endpoints are shown in the Omni UI under Home → General Information. The following ports must be allowed between Talos nodes and the Omni endpoint:
Port     Protocol  Purpose
443      TCP       HTTPS API
51820*   UDP       WireGuard (SideroLink)

* The WireGuard port may vary depending on deployment configuration.

When SideroLink is established, Talos communicates with Omni over a WireGuard tunnel. Inside this tunnel, Omni is reachable at the fixed IPv6 address:
fd00:41e4:649b:9303::1
This address is internal to the tunnel and does not need to be exposed externally.

Optional outbound access from Talos nodes

In some deployments, Talos nodes download install media directly. If this is required, see the Talos Egress Requirements documentation for the list of required domains. If Omni handles install media downloads, direct outbound access from Talos nodes may not be required.

Omni SaaS

When using Omni SaaS, Talos nodes must be able to reach the Omni endpoints provided during cluster registration. These include:
  • The API endpoint (HTTPS)
  • The SideroLink endpoint (WireGuard)
Required ports:
Port    Protocol
443     TCP
51820   UDP
The exact hostname and WireGuard endpoint are displayed in the Omni UI.