Deployment guide
Network, hardware, and pre-install requirements for Operayde appliances.
Last updated 17 May 2026
This guide covers everything your infrastructure team needs before an Operayde appliance arrives on site. Follow the checklist and your appliance will enrol on first boot with no surprises.
Network requirements
Operayde appliances require outbound HTTPS only. No inbound ports need to be opened on your firewall.
Outbound connections
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| ops.<region>.operayde.com | 443 | HTTPS | Control plane (heartbeat, config, audit) |
| bundles.<region>.operayde.com | 443 | HTTPS | OPA policy bundle distribution |
| ntp.ubuntu.com | 123 | NTP | Time synchronisation |
| Your IdP issuer URL | 443 | HTTPS | OIDC authentication |
Bandwidth
| Tier | Steady-state | Peak (OTA update) |
|---|---|---|
| Starter Micro | < 1 Mbps | 50 Mbps for ~5 min |
| Starter | < 5 Mbps | 100 Mbps for ~5 min |
| Pro | < 10 Mbps | 200 Mbps for ~10 min |
Latency
The appliance tolerates up to 500 ms RTT to the central plane without degradation. Inference runs entirely on-appliance and is unaffected by WAN latency.
Hardware requirements
Appliance tiers
| Spec | Starter Micro | Starter | Pro |
|---|---|---|---|
| Form factor | Desktop unit | 1U rack-mount | 2U rack-mount |
| CPU | 8-core ARM | 16-core x86 | 32-core x86 |
| RAM | 32 GB | 64 GB | 128 GB |
| Storage | 512 GB NVMe | 1 TB NVMe | 2 TB NVMe (RAID-1) |
| GPU | None (CPU inference) | 1x NVIDIA L4 | 2x NVIDIA L40S |
| Power | 1x IEC C13, 220 W max | 1x IEC C13, 650 W max | 2x IEC C13 redundant, 1100 W each |
| Network | 1x 1 GbE RJ45 | 2x 10 GbE SFP+ | 2x 10 GbE SFP+ |
| Noise | Silent (fanless) | < 40 dB | < 50 dB |
| Weight | 1.5 kg | 8 kg | 18 kg |
Environmental
| Parameter | Requirement |
|---|---|
| Operating temperature | 10 - 35 C |
| Humidity | 20% - 80% non-condensing |
| Airflow clearance (rear) | 50 mm minimum |
| Rack clearance (Starter/Pro) | Standard 4-post 19" rack |
Pre-install checklist
Complete every item before powering on the appliance.
Network
- Allocate a static IP or DHCP reservation for the appliance.
- Configure DNS: appliance.<your-domain> resolving to the appliance IP.
- Open outbound HTTPS (443) to *.operayde.com on your firewall.
- Open outbound NTP (123) to ntp.ubuntu.com or your internal NTP server.
- Verify outbound connectivity from the target network segment.
Identity provider
- Register an OIDC client in your IdP for the appliance.
  - Redirect URI: https://appliance.<your-domain>/auth/callback
  - Grant type: Authorization Code + PKCE
  - Scopes: openid profile email groups
- Map your IdP groups to Operayde roles:
  - tenant-admin: manages config, keys, audit
  - tenant-user: uses the workspace and API
- Test the OIDC client independently (e.g. with curl or a test app).
Physical
- Power outlet(s) at the installation site.
- Network cable (Cat6 for Micro, SFP+ for Starter/Pro).
- Rack space reserved (Starter/Pro only).
- Slide rails installed (Pro ships with rails; Starter uses standard L-brackets).
Operayde portal
- Enrolment token generated in the operator portal.
- Tenant created and configured with correct residency region(s).
- Initial virtual key created for smoke testing.
Firewall rules
Minimal outbound rule set
# Operayde control plane
ALLOW OUT tcp dst ops.<region>.operayde.com:443
ALLOW OUT tcp dst bundles.<region>.operayde.com:443
# Time synchronisation
ALLOW OUT udp dst ntp.ubuntu.com:123
# Your identity provider
ALLOW OUT tcp dst <your-idp-issuer>:443
# (Optional) Cloud inference fallback — only if your policy allows it
ALLOW OUT tcp dst inference.<region>.operayde.com:443
# Deny everything else outbound from the appliance VLAN
DENY OUT all
Recommended: isolate the appliance
Place the appliance on its own VLAN. This limits the blast radius of any compromise and simplifies firewall rules.
VLAN 100 — Operayde Appliance
Subnet: 10.10.100.0/24
Default gateway: 10.10.100.1 (firewall)
DNS: your internal resolver (must resolve *.operayde.com)
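To confirm the rule set and VLAN isolation hold in practice, the added script below (not Operayde tooling) flags logged egress from 10.10.100.0/24 that falls outside the allowlist. The key=value log format, the region `eu` and the IdP host are constructed sample values; adapt the field parsing to your firewall's export.

```shell
#!/bin/sh
# Added example (not Operayde tooling): audit firewall logs for egress from the
# appliance VLAN that is outside the minimal outbound rule set.
# The key=value log format, REGION and IDP_HOST values are constructed samples.
REGION=${REGION:-eu}
IDP_HOST=${IDP_HOST:-idp.example.com}
ALLOW_INFERENCE=${ALLOW_INFERENCE:-0}   # 1 only if policy permits cloud fallback

# Reads log lines on stdin; prints one finding per unexpected flow.
#   RULE-GAP: the firewall allowed a flow that is not on the allowlist
#   BLOCKED:  the appliance attempted a flow the firewall denied
audit_egress() {
  awk -v region="$REGION" -v idp="$IDP_HOST" -v fallback="$ALLOW_INFERENCE" '
    BEGIN {
      ok["ops." region ".operayde.com/tcp/443"] = 1
      ok["bundles." region ".operayde.com/tcp/443"] = 1
      ok["ntp.ubuntu.com/udp/123"] = 1
      ok[idp "/tcp/443"] = 1
      if (fallback == 1) ok["inference." region ".operayde.com/tcp/443"] = 1
    }
    {
      split("", f)                                   # reset fields for this line
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
      }
      if (f["src"] !~ /^10\.10\.100\.[0-9]+$/) next  # only the appliance VLAN
      flow = f["dst"] "/" f["proto"] "/" f["dport"]
      if (flow in ok) next
      kind = (f["action"] == "ALLOW") ? "RULE-GAP" : "BLOCKED"
      print kind, f["src"], "->", flow
    }'
}

# Constructed sample log (no real traffic).
sample_log() {
  cat <<'EOF'
ts=2026-05-17T09:00:01Z src=10.10.100.10 dst=ops.eu.operayde.com proto=tcp dport=443 action=ALLOW
ts=2026-05-17T09:00:02Z src=10.10.100.10 dst=ntp.ubuntu.com proto=udp dport=123 action=ALLOW
ts=2026-05-17T09:00:05Z src=10.10.100.10 dst=inference.eu.operayde.com proto=tcp dport=443 action=DENY
ts=2026-05-17T09:00:09Z src=10.10.100.10 dst=files.example.net proto=tcp dport=443 action=ALLOW
ts=2026-05-17T09:00:11Z src=10.10.20.7 dst=files.example.net proto=tcp dport=443 action=ALLOW
EOF
}

sample_log | audit_egress
```

A RULE-GAP finding means the final deny rule is not effective for that flow; a BLOCKED finding means the appliance tried a destination it should not need and is worth investigating.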
DNS setup
Option A: Internal DNS (recommended)
Add an A record in your internal DNS server:
appliance.<your-domain> IN A 10.10.100.10
This keeps the appliance reachable only from your internal network.
Option B: Split-horizon DNS
If your users need to access the appliance from both on-premise and VPN:
; Internal view
appliance.<your-domain> IN A 10.10.100.10
; External view (VPN users)
appliance.<your-domain> IN A 10.10.100.10
TLS certificate
The appliance generates a self-signed TLS certificate at first boot. For production use, provide a certificate signed by your internal CA or a public CA:
- Generate a CSR or provide a wildcard certificate for *.<your-domain>.
- Upload the certificate and key through the operator portal or during enrolment.
- The appliance reloads TLS configuration without downtime.
Post-install verification
After the appliance boots and enrols, verify:
# Check the appliance is healthy
curl -s https://appliance.example.com/v1/health | jq .
# Verify authentication
curl -s -H "Authorization: Bearer $OPERAYDE_KEY" \
https://appliance.example.com/v1/models | jq .
# Run a smoke test
curl -s -X POST https://appliance.example.com/v1/chat/completions \
-H "Authorization: Bearer $OPERAYDE_KEY" \
-H "Content-Type: application/json" \
-d '{"model":"operayde/instruct-13b","messages":[{"role":"user","content":"ping"}]}' \
| jq '.choices[0].message.content'
If all three commands succeed, the appliance is operational.