Different parts of the GovWorx application suite need different special considerations when setting up the network.
Data Agent
The following hosts, protocols and ports are needed for the data agent inside of your network to speak to the secure AWS GovCloud.
This is also outlined in the Data Agent Installation Checklist
Protocol | Host | Port | Purpose |
https | app.govworx.net | 443 | Main application |
https | realtime.govworx.net (if using Assist) | 443 | CommsCoach Assist |
https | s3-fips.us-gov-west-1.amazonaws.com | 443 | Data Upload |
https | gw-data-agent.s3.us-gov-west-1.amazonaws.com | 443 | Data Agent Installer |
https | http-intake.logs.us5.datadoghq.com | 443 | Agent Telemetry |
https | api.us5.datadoghq.com | 443 | Agent Telemetry |
Simulator
Protocol | Host | Port | Purpose |
https | simulate.govworx.net | 443 | Main application |
https | speech.microsoft.com | 443 | Scripted caller accessibility |
https | api.openai.com | 443 | Smart Caller backend for API calls |
UDP | realtime.api.openai.com | 443 | Primary WebRTC media transport for audio streams in Smart Caller |
Additional Considerations for Smart Caller
Allow outbound HTTPS to api.openai.com
Allow outbound UDP on ports 3478, 5349 (STUN/TURN)
Allow outbound UDP on high ports (49152-65535) for media streams
Why am I whitelisting OpenAI?
To power the conversational portion of our Smart Caller Simulator we chose the OpenAI Realtime API. In this article you will see a section on WebRTC.
WebRTC is a powerful set of standard interfaces for building real-time applications. The OpenAI Realtime API supports connecting to realtime models through a WebRTC peer connection. Follow this guide to learn how to configure a WebRTC connection to the Realtime API.
When tools like OpenAI’s real-time API leverage WebRTC over the internet, firewall configuration becomes more complex because WebRTC establishes direct, real-time connections between clients and servers using dynamically negotiated ports and protocols. Unlike traditional web traffic (which typically uses fixed ports like 443 for HTTPS), WebRTC uses a process called ICE (Interactive Connectivity Establishment) to find the best network path, involving STUN and TURN servers that may operate on varying IP addresses and a wide range of ports. This dynamic, multi-path setup helps WebRTC connections traverse NATs and firewalls but requires firewalls to whitelist a broader set of IPs and port ranges, not just standard web ports. As a result, organizations often need to adapt their firewall rules significantly to allow seamless, real-time communication over the internet using WebRTC-based APIs.
See more here for the STUN and TURN servers https://www.rfc-editor.org/rfc/rfc8656.html