Firewalls protect valuable data from public access. If your data sources reside behind a firewall for protection, and you are not using a Satellite Connector or Satellite location, then you must configure the firewall to allow the IP addresses for IBM watsonx and also for individual services. Otherwise, IBM watsonx is denied access to the data sources.

To allow IBM watsonx access to private data sources, you configure inbound firewall rules using the security mechanisms for your firewall. Inbound firewall rules are not required for connections that use a Satellite Connector or Satellite location, which establishes a link by performing an outbound connection. For more information, see Connecting to data behind a firewall.

All services in IBM watsonx actively use WebSockets for the proper functioning of the user interface and APIs. Any firewall between the user and the IBM watsonx domain must allow HTTPUpgrade. If IBM watsonx is installed behind a firewall, traffic for the wss:// protocol must be enabled.