Network endpoints
A self-hosted Sema4.ai deployment communicates with a small set of Sema4.ai services over outbound HTTPS (port 443) — for licensing, image and update distribution, and a few managed services. Allow egress from your environment to the hostnames below.
These are the Sema4.ai endpoints only. Your deployment also needs egress to the services you connect it to — LLM providers, MCP servers, and databases. See Add networking rules.
Required endpoints
| Endpoint | Purpose |
|---|---|
get.sema4.ai | Enterprise Portal — licensing, and install/update instructions. |
proxy.sema4.ai | Container image distribution — pulling the application images. |
registry.sema4.ai | Helm chart registry — pulling and upgrading the application Helm chart (EKS/AKS). |
app-updates.sema4.ai | Application update service — release availability and update delivery. |
backend.sema4.ai | License validation, issue/support report uploads, and Document Intelligence. |
Optional endpoints
These are only needed when the corresponding capability is enabled for your deployment:
| Endpoint | Purpose |
|---|---|
llm.backend.sema4.ai | Sema4.ai-managed LLM proxy — only required if Sema4.ai provides a managed LLM endpoint for your deployment. |
dx.sema4.ai | Product usage telemetry. |
Unrestricted outbound HTTPS is the simplest configuration and what we recommend for most deployments. If your environment requires an explicit allow-list, the hosts above are the Sema4.ai destinations to include.