About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
Configuring firewall access
Last updated: Jul 25, 2025
Firewalls protect valuable data from public access. If your data sources reside behind a firewall for protection, and you are not using a Satellite Connector or Satellite location, then you must configure the firewall to allow the IP addresses for IBM watsonx and also for individual services. Otherwise, IBM watsonx is denied access to the data sources.
To allow IBM watsonx access to private data sources, you configure inbound firewall rules using the security mechanisms for your firewall. Inbound firewall rules are not required for connections that use a Satellite Connector or Satellite location, which establishes a link by performing an outbound connection. For more information, see Connecting to data behind a firewall.
All services in IBM watsonx actively use WebSockets for the proper functioning of the user interface and APIs. Any firewall between the user and the IBM watsonx domain must allow HTTPUpgrade. If IBM watsonx is installed behind a firewall, traffic for the wss:// protocol must be enabled.
Configuring inbound access rules for firewalls
If data sources reside behind a firewall, then inbound access rules are required for IBM watsonx. Inbound firewall rules protect the network against incoming traffic from the internet. The following scenarios require inbound access rules through a firewall:
Learn more
Parent topic: Setting up the platform for administrators
Was the topic helpful?
0/1000