
Conversation

@gavinelder (Contributor) commented Apr 22, 2025

Currently the network configuration requirements for Cloud are within the Enterprise section; as such, these have been moved to Cloud under enterprise/advanced-topics/firewall-configuration.md.

The original content can be viewed at https://docs.seqera.io/platform-enterprise/25.1/enterprise/advanced-topics/firewall-configuration

Further to that, for Enterprise customers self-hosting their own installation:

  • Seqera Cloud requires no inbound connectivity to their environment.
  • The customer's Seqera Self-Hosted instance should be allowed to communicate with licences.seqera.io on port 443; the IP addresses for this are the ones defined as ingress at https://meta.seqera.io.

Enterprise Plugins & Fusion

Seqera Enterprise plugins & Fusion have licence checking built in; as such, it's not sufficient to only allow outbound traffic to port 443 from the Seqera Enterprise installation, they will also have to allow network traffic from the Compute Environment executing the Nextflow jobs.

Wave

If the customer is using Seqera Cloud hosted Wave and they're using the Mirror or Freeze functionality, which requires Wave to store built containers within their container registry, then they will have to ensure that the wave-build VPC is allowed to push to their container registry. For most cloud providers this requires additional configuration to lock down, so it's not normally a problem.

These would be the IP addresses on port 443 defined as egress at https://meta.seqera.io.

If the customer would like to restrict outbound traffic from their installation, they would be responsible for ensuring they allow access to Seqera assets hosted on Cloudflare, along with Nextflow assets hosted on GitHub artifacts and any code hosting solutions or third-party dependencies they're using, such as GitHub / GitLab / Artifactory.

Structure

I have tried to follow the following structure for the networking requirements.

  • Create a distinction between platform & compute environments.
  • Give a brief simple overview.
  • Go into depth where required on a service-by-service basis depending on customer usage.

The main thing I am trying to do with the docs is inform the customer of our networking needs, and of how their pipeline and the external services they use create different networking requirements slightly outside the scope of our documentation, as it's non-exhaustive; they should take their intended usage patterns into consideration.

In short, customers only need Licence manager access & cloud info as an optional service; all other items can be hosted inside their internal network and are not required for Platform to function.

There is a feature of Studios which needs to talk to Wave; however, this is not fully released and is being re-worked by the team.

netlify bot commented Apr 22, 2025

Deploy Preview for seqera-docs ready!

Latest commit: 0396ded
Latest deploy log: https://app.netlify.com/projects/seqera-docs/deploys/697bacbc29fc1500085b9c68
Deploy Preview: https://deploy-preview-556--seqera-docs.netlify.app

@ShahzebMahmood (Contributor) commented

We need to update the IP addresses listed in the documentation. I'm also wondering if it makes sense to include them there at all. Additionally, we should add a list of the services that sit behind those IPs for better clarity.

At the moment, the documentation focuses only on the Enterprise offering, but there are scenarios where Cloud customers also need access to this information, so we may want to expand the scope accordingly.

On a related note, we've recently updated meta.seqera.io to display both ingress and egress IPs, which should make it easier to surface and maintain this information. I updated this PR to show the correct IPs, which should look like the following:

{
  "egress": [
    "18.169.21.18/32",
    "18.135.7.45/32",
    "18.171.4.252/32"
  ],
  "ingress": [
    "35.179.197.5/32",
    "3.11.38.17/32",
    "18.175.79.222/32"
  ]
}
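As an added example (not code from the PR or from Seqera), a small Python check that parses the egress/ingress document in the shape shown above, validates each CIDR strictly, and reports how an existing firewall allowlist drifts from the published ranges. The sample values are copied from the comment; the "current allowlist" is constructed, and nothing is fetched live.

```python
import ipaddress
import json

# Constructed sample in the shape the comment shows for meta.seqera.io
# (values copied from the PR comment above; nothing is fetched live).
META_JSON = """{
  "egress": ["18.169.21.18/32", "18.135.7.45/32", "18.171.4.252/32"],
  "ingress": ["35.179.197.5/32", "3.11.38.17/32", "18.175.79.222/32"]
}"""


def parse_ranges(text):
    """Parse the egress/ingress document into sets of strict networks.

    strict=True rejects entries with host bits set outside the prefix
    (e.g. "18.171.4.1/24"), so a typo cannot silently widen a rule.
    """
    data = json.loads(text)
    return {
        direction: {ipaddress.ip_network(e, strict=True) for e in data.get(direction, [])}
        for direction in ("egress", "ingress")
    }


def allowlist_drift(published, current):
    """Compare a firewall's current allowlist with the published ranges.

    Matching is exact on purpose: a broader rule that merely contains a
    published /32 is reported as stale, because it admits more than the
    published address. Returns (missing, stale) as sorted string lists.
    """
    current_nets = {ipaddress.ip_network(c, strict=True) for c in current}
    missing = sorted(str(n) for n in published - current_nets)
    stale = sorted(str(n) for n in current_nets - published)
    return missing, stale


def covered(ranges, ip):
    """True if `ip` falls inside any network in `ranges`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


if __name__ == "__main__":
    ranges = parse_ranges(META_JSON)
    # Constructed: a registry allowlist with one over-broad and one missing entry.
    current = ["18.169.21.18/32", "18.135.7.45/32", "18.171.4.0/24"]
    missing, stale = allowlist_drift(ranges["egress"], current)
    print("add to allowlist:", missing)
    print("remove from allowlist:", stale)
```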

@bebosudo (Member) left a comment

Seqera Cloud requires no inbound connectivity to their environment.

I'm not sure that's correct; take the case of customers who are using the Wave service with Mirror and/or Freeze functionalities: they'd need to allowlist our egress IPs in order for Wave to store images in their container registry of choice, or for Fusion to call home, etc.

@gavinelder force-pushed the ge/docs/firewall-config branch from 53eb7a2 to e54de3c on January 27, 2026 16:27
@gavinelder changed the title from "docs: Move Cloud Firewall config into Cloud Folder" to "docs: Restructure Enterprise networking." on Jan 27, 2026
@bebosudo (Member) left a comment

This isn't a complete review, but I'll continue the discussion on Slack.

Co-authored-by: Alberto Chiusole <1922124+bebosudo@users.noreply.github.com>
Signed-off-by: Gavin <gav.elder@gmail.com>
@bebosudo (Member) left a comment

I'd probably restructure this page by moving the Platform vs CE explanation first, then the two tables with requirements, then the section about DNS/IP (both Seqera's and Cloudflare's) allowlisting, and finally the detailed explanation of each service.
Requesting changes because the tables need to be updated.

tags: [networking, configuration]
---

Seqera Platform Enterprise requires inbound and outbound connections to external services. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment.

Suggested change
Seqera Platform Enterprise requires inbound and outbound connections to external services. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment.
Seqera Platform Enterprise requires inbound and outbound connections to external services: this page details the required ingress and egress networking considerations.


Understanding the distinction between Platform and Compute environment networking requirements is essential for configuring your firewall rules:

**Platform requirements** refer to network connectivity needed by your Seqera Platform instance itself. This includes connections for license validation, user authentication, accessing platform resources, and managing pipeline definitions. These connections originate from the server or infrastructure where your Seqera Platform application is installed.

Suggested change
**Platform requirements** refer to network connectivity needed by your Seqera Platform instance itself. This includes connections for license validation, user authentication, accessing platform resources, and managing pipeline definitions. These connections originate from the server or infrastructure where your Seqera Platform application is installed.
**Platform requirements** refer to the network connectivity required by your Seqera Platform instance. This includes connections for license validation, user authentication, access to platform resources, and management of pipeline definitions. These connections originate from the server or infrastructure where your Platform Enterprise application is installed.


**Platform requirements** refer to network connectivity needed by your Seqera Platform instance itself. This includes connections for license validation, user authentication, accessing platform resources, and managing pipeline definitions. These connections originate from the server or infrastructure where your Seqera Platform application is installed.

**Compute environment requirements** refer to network connectivity needed by the infrastructure where Nextflow pipeline jobs execute. This includes connections for pulling pipeline code, downloading container images, accessing data sources, and utilizing Seqera enterprise features like Fusion or Wave. These connections originate from your compute resources (e.g., Kubernetes clusters, AWS Batch, Azure Batch, HPC clusters).
@bebosudo (Member) commented Jan 30, 2026

Suggested change
**Compute environment requirements** refer to network connectivity needed by the infrastructure where Nextflow pipeline jobs execute. This includes connections for pulling pipeline code, downloading container images, accessing data sources, and utilizing Seqera enterprise features like Fusion or Wave. These connections originate from your compute resources (e.g., Kubernetes clusters, AWS Batch, Azure Batch, HPC clusters).
**Compute environment requirements** refer to the network connectivity needed by the infrastructure where Nextflow pipeline jobs execute, which is provisioned on-demand by your Platform Enterprise installation. This includes connections for pulling pipeline code, downloading container images, accessing data sources, and using Seqera enterprise features, like Fusion or Wave. These connections originate from your compute resources (e.g., Kubernetes clusters, AWS Batch, Azure Batch, HPC clusters).
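Review bot: the clause added in this suggestion, "which is provisioned on-demand by your Platform Enterprise installation", does not hold for every example the same sentence lists; HPC clusters, and usually Kubernetes clusters, are pre-existing infrastructure that Platform connects to rather than provisions. Suggest qualifying it, e.g. "which may be provisioned on demand by your Platform Enterprise installation or be pre-existing infrastructure", so readers do not conclude the compute-side firewall rules apply only to Platform-created resources.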


**Compute environment requirements** refer to network connectivity needed by the infrastructure where Nextflow pipeline jobs execute. This includes connections for pulling pipeline code, downloading container images, accessing data sources, and utilizing Seqera enterprise features like Fusion or Wave. These connections originate from your compute resources (e.g., Kubernetes clusters, AWS Batch, Azure Batch, HPC clusters).

In many deployments, Platform and Compute environments are isolated from each other with different network security policies. Ensure you configure firewall rules for both environments according to their respective requirements.

Suggested change
In many deployments, Platform and Compute environments are isolated from each other with different network security policies. Ensure you configure firewall rules for both environments according to their respective requirements.
Refer to the [Platform architecture](../overview) for details on how Platform works.
In many deployments, Platform and Compute environments are isolated from each other with different network security policies. Ensure you configure firewall rules for both environments according to their respective requirements.

Comment on lines +148 to +158
| `cerbero.seqera.io` | 443 | Optional | Wave authentication |
| `public.wave.seqera.io` | 443 | Optional | Wave public services |
| `private.wave.seqera.io` | 443 | Optional | Wave private services |
| `community.wave.seqera.io` | 443 | Optional | Wave community services |
| `public.cr.seqera.io` | 443 | Optional | Container registry |
| `private.cr.seqera.io` | 443 | Optional | Container registry |
| `community.cr.seqera.io` | 443 | Optional | Container registry |
| `auth.cr.seqera.io` | 443 | Optional | Container registry auth |
| `cr.seqera.io` | 443 | Optional | Container registry |
| `ai.seqera.io` | 443 | Optional | Seqera AI |
| `api.multiqc.info` | 443 | Optional | MultiQC reports |
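Review bot: the Purpose column in this region gives the identical label "Container registry" to `public.cr.seqera.io`, `private.cr.seqera.io`, `community.cr.seqera.io` and `cr.seqera.io`, so a reader building an allowlist cannot tell which entries their deployment actually needs; give each row a distinguishing purpose and the condition that triggers it, or collapse them into one row. The Required column also reads "Optional" throughout this table while the license table below uses "Conditional"; settle on one term and define it once, since firewall rules are derived directly from that column.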

A bunch of these hostnames don't exist or their description isn't correct; I can help fix them if needed.

| Domain | Port | Required | Purpose |
| --------------------------------------------------------- | ---- | ----------- | ---------------------------------------------- |
| `licenses.seqera.io` | 443 | Conditional | License validation (Fusion/Enterprise plugins) |
| `cerbero.seqera.io` | 443 | Conditional | License validation |
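Review bot: the hostname in the first data row, `licenses.seqera.io`, is spelled differently from `licences.seqera.io` in the PR description; only one spelling can be the real host, and a customer who copies the wrong one into an allowlist will block license validation, so confirm the canonical name and use it consistently in the description and the table.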

Suggested change
| `cerbero.seqera.io` | 443 | Conditional | License validation |
| `cerbero.seqera.io` | 443 | Conditional | Auth service for Community CR |
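Review bot: with this suggestion `cerbero.seqera.io` is described as "Auth service for Community CR" here but as "Wave authentication" in the table at lines +148 to +158 above, and it remains in a table whose other row is license validation; keep a single entry for the host with one agreed purpose (and place it next to the Community CR rows it authenticates), otherwise the two tables disagree about why the rule is needed.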

@justinegeffen added labels on Jan 31, 2026: "1. Editor review" (Needs a language review), "do not merge" (Do not merge until this label is removed), "additional work req." (Additional work is required/comments need to be addressed before second review), "content-improvement" (This work improves content editorially or structurally), "1. Dev/PM/SME" (Needs a review by a Dev/PM/SME)