docs: Restructure Enteprise networking.

[gavinelder]

Currently the network configuration requirements for Cloud are within the Enterprise section as such these have been moved to the Cloud under enterprise/advanced-topics/firewall-configuration.md

The original content can be viewed at https://docs.seqera.io/platform-enterprise/25.1/enterprise/advanced-topics/firewall-configuration

Further to that for Enterprise customers self-hosting their own installation

• Seqera Cloud requires no inbound connectivity to their environment.
• The customers Seqera Self-Hosted instance should be allowed to communicate with licences.seqera.io on port 443 the ip addresses for this are the ones defined as ingress at https://meta.seqera.io

Enterprise Plugins & Fusion

Seqera Enterprise plugins & fusion have licence checking built-in as such it's not sufficient to only allow outbound traffic to port 443 from the Seqera Enterprise installation , they will also have to allow network traffic from the Compute Environment executing the Nextflow jobs.

Wave

If the customer is using Seqera Cloud hosted Wave and they're using the Mirror or Freeze functionality which requires Wave to store built containers within their container registry then they will have to ensure that the wave-build VPC is allowed to push to their container registry, for most cloud providers this requires additional configuration to lock down as such it's not normally a problem.

These would be the IP addresses on port 443 defined as egress at https://meta.seqera.io

If the customer would like to restrict outbound traffic from their installation they would be responsible for ensuring they allow access to Seqera Assets hosted on Cloudflare along with Nextflow assets hosted on Github artifacts along with any code hosting solutions or third party dependancies they're using such as Github / Gitlab / Artifactory.

Structure.

I have tried to follow the following structure for the networking requirements.

• Create a distinction between platform & compute environments.
• Give a brief simple overview.
• Go into depth where required on a service by service basis depending on customer usage.

The main item I am trying to do with the docs is inform the customer of our networking needs and how their pipeline and external services used create different networking requirements slightly outside of the scope of our documentation as it's non-exhaustive and they should take into consideration their intended usage patterns.

In short customers only need Licence manager access & cloud info as an optional service all other items can be hosted inside their internal network and are not required for platform to function.

There is a feature of Studios which needs to talk to wave however this is not released fully and is being re-worked by the team.

[netlify]

✅ Deploy Preview for seqera-docs ready!

Name	Link
🔨 Latest commit	dae081a
🔍 Latest deploy log	https://app.netlify.com/projects/seqera-docs/deploys/69d80974e468dc0008db0b94
😎 Deploy Preview	https://deploy-preview-556--seqera-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[ShahzebMahmood]

We need to update the IP addresses listed in the documentation. I'm also wondering if it makes sense to include them there at all. Additionally, we should add a list of the services that sit behind those IPs for better clarity.

At the moment, the documentation focuses only on the Enterprise offering, but there are scenarios where Cloud customers also need access to this information, so we may want to expand the scope accordingly.

On a related note, we've recently updated meta.seqera.io to display both ingress and egress IPs, which should make it easier to surface and maintain this information. I updated this PR to show the correct IPs, which should look like below.

{
  "egress": [
    "18.169.21.18/32",
    "18.135.7.45/32",
    "18.171.4.252/32"
  ],
  "ingress": [
    "35.179.197.5/32",
    "3.11.38.17/32",
    "18.175.79.222/32"
  ]
}

[bebosudo]

Seqera Cloud requires no inbound connectivity to their environment.

I'm not sure that's correct; take the case of customers who are using the wave service with mirror and/or freeze functionalities, they'd need to allowlist our egress IPs in order for wave to store images in their Container Registry of choice, or for Fusion to call home, etc

[bebosudo]

This isn't a complete review, but I'll continue the discussion on slack

[bebosudo]

I'd probably restructure this page by moving the Platform vs CE explanation first, then the two tables with requirements, then the section about DNS/IP (both Seqera's and Cloudflare's) allowlisting, and finally the detailed explanation of each service
Requesting changes because the tables need to be updated

[bebosudo]

Some open questions for the wave team and some improvements to the recap tables

[bebosudo]

Does Platform ever interact/pull data from CRs before submitting jobs that pull and use the images? @munishchouhan @pditommaso
Because we may need to add Cloudflare CDNs to the allowlists of the firewall rules for platform installations too (wave-cache-prod-cloudflare.seqera.io, wave-cache-prod-cloudflare.seqera.io.cdn.cloudflare.net, etc)

[bebosudo]

Suggested change

	- `community.wave.seqera.io`
	- `community.wave.seqera.io`
	- `cerbero.seqera.io`

Even though pulls don't require authentication, users still need to interact with cerbero to obtain an anonymous token to pull manifests and images

[bebosudo]

wait.. does wave interact with community.wave.seqera.io or should it be moved down into the "Seqera hosted container registries" section?

[bebosudo]

Suggested change

	| `ai.seqera.io` | 443 | Optional | Seqera AI |
	| `ai.seqera.io` | 443 | Optional | Seqera AI |
	| `ai-api.seqera.io` | 443 | Optional | Seqera AI |
	| `mcp.seqera.io` | 443 | Optional | Seqera MCP |

There are more AI services right now, but they aren't required by Platform per-se, and weren't listed in the sections above. Shall we document them or drop them?

[bebosudo]

Suggested change

| `cerbero.seqera.io` | 443 | Conditional | Auth service for Community CR |

[bebosudo]

Suggested change

	| `community.wave.seqera.io` | 443 | Conditional | Wave community services |
	| `community.wave.seqera.io` | 443 | Conditional | Wave community services |
	| `cerbero.seqera.io` | 443 | Conditional | Auth service for Community CR |