Arcules is designed to make a minimal footprint on your network infrastructure, and requires a few rules to be put in place to allow us to access your gateways, with permission, as well as to apply updates to the Arcules Software, and the operating system. Some minor changes may be required on the customer’s side to ensure all of these criteria are met.
Physical Gateway Requirements
Specifications (Dimensions are Width x Depth x Height)
Micro Form Factor Gateways - 1.42"x7.01"x7.17"
Small Form Factor Gateways - 3.65"x11.42"x11.53"
Rack Form Factor Gateways* - 1U Rack Space, 23.45" Deep
Micro and Small Form Factor Gateways require an HDMI or Display Port connection for a monitor. Rack Form Factors require VGA connections.
*Rack Form Factor Gateways come with Dell Ready Rails for installation to a standard 4 post rack.
Installation
Gateways should be unboxed, installed, and attached to power and network prior to attempting to add the gateway to your organization, or contacting Customer Care for assistance. A USB Keyboard and monitor are required to set a Static IP Address on the gateway.
Network Architecture recommendations can be found in this Knowledge Base Article: Recommended Network Architectures
For easiest installation, the gateway should be on the network with access to the cameras, and the internet.
Network Adapters
Micro Form Factors and Small Form Factors have a single network adapter.
Rack Form Factors come with multiple NIC's, but will require Customer Care assistance to utilize more than one NIC in order to reach a second network (i.e. NIC 1 is Internet Facing, NIC 2 is on a segregated camera network). Rack Form Factors cannot be configured for load balancing or redundancy over the network adapters.
Guidelines and Notes
Certificates
Arcules will only validate against trusted certificate authorities, and not self signed certificates when communicating via the public internet. If you have questions around this please reach out to our security and compliance team.
Multi-ISP Environments
When the Arcules system lives within an environment that contains multiple ISP's, a firewall rule should be implemented to ensure all Arcules traffic goes over the same ISP, with the fastest ISP speed. Load balancing this traffic can affect the performance of live video feeds and gateway uploads.
Firewall Settings
Outbound only: All required firewall rules apply to outbound traffic.
No inbound ports required: You do not need to open any inbound ports, helping minimize your security surface.
This approach is designed to maximize security while keeping firewall configuration simple.
Secure data handling: All customer data is encrypted both in transit and at rest to ensure integrity and protection.
Use domain names (recommended): Configure allowlists using domain names rather than IP addresses, as IPs may change over time.
Important Notice: IP Allowlisting Scope and Limitations
Arcules does not provide a complete or authoritative IP-based allowlist for gateway connectivity.
The IP ranges listed below are intended to support Arcules-managed infrastructure for upcoming platform environments only. While these ranges are sourced from our cloud provider and are generally expected to remain stable within that scope, they are not guaranteed and do not represent the full set of required endpoints.
It is important to understand that:
Arcules gateways rely on connectivity to both Arcules-managed services and external third-party services (e.g., time synchronization, operating system updates, container/platform dependencies).
IP addresses associated with third-party services are outside of Arcules' control and may change without notice.
Arcules does not provide or maintain a complete list of IP addresses for all service endpoints, including current or real-time IP mappings.
Requests for a complete or current IP-based allowlist cannot be fulfilled, as IP addressing for both Arcules-managed and external dependencies may change dynamically over time.
What this means in practice
Configuring only the IP ranges listed below will not result in a fully functional deployment.
IP-based allowlisting cannot guarantee reliable or future-proof operation.
IP Ranges (Limited Scope)
For customers operating in environments where IP-based controls are required, the following ranges may be used as a best-effort baseline for Arcules-managed infrastructure only.
Starting May 1, 2026, Arcules is introducing these ranges to support expanded platform environments. Existing allowed IPs should remain until further notice.
Important: These ranges do not cover third-party dependencies and are not sufficient on their own to ensure full functionality.
New IP ranges to allowlist:
34.54.0.144/28 – Covers IPs from 34.54.0.144 to 34.54.0.159
34.54.0.176/28 – Covers IPs from 34.54.0.176 to 34.54.0.191
34.54.0.192/28 – Covers IPs from 34.54.0.192 to 34.54.0.207
34.54.1.160/28 – Covers IPs from 34.54.1.160 to 34.54.1.175
SSL/TLS Deep Packet Inspection
Arcules does not support network appliances running deep packet inspection on our traffic. This can cause certificate issues, and trust issues with our traffic’s encryption, and will have a detrimental effect on the operation of the Arcules system.
Proxy Servers
Arcules does not support network appliances functioning as proxy servers for internet traffic.
Camera Protocol Configuration
Currently, Arcules requires a camera to have both HTTP and HTTPS enabled for successful connection to the Arcules Gateway Device.
Gateway Device Rules
The following domains and ports must be opened in order for the Arcules Gateway to be able to function, pull down updates, and report home for proactive monitoring.
These domains and ports must be opened so that each Gateway has access to these endpoints.
Domain Name | Purpose | Protocol | Port |
*.arcules.com | API Services | UDP/TCP/HTTPS,WSS | 443 |
|
|
|
|
*.cloud.google.com | Google Services | TCP/HTTPS | 443 |
*.googleapis.com | Google Services | TCP/HTTPS | 443 |
*.googleusercontent.com | Google Services | TCP/HTTPS | 443 |
|
|
|
|
*.ubuntu.com | OS Updates | TCP/HTTPS,HTTP,UDP/NTP | 443, 80, 123 |
*.launchpad.net | OS Updates | TCP/HTTPS,HTTP | 443, 80 |
*.snapcraft.io | OS Updates | TCP/HTTPS,HTTP | 443, 80 |
*.snapcraftcontent.com | OS Updates | TCP/HTTPS | 443 |
*.canonical.com | OS Updates | TCP/HTTPS,HTTP | 443, 80 |
|
|
|
|
*.gcr.io | Arcules Image Repository | TCP/HTTPS | 443 |
|
|
|
|
*.docker.io | Core Image Repository | TCP/HTTPS | 443 |
*.docker.com | Core Image Repository | TCP/HTTPS | 443 |
*.k8s.io | Core Image Repository | TCP/HTTPS | 443 |
|
|
|
|
rcss-production.arcules.com | Remote Support | TCP/SSH | 2222 |
rcs-production.arcules.com | Remote Support | TCP/SSH | 443 |
|
|
|
|
* | Speed Test | TCP/HTTPS | 8080 |
* | Online/Offline Detection | ICMP |
|
*.pool.ntp.org | Network Time Protocol | UDP | 123 |
8.8.8.8 & <Insert own DNS here> | Domain Name Services | TCP & UDP | 53 |
Specific Rules for WebRTC
In some cases, firewalls will need the specific endpoints for WebRTC to set up rules for STUN/TURN traffic. This list is the current list of Arcules endpoints for WebRTC.
Endpoint URL | IP Address | Port | Protocol |
Global Endpoints | Endpoints to be deprecated in July 2026 |
|
|
turn.arcules.com* | 34.122.20.30 | 443 | UDP/STUN |
turn2.arcules.com* | 34.136.68.211 | 443 | UDP/STUN |
US Data Center Orgs | Login URL: manage.arcules.com |
|
|
turn-us-central1-a.arcules.com | 34.122.20.30 | 443 | UDP/STUN |
turn-us-central1-b.arcules.com | 35.255.224.92 | 443 | UDP/STUN |
turn-us-east1-b.arcules.com | 35.231.251.91 | 443 | UDP/STUN |
turn-us-east1-c.arcules.com | 34.148.215.103 | 443 | UDP/STUN |
EU Data Center Orgs | Login URL: manage-eu.arcules.com |
|
|
turn-europe-west1-b.arcules.com | 34.14.60.47 | 443 | UDP/STUN |
turn-europe-west1-d.arcules.com | 34.140.35.229 | 443 | UDP/STUN |
JP/APAC Data Center Orgs | Login URL: manage.jp.arcules.com |
|
|
turn-asia-northeast1-a.arcules.com | 34.146.83.102 | 443 | UDP/STUN |
turn-asia-northeast1-b.arcules.com | 34.180.100.204 | 443 | UDP/STUN |
Client Network Rules
These client rules will allow for any system accessing the Arcules platform seamless usage. Any Inbound Ports associated to the requests would be client specified by the Client’s Operating System. Local Live / Local Playback feature requires clients to communicate directly to the cloud using UDP on Port 443. You cannot use Local Live / Local Playback if the client needs to go through proxies.
Domain | Usage | Protocol | Outbound Ports |
API Services | UDP/TCP/HTTPS,WSS | 443 | |
*.arcules.com | Remote Device Access | TCP | 4200 - 4250 |
*.intercom.com | Support And Chat | TCP/HTTPS/WSS | 443 |
*.split.io | Early release Features | TCP/HTTPS/WSS | 443 |
<Insert own DNS here> | Domain Name Services | TCP & UDP | 53 |
Internal Network Service Rules
All of these requirements are only within your local network, and no external application of these rules are required. Due to the wide range of drivers we support, some devices and cameras may operate differently than listed below, but this captures the most universal information.
Connection Type | Purpose | Protocols | Ports |
|
SERVER | For emergency offline viewing | TCP/HTTP,WS | 9000/443 |
|
CLIENT | ONVIF Communication (Camera) | TCP/SOAP | ~80, 443 |
|
CLIENT | Video Stream (Camera) | TCP/RTSP | ~554 |
|
CLIENT | Video or Audio Data | UDP/RTP | ~10000-20000 |
|
CLIENT/SERVER | Auto Discovery | UDP/mDNS | 5353 |
|
CLIENT/SERVER | Auto Discovery | UDP/uPNP | 1900 |
|
CLIENT | Auto Discovery | TCP/HTTP | ~80 |
|
CLIENT/SERVER | Auto Discovery | UDP/ONVIF | 3702 |
|
CLIENT/SERVER | Local Live Viewing | UDP/RTP | 20000 - 24999 |
|
CLIENT | Signaling and File Transfer | TCP/HTTP, HTTPS | 80,443 |
|
Note '~' Indicates the typical port that this operates on, and can be changed by the installer.
Optional Firmware Rule (Axis Cameras Only)
Domain | Purpose | Protocols | Ports |
*.axis.com | Firmware Updates for Axis hardware | TCP/HTTPS | 443 |