Network Settings
Configure network access, security, and connectivity for your Chiro AI instance. Achiral provides enterprise-grade networking with flexible security controls.
Default Network Configuration
Each Chiro instance includes:
- Secure API Endpoint: HTTPS-enabled API endpoint with SSL/TLS encryption
- Tenant Isolation: Logical isolation for your organization's data and models
- DDoS Protection: Automatic protection against distributed denial-of-service attacks
- Load Balancing: Built-in load balancing for high availability
API Endpoint
Endpoint Format
Your Chiro instance is accessible via:
https://api.achiral.ai/v1/chat/completions
Authentication is handled via API keys in the Authorization header.
Custom Domains
Configure custom domains for your Chiro instance (available on Scale+ plans):
Via Dashboard
- Navigate to Configuration → Network → Custom Domain
- Click Add Custom Domain
- Enter your domain name (e.g., api.example.com)
- Add the provided DNS records to your domain:
- Type: CNAME
- Name: api (or your subdomain)
- Value: api.achiral.ai
- Click Verify DNS
- Wait for SSL certificate provisioning (usually < 5 minutes)
Via API
curl -X POST https://api.achiral.ai/v1/organizations/{org_id}/domain \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "api.example.com"
  }'
SSL/TLS Configuration
All endpoints use TLS 1.3 by default with:
- Certificate Authority: Let's Encrypt (automatic renewal)
- Cipher Suites: Modern, secure cipher suites only
- HSTS: HTTP Strict Transport Security enabled
- Perfect Forward Secrecy: Enabled
Custom SSL Certificates
Upload your own SSL certificates:
curl -X POST https://api.achiral.ai/v1/organizations/{org_id}/ssl \
  -F "certificate=@cert.pem" \
  -F "private_key=@key.pem" \
  -F "ca_bundle=@ca.pem" \
  -H "Authorization: Bearer YOUR_API_KEY"
IP Allowlisting
Restrict access to your Chiro instance by IP address.
Configure via Dashboard
- Navigate to Configuration → Network → IP Allowlist
- Click Add IP Range
- Enter IP address or CIDR block (e.g., 203.0.113.0/24)
- Add a description (optional)
- Click Save
Configure via API
curl -X POST https://api.achiral.ai/v1/organizations/{org_id}/allowlist \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "ip_ranges": [
      {
        "cidr": "203.0.113.0/24",
        "description": "Office network"
      },
      {
        "cidr": "198.51.100.50/32",
        "description": "CI/CD server"
      }
    ]
  }'
Allowlist Management
- Default: All IPs allowed when list is empty
- Behavior: Once the list has at least one entry, only listed IPs can access your Chiro instance
- Format: IPv4 CIDR notation (e.g., 192.0.2.0/24 or 192.0.2.1/32)
- Maximum entries: 100 IP ranges per organization
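A pre-flight check for the allowlist rules above, as an added example (not Achiral's own code): it validates an `ip_ranges` list against the stated format and entry limit, flags broad or overlapping ranges, and catches the case where the submitting client would lock itself out. The function name, the `min_prefix` threshold and the three bad sample entries are assumptions made for illustration.

```python
import ipaddress

MAX_ENTRIES = 100  # page: maximum 100 IP ranges per organization

# Constructed sample payload: the page's two entries plus three bad ones.
SAMPLE = [
    {"cidr": "203.0.113.0/24", "description": "Office network"},
    {"cidr": "198.51.100.50/32", "description": "CI/CD server"},
    {"cidr": "203.0.113.77/24", "description": "typo: host bits set"},
    {"cidr": "2001:db8::/32", "description": "IPv6, not IPv4 CIDR"},
    {"cidr": "0.0.0.0/0", "description": "matches every address"},
]

def check_allowlist(ip_ranges, client_ip, min_prefix=16):
    """Return (errors, warnings) for an ip_ranges list before it is submitted.

    client_ip is the address the administrator will keep connecting from;
    min_prefix is a hypothetical local policy for "too broad".
    """
    errors, warnings, nets = [], [], []
    if not ip_ranges:
        return errors, ["empty list: all IPs are allowed"]
    if len(ip_ranges) > MAX_ENTRIES:
        errors.append(f"{len(ip_ranges)} entries exceeds the limit of {MAX_ENTRIES}")
    for entry in ip_ranges:
        cidr = entry.get("cidr", "")
        try:
            # strict=True rejects set host bits such as 203.0.113.77/24
            net = ipaddress.IPv4Network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"{cidr!r}: not a valid IPv4 CIDR ({exc})")
            continue
        if net.prefixlen < min_prefix:
            warnings.append(f"{cidr}: covers {net.num_addresses} addresses")
        for other in nets:
            if net.overlaps(other):
                warnings.append(f"{cidr} overlaps {other}")
        nets.append(net)
    # Once the list is non-empty, an unlisted client loses access.
    addr = ipaddress.ip_address(client_ip)
    if nets and not any(addr in n for n in nets):
        errors.append(f"{client_ip} is not listed: saving would lock it out")
    return errors, warnings

if __name__ == "__main__":
    for label, msgs in zip(("ERROR", "WARN"), check_allowlist(SAMPLE, "192.0.2.10")):
        for msg in msgs:
            print(label, msg)
```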
VPC Integration
Connect your Chiro instance to your Virtual Private Cloud for enhanced security (available on Dedicated plan).
AWS VPC Peering
Prerequisites
- AWS account with VPC
- VPC CIDR range that doesn't conflict with Achiral network (10.0.0.0/8)
- Appropriate AWS IAM permissions
Setup Steps
- Navigate to Configuration → Network → VPC Peering
- Select AWS as cloud provider
- Enter your VPC details:
- AWS Account ID
- VPC ID
- VPC Region
- VPC CIDR
- Click Request Peering
- Accept the peering connection in your AWS console
- Update route tables in your VPC to route traffic to Achiral
Via API
curl -X POST https://api.achiral.ai/v1/organizations/{org_id}/vpc-peering \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "aws",
    "vpc_id": "vpc-0123456789abcdef0",
    "region": "us-east-1",
    "cidr": "172.31.0.0/16",
    "account_id": "123456789012"
  }'
Google Cloud VPC Peering
Similar setup available for Google Cloud Platform VPCs. Contact support for configuration assistance.
Azure VNet Peering
Azure Virtual Network peering available on Dedicated plan. Contact support for configuration.
Private Endpoints
Create private endpoints accessible only within your VPC (Dedicated plan only).
Setup Private Endpoint
curl -X POST https://api.achiral.ai/v1/organizations/{org_id}/private-endpoint \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "vpc_id": "vpc-0123456789abcdef0",
    "subnet_ids": ["subnet-abc123", "subnet-def456"],
    "security_group_ids": ["sg-xyz789"]
  }'
Private endpoint URL format:
https://{org-id}.private.achiral.ai
Firewall Rules
Configure outbound network access from your Chiro instance (Dedicated plan only).
Default Outbound Rules
By default, Chiro instances can access:
- External APIs (for integrations)
- Data sources (for RAG)
- Webhook endpoints
Custom Firewall Rules
Restrict outbound access:
curl -X POST https://api.achiral.ai/v1/organizations/{org_id}/firewall \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "outbound_rules": [
      {
        "destination": "api.example.com",
        "port": 443,
        "protocol": "tcp",
        "action": "allow"
      },
      {
        "destination": "0.0.0.0/0",
        "port": "*",
        "protocol": "*",
        "action": "deny"
      }
    ]
  }'
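A lint pass over an `outbound_rules` array in the format shown above, as an added example (not Achiral's own code). It assumes, which the page does not state, that rules are evaluated top to bottom with the first match deciding; under that assumption it reports shadowed rules, overly broad allows and a missing catch-all deny. The function names are hypothetical.

```python
# The two rules from the page's request body.
PAGE_RULES = [
    {"destination": "api.example.com", "port": 443, "protocol": "tcp", "action": "allow"},
    {"destination": "0.0.0.0/0", "port": "*", "protocol": "*", "action": "deny"},
]

def is_catch_all(rule):
    """True for a rule that matches every destination, port and protocol."""
    return (rule.get("destination") == "0.0.0.0/0"
            and rule.get("port") == "*" and rule.get("protocol") == "*")

def lint_outbound_rules(rules):
    """Return a list of findings for an outbound_rules array.

    Assumption (not stated on the page): rules are evaluated in order
    and the first matching rule decides.
    """
    findings = []
    catch_all_at = None
    for i, rule in enumerate(rules):
        action = rule.get("action")
        if action not in ("allow", "deny"):
            findings.append(f"rule {i}: unknown action {action!r}")
            continue
        if catch_all_at is not None:
            # Everything after a catch-all can never match.
            findings.append(f"rule {i}: unreachable, shadowed by rule {catch_all_at}")
            continue
        if is_catch_all(rule):
            catch_all_at = i
            if action == "allow":
                findings.append(f"rule {i}: allows all outbound traffic")
        elif action == "allow" and rule.get("port") == "*":
            findings.append(f"rule {i}: allows every port to {rule.get('destination')}")
    if catch_all_at is None or rules[catch_all_at].get("action") != "deny":
        findings.append("no catch-all deny: unmatched destinations are not explicitly blocked")
    return findings

if __name__ == "__main__":
    # Constructed variant: the page's rules in reverse order.
    for finding in lint_outbound_rules(list(reversed(PAGE_RULES))):
        print(finding)
```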
Network Performance
Bandwidth Limits
| Plan | Inbound Bandwidth | Outbound Bandwidth | Burst Capability |
|---|---|---|---|
| Spark | 1 Gbps | 1 Gbps | 2 Gbps (5 min) |
| Seed | 10 Gbps | 10 Gbps | 20 Gbps (5 min) |
| Growth | 40 Gbps | 40 Gbps | 100 Gbps (5 min) |
Latency Optimization
- Regional Deployment: Choose regions closest to your users
- Edge Caching: Enable response caching for repeated queries
- Keep-Alive Connections: Reuse HTTP connections for better performance
- HTTP/2: Enabled by default for multiplexing
Connection Pooling
Configure connection pool settings:
curl -X PATCH https://api.achiral.ai/v1/organizations/{org_id}/config \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "network": {
      "max_connections": 1000,
      "connection_timeout": 30,
      "keepalive_timeout": 75
    }
  }'
Network Monitoring
Metrics Available
- Request Rate: Requests per second
- Bandwidth Usage: Inbound/outbound traffic
- Connection Count: Active connections
- Error Rate: Network-related errors
- Latency: P50, P95, P99 response times
Network Alerts
Set up alerts for:
- Bandwidth exceeding 80% of limit
- Connection count approaching maximum
- High error rates (> 1%)
- Unusual traffic patterns (DDoS detection)
DNS Configuration
DNS Records
Achiral manages DNS for your default endpoint. For custom domains:
- Add CNAME record pointing to api.achiral.ai
- Wait for DNS propagation (up to 48 hours)
- Verify in the dashboard
DNS Caching
- TTL: 300 seconds (5 minutes) for default endpoints
- Custom TTL: Configurable for custom domains
- Propagation: Global propagation via Cloudflare network
WebSocket Support
WebSocket connections are supported for real-time chat:
const ws = new WebSocket('wss://api.achiral.ai/v1/chat/stream')

ws.onopen = () => {
  ws.send(
    JSON.stringify({
      model: 'chiro',
      messages: [{role: 'user', content: 'Hello, world!'}],
      stream: true,
    })
  )
}

ws.onmessage = event => {
  console.log('Received:', event.data)
}
WebSocket Configuration
curl -X PATCH https://api.achiral.ai/v1/organizations/{org_id}/config \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "websocket": {
      "enabled": true,
      "max_connections": 100,
      "idle_timeout": 300
    }
  }'
Network Troubleshooting
Common Issues
Connection Timeouts
- Check firewall rules and IP allowlist
- Verify DNS resolution
- Test with curl -v https://{your-endpoint}
SSL Certificate Errors
- Ensure custom domain DNS is configured correctly
- Wait for certificate provisioning to complete
- Check certificate expiration dates
High Latency
- Choose a region closer to your users
- Enable connection keep-alive
- Use private endpoints for VPC-internal traffic
Network Diagnostics
# Test endpoint connectivity
curl -I https://api.achiral.ai/health
# Check DNS resolution
dig api.achiral.ai
# Test WebSocket connection
wscat -c wss://api.achiral.ai/v1/chat/stream
Next Steps
- Storage Options - Configure persistent storage
- Security & Compliance - Advanced security features
- API Reference - Network API endpoints