diff --git a/docs/enterprise/installing-embedded-requirements.mdx b/docs/enterprise/installing-embedded-requirements.mdx
index 57ea034cec..d243fcbe93 100644
--- a/docs/enterprise/installing-embedded-requirements.mdx
+++ b/docs/enterprise/installing-embedded-requirements.mdx
@@ -1,6 +1,6 @@
 import EmbeddedClusterRequirements from "../partials/embedded-cluster/_requirements.mdx"
 import EmbeddedClusterPortRequirements from "../partials/embedded-cluster/_port-reqs.mdx"
-import FirewallOpenings from "../partials/install/_firewall-openings.mdx"
+import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx"
 
 # Embedded Cluster Installation Requirements
 
@@ -14,6 +14,27 @@ This topic lists the installation requirements for Replicated Embedded Cluster.
 
 <EmbeddedClusterPortRequirements/>
 
-## Firewall Openings for Online Installations
-
-<FirewallOpenings/>
\ No newline at end of file
+## Firewall Openings for Online Installations with Embedded Cluster {#firewall}
+
+<FirewallOpeningsIntro/>
+
+<table>
+  <tr>
+      <th width="50%">Domain</th>
+      <th>Description</th>
+  </tr>
+  <tr>
+      <td>`proxy.replicated.com`</td>
+      <td><p>Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.</p></td>
+  </tr>
+  <tr>
+      <td>`replicated.app`</td>
+      <td><p>Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.</p></td>
+  </tr>
+  <tr>
+      <td>`registry.replicated.com` &#42;</td>
+      <td><p>Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.</p><p> For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.</p></td>
+  </tr>
+</table>
+
+&#42; Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about).
\ No newline at end of file
diff --git a/docs/enterprise/installing-general-requirements.mdx b/docs/enterprise/installing-general-requirements.mdx
index 0f1d81b85a..2c5a59971f 100644
--- a/docs/enterprise/installing-general-requirements.mdx
+++ b/docs/enterprise/installing-general-requirements.mdx
@@ -1,6 +1,6 @@
 import DockerCompatibility from "../partials/image-registry/_docker-compatibility.mdx"
 import KubernetesCompatibility from "../partials/install/_kubernetes-compatibility.mdx"
-import FirewallOpenings from "../partials/install/_firewall-openings.mdx"
+import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx"
 
 # KOTS Installation Requirements
 
@@ -266,6 +266,41 @@ KOTS has been tested for compatibility with the following registries:
 
 <DockerCompatibility/>
 
-## Firewall Openings for Online Installations
-
-<FirewallOpenings/>
+## Firewall Openings for Online Installations with KOTS in an Existing Cluster {#firewall}
+
+<FirewallOpeningsIntro/>
+
+<table>
+  <tr>
+      <th width="50%">Domain</th>
+      <th>Description</th>
+  </tr>
+  <tr>
+      <td>Docker Hub</td>
+      <td><p>Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.`</p></td>
+  </tr>
+  <tr>
+      <td>`proxy.replicated.com` &#42;</td>
+      <td><p>Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.</p></td>
+  </tr>
+  <tr>
+      <td>`replicated.app`</td>
+      <td><p>Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.</p></td>
+  </tr>
+  <tr>
+      <td>`registry.replicated.com` &#42;&#42;</td>
+      <td><p>Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.</p><p> For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.</p></td>
+  </tr>
+  <tr>
+      <td>`kots.io`</td>
+      <td><p>Requests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p></td>
+  </tr>
+  <tr>
+     <td>`github.com`</td>
+     <td>Requests are made to this domain when installing the Replicated KOTS CLI. For information about retrieving GitHub IP addresses, see [About GitHub&#39;s IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) in the GitHub documentation.</td>
+  </tr>
+</table>
+
+&#42; Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about).
+
+&#42;&#42; Required only if the application uses the [Replicated registry](/vendor/private-images-replicated).
diff --git a/docs/enterprise/installing-kurl-requirements.mdx b/docs/enterprise/installing-kurl-requirements.mdx
index 2c75ecca41..c3a17222fb 100644
--- a/docs/enterprise/installing-kurl-requirements.mdx
+++ b/docs/enterprise/installing-kurl-requirements.mdx
@@ -1,4 +1,4 @@
-import FirewallOpenings from "../partials/install/_firewall-openings.mdx"
+import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx"
 
 # kURL Installation Requirements
 
@@ -33,6 +33,41 @@ You must meet the additional kURL system requirements when applicable:
 
 - **Cloud Disk Performance**: For a list of cloud VM instance and disk combinations that are known to provide sufficient performance for etcd and pass the write latency preflight, see [Cloud Disk Performance](https://kurl.sh/docs/install-with-kurl/system-requirements#cloud-disk-performance) in the kURL documentation.
 
-## Firewall Openings for Online Installations
+## Firewall Openings for Online Installations with kURL {#firewall}
 
-<FirewallOpenings/>
\ No newline at end of file
+<FirewallOpeningsIntro/>
+
+<table>
+  <tr>
+      <th width="50%">Domain</th>
+      <th>Description</th>
+  </tr>
+  <tr>
+      <td>Docker Hub</td>
+      <td><p>Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.`</p></td>
+  </tr>
+  <tr>
+      <td>`proxy.replicated.com` &#42;</td>
+      <td><p>Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.</p></td>
+  </tr>
+  <tr>
+      <td>`replicated.app`</td>
+      <td><p>Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.</p></td>
+  </tr>
+  <tr>
+      <td>`registry.replicated.com` &#42;&#42;</td>
+      <td><p>Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.</p><p> For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.</p></td>
+  </tr>
+  <tr>
+     <td><p>`k8s.kurl.sh`</p><p>`s3.kurl.sh`</p></td>
+     <td><p>kURL installation scripts and artifacts are served from [kurl.sh](https://kurl.sh). An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p> For the range of IP addresses for `k8s.kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L34-L39) in GitHub.</p><p> The range of IP addresses for `s3.kurl.sh` are the same as IP addresses for the `kurl.sh` domain. For the range of IP address for `kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L28-L31) in GitHub.</p></td>
+  </tr>
+  <tr>
+     <td>`amazonaws.com`</td>
+     <td>`tar.gz` packages are downloaded from Amazon S3 during installations with kURL. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) in the AWS documentation.</td>
+  </tr>
+</table>
+
+&#42; Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about).
+
+&#42;&#42; Required only if the application uses the [Replicated registry](/vendor/private-images-replicated).
\ No newline at end of file
diff --git a/docs/partials/install/_firewall-openings-intro.mdx b/docs/partials/install/_firewall-openings-intro.mdx
new file mode 100644
index 0000000000..538a0d7254
--- /dev/null
+++ b/docs/partials/install/_firewall-openings-intro.mdx
@@ -0,0 +1,5 @@
+The domains for the services listed in the table below need to be accessible from servers performing online installations. No outbound internet access is required for air gap installations.
+
+For services hosted at domains owned by Replicated, the table below includes a link to the list of IP addresses for the domain at [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json) in GitHub. Note that the IP addresses listed in the `replicatedhq/ips` repository also include IP addresses for some domains that are _not_ required for installation.
+
+For any third-party services hosted at domains not owned by Replicated, consult the third-party's documentation for the IP address range for each domain, as needed. 
\ No newline at end of file
diff --git a/docs/partials/install/_firewall-openings.mdx b/docs/partials/install/_firewall-openings.mdx
index dfa0dda490..53c4489565 100644
--- a/docs/partials/install/_firewall-openings.mdx
+++ b/docs/partials/install/_firewall-openings.mdx
@@ -4,17 +4,83 @@ For services hosted at domains owned by Replicated, the table below includes a l
 
 For third-party services hosted at domains not owned by Replicated, the table below lists the required domains. Consult the third-party's documentation for the IP address range for each domain, as needed. 
 
-| Host   | Embedded Cluster | KOTS Existing Cluster | kURL Clusters | Description |
-|--------|------------------|-------------------|-------------------|-------------|
-| Docker Hub    | Not Required | Required    | Required    | Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.` |
-| `replicated.app`  | Required | Required  | Required | <p>Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p> <p>For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.</p> |
-| `proxy.replicated.com` | Required | Required&#42;| Required&#42;| <p>Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p> <p>For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.</p> |
-| `registry.replicated.com` | Required&#42;&#42; | Required&#42;&#42;         | Required&#42;&#42;            | <p>Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.</p><p> For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.</p>
-| `kots.io`              | Not Required | Required     | Not Required | Requests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.|
-| `github.com `          | Not Required | Required     | Not Required | Requests are made to this domain when installing the Replicated KOTS CLI. For information about retrieving GitHub IP addresses, see [About GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) in the GitHub documentation. |
-| `k8s.kurl.sh`<br/>`s3.kurl.sh`    | Not Required | Not Required | Required     | <p>kURL installation scripts and artifacts are served from [kurl.sh](https://kurl.sh). An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p> For the range of IP addresses for `k8s.kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L34-L39) in GitHub.</p><p> The range of IP addresses for `s3.kurl.sh` are the same as IP addresses for the `kurl.sh` domain. For the range of IP address for `kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L28-L31) in GitHub.</p> |
-| `amazonaws.com`  | Not Required | Not Required    | Required        | `tar.gz` packages are downloaded from Amazon S3 during installations with kURL. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) in the AWS documentation.|
+<table>
+    <tr>
+        <th width="10%">Host</th>
+        <th width="20%">Embedded Cluster</th>
+        <th width="20%">Helm</th>
+        <th width="20%">KOTS Existing Cluster</th>
+        <th width="20%">kURL</th>
+        <th width="10%">Description</th>
+    </tr>
+    <tr>
+        <td>Docker Hub</td>
+        <td>Not Required</td>
+        <td>Not Required</td>
+        <td>Required</td>
+        <td>Required</td>
+        <td>Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `*.docker.io`, and `*.docker.com.`</td>
+    </tr>
+    <tr>
+        <td>`replicated.app`</td>
+        <td>Required</td>
+        <td>Required&#42;&#42;&#42;</td>
+        <td>Required</td>
+        <td>Required</td>
+        <td><p>Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.</p></td>
+    </tr>
+    <tr>
+        <td>`proxy.replicated.com`</td>
+        <td>Required</td>
+        <td>Required</td>
+        <td>Required&#42;</td>
+        <td>Required&#42;</td>
+        <td><p>Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.</p></td>
+    </tr>
+    <tr>
+        <td>`registry.replicated.com`</td>
+        <td>Required&#42;&#42;</td>
+        <td>Required</td>
+        <td>Required&#42;&#42;</td>
+        <td>Required&#42;&#42;</td>
+        <td><p>Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.</p><p> For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.</p></td>
+    </tr>
+    <tr>
+        <td>`kots.io`</td>
+        <td>Not Required</td>
+        <td>Not Required</td>
+        <td>Required</td>
+        <td>Not Required</td>
+        <td>Requests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</td>
+    </tr>
+    <tr>
+        <td>`github.com`</td>
+        <td>Not Required</td>
+        <td>Not Required</td>
+        <td>Required</td>
+        <td>Not Required</td>
+        <td>Requests are made to this domain when installing the Replicated KOTS CLI. For information about retrieving GitHub IP addresses, see [About GitHub&#39;s IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) in the GitHub documentation.</td>
+    </tr>
+    <tr>
+        <td><p>`k8s.kurl.sh`</p><p>`s3.kurl.sh`</p></td>
+        <td>Not Required</td>
+        <td>Not Required</td>
+        <td>Not Required</td>
+        <td>Required</td>
+        <td><p>kURL installation scripts and artifacts are served from [kurl.sh](https://kurl.sh). An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p> For the range of IP addresses for `k8s.kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L34-L39) in GitHub.</p><p> The range of IP addresses for `s3.kurl.sh` are the same as IP addresses for the `kurl.sh` domain. For the range of IP address for `kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L28-L31) in GitHub.</p></td>
+    </tr>
+    <tr>
+        <td>`amazonaws.com`</td>
+        <td>Not Required</td>
+        <td>Not Required</td>
+        <td>Not Required</td>
+        <td>Required</td>
+        <td>`tar.gz` packages are downloaded from Amazon S3 during installations with kURL. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) in the AWS documentation.</td>
+    </tr>
+</table>
 
-&#42; Required only if the application uses the Replicated proxy registry. Contact your software vendor for more information.
+&#42; Required only if the application uses the [Replicated proxy registry](/vendor/private-images-about).
 
-&#42;&#42; Required only if the application uses the Replicated registry. Contact your software vendor for more information.
\ No newline at end of file
+&#42;&#42; Required only if the application uses the [Replicated registry](/vendor/private-images-replicated).
+
+&#42;&#42;&#42; Required only if the [Replicated SDK](/vendor/replicated-sdk-overview) if included as a dependency of the application Helm chart.
\ No newline at end of file
diff --git a/docs/vendor/install-with-helm.md b/docs/vendor/install-with-helm.mdx
similarity index 65%
rename from docs/vendor/install-with-helm.md
rename to docs/vendor/install-with-helm.mdx
index 477d87f648..ad8deb9792 100644
--- a/docs/vendor/install-with-helm.md
+++ b/docs/vendor/install-with-helm.mdx
@@ -1,4 +1,5 @@
 import Prerequisites from "../partials/helm/_helm-install-prereqs.mdx"
+import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx"
 
 # Installing with Helm
 
@@ -10,6 +11,31 @@ Before you install, complete the following prerequisites:
 
 <Prerequisites/>
 
+## Firewall Openings for Online Installations with Helm {#firewall}
+
+<FirewallOpeningsIntro/>
+
+<table>
+  <tr>
+      <th width="50%">Domain</th>
+      <th>Description</th>
+  </tr>
+  <tr>
+      <td>`replicated.app` &#42;</td>
+      <td><p>Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.</p></td>
+  </tr>
+  <tr>
+      <td>`registry.replicated.com`</td>
+      <td><p>Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.</p></td>
+  </tr>
+  <tr>
+      <td>`proxy.replicated.com`</td>
+      <td><p>Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.</p><p>For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.</p></td>
+  </tr>
+</table>
+
+&#42; Required only if the [Replicated SDK](/vendor/replicated-sdk-overview) is included as a dependency of the application Helm chart.
+
 ## Install
 
 To install a Helm chart:

Domain	Description
Docker Hub	Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `.docker.io`, and `.docker.com.`
`proxy.replicated.com` *	Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.
`replicated.app`	Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.
`registry.replicated.com` **	Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA. For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.
`kots.io`	Requests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.
`github.com`	Requests are made to this domain when installing the Replicated KOTS CLI. For information about retrieving GitHub IP addresses, see [About GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) in the GitHub documentation.
Host	Embedded Cluster	Helm	KOTS Existing Cluster	kURL	Description
Docker Hub	Not Required	Not Required	Required	Required	Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service are `index.docker.io`, `cdn.auth0.com`, `.docker.io`, and `.docker.com.`
`replicated.app`	Required	Required***	Required	Required	Upstream application YAML and metadata is pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub.
`proxy.replicated.com`	Required	Required	Required*	Required*	Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub.
`registry.replicated.com`	Required**	Required	Required**	Required**	Some applications host private images in the Replicated registry at this domain. The on-prem docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc which is headquartered in Los Angeles, CA. For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub.
`kots.io`	Not Required	Not Required	Required	Not Required	Requests are made to this domain when installing the Replicated KOTS CLI. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.
`github.com`	Not Required	Not Required	Required	Not Required	Requests are made to this domain when installing the Replicated KOTS CLI. For information about retrieving GitHub IP addresses, see [About GitHub's IP addresses](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses) in the GitHub documentation.
`k8s.kurl.sh` `s3.kurl.sh`	Not Required	Not Required	Not Required	Required	kURL installation scripts and artifacts are served from [kurl.sh](https://kurl.sh). An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. For the range of IP addresses for `k8s.kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L34-L39) in GitHub. The range of IP addresses for `s3.kurl.sh` are the same as IP addresses for the `kurl.sh` domain. For the range of IP address for `kurl.sh`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L28-L31) in GitHub.
`amazonaws.com`	Not Required	Not Required	Not Required	Required	`tar.gz` packages are downloaded from Amazon S3 during installations with kURL. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#aws-ip-download) in the AWS documentation.