diff --git a/docs/guides/integration-options-private-operator.md b/docs/guides/integration-options-private-operator.md index 266612fd9..34ac2fccf 100644 --- a/docs/guides/integration-options-private-operator.md +++ b/docs/guides/integration-options-private-operator.md @@ -136,3 +136,7 @@ There is no functional difference between the Private Operator versions. | GCP Confidential Space | [Private Operator for GCP integration guide](../guides/operator-private-gcp-confidential-space.md) | Information for setting up the UID2 Operator Service in [Confidential Space](https://cloud.google.com/confidential-computing#confidential-space), a confidential computing option from [Google Cloud](https://cloud.google.com/docs/overview/) Platform. | | Azure | [Private Operator for Azure integration guide](../guides/operator-guide-azure-enclave.md) | Instructions for setting up the UID2 Operator Service in an instance of Confidential Containers, a confidential computing option from Microsoft Azure. | | AKS | [Private Operator for AKS integration guide](../guides/operator-guide-aks-enclave.md) | Instructions for setting up the UID2 Operator Service in an instance of AKS, a confidential computing solution that runs on virtual nodes on Microsoft Azure container instances and uses Kubernetes. | + +:::note +All Private Operators must be allowed to access the destinations in [Private Operator network egress](../ref-info/operator-private-network-requirements.md). If your organization is secured with a firewall or proxy, these domains must be added to the allowlist. +::: diff --git a/docs/guides/operator-guide-aks-enclave.md b/docs/guides/operator-guide-aks-enclave.md index c44a7b9f7..c36fd09c7 100644 --- a/docs/guides/operator-guide-aks-enclave.md +++ b/docs/guides/operator-guide-aks-enclave.md 
@@ -254,6 +254,10 @@ az network vnet subnet update \ --nat-gateway ${NAT_GATEWAY_NAME} ``` +:::note +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Private Operator network egress](../ref-info/operator-private-network-requirements.md). +::: + #### Get the AKS Subnet ID To create the AKS subnet ID, run the following command, using your own values as needed: diff --git a/docs/guides/operator-guide-aws-marketplace.md b/docs/guides/operator-guide-aws-marketplace.md index 739ac4123..9ea1b6b66 100644 --- a/docs/guides/operator-guide-aws-marketplace.md +++ b/docs/guides/operator-guide-aws-marketplace.md @@ -154,7 +154,11 @@ To avoid passing certificates associated with your domain into the enclave, inbo | ----------- | --------- | -------- | ------ | | 80 | Inbound | HTTP | Serves all UID2 APIs, including the healthcheck endpoint `/ops/healthcheck`.
When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Checking UID2 Operator status](#checking-uid2-operator-status). | | 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). | -| 443 | Outbound | HTTPS | Calls the UID2 Core Service, AWS S3, to download files for opt-out data and key store. | +| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. | + +:::note +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Private Operator network egress](../ref-info/operator-private-network-requirements.md). +::: ### VPC chart diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index 6e43ad28e..8d5106441 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -330,7 +330,11 @@ The following table provides information about supported protocols. | ----------- | --------- | -------- | ------ | | 80 | Inbound | HTTP | Serves all UID2 APIs, including the health check endpoint `/ops/healthcheck`.
When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Running the health check](#running-the-health-check). | | 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). For details, see [Scraping metrics](#scraping-metrics). | -| 443 | Outbound | HTTPS | Calls the UID2 Core Service and Azure Blob Storage, to download files for opt-out data and key store. | +| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. | + +:::note +If your environment restricts outbound network traffic, you must allow outbound access to the destinations listed in [Private Operator network egress](../ref-info/operator-private-network-requirements.md). +::: ## Upgrading diff --git a/docs/guides/operator-private-gcp-confidential-space.md b/docs/guides/operator-private-gcp-confidential-space.md index 4981d9abb..1d2d7ecae 100644 --- a/docs/guides/operator-private-gcp-confidential-space.md +++ b/docs/guides/operator-private-gcp-confidential-space.md @@ -90,6 +90,8 @@ Before choosing your deployment option, complete these Google Cloud setup steps: 1. Enable egress rule. If your VPC infrastructure only allows egress to known endpoints, you will need to enable an egress rule to allow the operator to retrieve the certificates required for attestation. To enable this, follow the details in this document from Google: [VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/supported-products#table_confidential_space). + You must also allow outbound access to the UID2 service and storage destinations that the operator depends on. For the full list, see [Private Operator network egress](../ref-info/operator-private-network-requirements.md). + ### UID2 Operator account setup Ask your UID2 contact to register your organization as a UID2 Operator. If you're not sure who to ask, see [Contact info](../getting-started/gs-account-setup.md#contact-info). 
diff --git a/docs/ref-info/operator-private-network-requirements.md b/docs/ref-info/operator-private-network-requirements.md new file mode 100644 index 000000000..0012090d8 --- /dev/null +++ b/docs/ref-info/operator-private-network-requirements.md 
@@ -0,0 +1,39 @@ +--- +title: Private Operator network egress +sidebar_label: Private Operator network egress +pagination_label: Private Operator network egress +description: Outbound network destinations a Private Operator must reach, for configuring egress firewall allowlists. +hide_table_of_contents: false +sidebar_position: 16 +displayed_sidebar: docs +--- + +import Link from '@docusaurus/Link'; + +# Private Operator network egress + +A Private Operator connects to the UID2 Core and Opt-Out services, and downloads data files directly from AWS S3 using URLs that the Core service provides. For details, see [Private Operator workflow](../guides/integration-options-private-operator.md#private-operator-workflow). + +If your environment restricts outbound network traffic, you must allow outbound HTTPS (port 443) to all of the destinations below, or the operator cannot start. + +## Integration +The following table lists the hostnames you must allow for the integration environment. +| Hostname | Purpose | +| --- | --- | +| `core-integ.uidapi.com` | Core Service (attestation, keys, salts, configuration) | +| `optout-integ.uidapi.com` | Opt-Out Service | +| `uid2-core-integ-store.s3.us-east-2.amazonaws.com` | Core data storage | +| `uid2-optout-integ-store.s3.us-east-2.amazonaws.com` | Opt-out data storage | + +## Production +The following table lists the hostnames you must allow for the production environment. 
+| Hostname | Purpose | +| --- | --- | +| `core-prod.uidapi.com` | Core Service (attestation, keys, salts, configuration) | +| `optout-prod.uidapi.com` | Opt-Out Service | +| `uid2-core-prod-store.s3.us-east-2.amazonaws.com` | Core data storage | +| `uid2-core-prod-store-replica.s3.us-west-2.amazonaws.com` | Core data storage (failover replica) | +| `uid2-optout-prod-store.s3.us-east-2.amazonaws.com` | Opt-out data storage | +| `uid2-optout-prod-store-replica.s3.us-west-2.amazonaws.com` | Opt-out data storage (failover replica) | + +Allow these by hostname rather than by IP address, because the underlying addresses might change. diff --git a/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md b/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md new file mode 100644 index 000000000..0012090d8 --- /dev/null +++ b/i18n/ja/docusaurus-plugin-content-docs/current/ref-info/operator-private-network-requirements.md 
@@ -0,0 +1,39 @@ +--- +title: Private Operator network egress +sidebar_label: Private Operator network egress +pagination_label: Private Operator network egress +description: Outbound network destinations a Private Operator must reach, for configuring egress firewall allowlists. +hide_table_of_contents: false +sidebar_position: 16 +displayed_sidebar: docs +--- + +import Link from '@docusaurus/Link'; + +# Private Operator network egress + +A Private Operator connects to the UID2 Core and Opt-Out services, and downloads data files directly from AWS S3 using URLs that the Core service provides. For details, see [Private Operator workflow](../guides/integration-options-private-operator.md#private-operator-workflow). + +If your environment restricts outbound network traffic, you must allow outbound HTTPS (port 443) to all of the destinations below, or the operator cannot start. + +## Integration +The following table lists the hostnames you must allow for the integration environment. +| Hostname | Purpose | +| --- | --- | +| `core-integ.uidapi.com` | Core Service (attestation, keys, salts, configuration) | +| `optout-integ.uidapi.com` | Opt-Out Service | +| `uid2-core-integ-store.s3.us-east-2.amazonaws.com` | Core data storage | +| `uid2-optout-integ-store.s3.us-east-2.amazonaws.com` | Opt-out data storage | + +## Production +The following table lists the hostnames you must allow for the production environment. 
+| Hostname | Purpose | +| --- | --- | +| `core-prod.uidapi.com` | Core Service (attestation, keys, salts, configuration) | +| `optout-prod.uidapi.com` | Opt-Out Service | +| `uid2-core-prod-store.s3.us-east-2.amazonaws.com` | Core data storage | +| `uid2-core-prod-store-replica.s3.us-west-2.amazonaws.com` | Core data storage (failover replica) | +| `uid2-optout-prod-store.s3.us-east-2.amazonaws.com` | Opt-out data storage | +| `uid2-optout-prod-store-replica.s3.us-west-2.amazonaws.com` | Opt-out data storage (failover replica) | + +Allow these by hostname rather than by IP address, because the underlying addresses might change. diff --git a/sidebars.js b/sidebars.js index d23c8b9d0..9a9ceb03e 100644 --- a/sidebars.js +++ b/sidebars.js @@ -378,6 +378,7 @@ const fullSidebar = [ 'ref-info/ref-how-uid-is-created', 'ref-info/ref-server-side-token-generation', 'ref-info/ref-integration-sso-providers', + 'ref-info/operator-private-network-requirements', 'ref-info/deprecation-schedule', ], },
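Review bot: in the integration-options-private-operator.md hunk, the new note says "All Private Operators must be allowed to access the destinations" and then "these domains must be added to the allowlist", which reads as policy rather than as a firewall requirement and uses "domains" where the linked page uses "hostnames". Suggest "Every Private Operator needs outbound HTTPS (port 443) access to the hostnames listed in [Private Operator network egress](...). If a firewall or proxy restricts egress, add those hostnames to its allowlist." Naming the port here saves the reader a round trip to the reference page when writing the rule.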
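Review bot: in the operator-guide-aws-marketplace.md hunk, the corrected row "| 443 | Outbound | HTTPS | Calls the UID2 Core Service and AWS S3, to download files for opt-out data and key store. |" still omits the Opt-Out Service, which the new reference page lists as a separate outbound destination (`optout-integ.uidapi.com`, `optout-prod.uidapi.com`). Suggest "Calls the UID2 Core Service, the UID2 Opt-Out Service, and AWS S3 ..." so the table and the egress page describe the same set of peers; otherwise a reader who builds rules from this table alone blocks opt-out traffic.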
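Review bot: in the operator-guide-azure-enclave.md hunk, replacing "Azure Blob Storage" with "AWS S3" in the port 443 row is a substantive correction of where an Azure-hosted operator pulls its data from, but nothing in the hunk tells the Azure reader why. Suggest one sentence next to the row, matching the new reference page: "Data files are downloaded from AWS S3 regardless of the cloud the operator runs in; the download URLs are provided by the Core Service." Azure deployments that scope storage egress to Azure endpoints only will otherwise fail on the S3 fetch with no hint in this guide. The row also has the same gap as the AWS table: it names Core and S3 but not the Opt-Out Service that the egress page lists.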
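Review bot: in the new docs/ref-info/operator-private-network-requirements.md, the sentence "you must allow outbound HTTPS (port 443) to all of the destinations below, or the operator cannot start" is too strong for the replica rows and too narrow about scope. The `uid2-*-prod-store-replica.s3.us-west-2.amazonaws.com` rows are labelled "failover replica", so blocking them degrades failover rather than startup, and the list covers only UID2-owned hostnames while the GCP hunk in this same change separately requires egress for attestation certificates. Suggest stating the scope explicitly, for example "This page lists UID2 destinations only; the attestation endpoints of your cloud platform must also be reachable, as described in the platform-specific guide." Two smaller items: `import Link from '@docusaurus/Link';` is unused and can be dropped, and a blank line between each "The following table lists ..." sentence and the `| Hostname | Purpose |` header row keeps the table from being parsed as a continuation of the paragraph. On the closing advice to allow by hostname rather than IP: that is only possible on an HTTP(S) proxy or an SNI-aware egress firewall. For deployments limited to L3/L4 rules, the page could point at the AWS-published IP ranges (ip-ranges.amazonaws.com, filtered to service S3 in us-east-2 and us-west-2) for the bucket rows, with the caveat that those ranges change and the rules must be refreshed.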
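Review bot: the i18n/ja copy of operator-private-network-requirements.md is byte-identical to the English file (both index lines show blob 0012090d8), so it is an untranslated duplicate rather than a Japanese page. Either leave it out, if the site falls back to the default locale for docs that have no translation, or mark it clearly as pending translation; an English file under i18n/ja otherwise looks translated and will not show up in a missing-translation check, and the two copies will drift on the next hostname change.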