Network Enforcement Guide

Route all AI agent traffic through Tork governance using your existing infrastructure.

Overview

Tork operates as an application-layer governance gateway. Every AI request your agents make is checked for PII, policy compliance, and security before reaching the AI provider.

For complete enforcement, configure your network infrastructure to route AI provider traffic through Tork. This ensures no agent can bypass governance by calling AI APIs directly.

Defense in Depth
Network enforcement is optional but recommended. Even without it, Tork's Shadow AI Discovery module detects ungoverned calls and alerts your security team.

AWS VPC Egress Rules

Use security group rules to restrict agent egress traffic to only the Tork API. This prevents agents from calling OpenAI, Anthropic, or other AI providers directly. Security groups are allow-lists with no deny rules, so the block is achieved by permitting HTTPS egress only to Tork's addresses and never to 0.0.0.0/0.

```hcl
# Terraform: AWS security groups are allow-lists with no deny rules, so
# "blocking" direct access to AI providers means NOT allowing broad HTTPS
# egress. Terraform removes AWS's default allow-all egress rule from an
# aws_security_group that declares no inline egress block, which is what
# leaves this group closed except for the single rule below.
resource "aws_security_group" "agents" {
  name        = "ai-agents"
  description = "AI agent egress: Tork governance API only"
  vpc_id      = var.vpc_id  # assumed to be declared elsewhere in your module
}

# Allow only Tork API egress (the sole HTTPS egress rule on this group)
resource "aws_security_group_rule" "allow_tork" {
  type              = "egress"
  security_group_id = aws_security_group.agents.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["76.76.21.0/24"]  # Vercel edge IPs
  description       = "Allow Tork governance API"
}
```

IP Ranges
Replace CIDR blocks with Tork's current IP ranges. Contact support@tork.network for dedicated IP allocation on Enterprise plans.

Cloudflare WAF / Gateway

If you use Cloudflare Gateway or Zero Trust, create a policy that blocks direct access to AI provider domains. All AI traffic is then forced through Tork's governance layer.

```json
{
  "name": "Block Direct AI API Access",
  "conditions": [
    {
      "type": "traffic",
      "expression": "any(http.request.full_uri[*] contains \"api.openai.com\") or any(http.request.full_uri[*] contains \"api.anthropic.com\") or any(http.request.full_uri[*] contains \"generativelanguage.googleapis.com\")"
    }
  ],
  "action": "block",
  "description": "Force all AI traffic through Tork governance gateway"
}
```

You can also add rules for other AI providers: api.cohere.ai, api.mistral.ai, api.together.xyz.

Docker / Kubernetes Network Policy

Use a Kubernetes NetworkPolicy to restrict pod egress from your AI agent namespace. Only DNS and Tork API traffic are allowed. Note that the policy covers only pods carrying the app: ai-agent label; a pod in the namespace without that label keeps unrestricted egress, so label every agent pod or use an empty podSelector to cover the whole namespace.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: enforce-tork-governance
  namespace: ai-agents
spec:
  podSelector:
    matchLabels:
      app: ai-agent
  policyTypes:
    - Egress
  egress:
    # Allow DNS to the cluster resolver only (UDP and TCP; large responses fall back to TCP)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow Tork API only. Replace the CIDR with Tork's current IP ranges
    # (see the IP Ranges note above). A 0.0.0.0/0 block here would let agents
    # reach any HTTPS endpoint, including AI providers directly.
    - to:
        - ipBlock:
            cidr: 76.76.21.0/24
      ports:
        - protocol: TCP
          port: 443
```

Docker Compose
For Docker Compose deployments, use network_mode or iptables rules on the host to achieve the same egress restriction.
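To see the difference between the wide-open and the restricted ipBlock before a policy is applied, here is an added example (not Tork's or Kubernetes' code) that models NetworkPolicy egress semantics in Python and evaluates a weak and a hardened egress section against a few constructed destinations. The policy dicts mirror the YAML above; the 203.0.113.10 provider address and 10.96.0.10 kube-dns address are constructed samples, and 76.76.21.21 is an assumed member of the 76.76.21.0/24 range this guide uses for Tork. The broad-CIDR check at the end catches the same 0.0.0.0/0 mistake in a security group rule from the AWS section.

```python
"""Static egress-policy check for a Kubernetes NetworkPolicy (added example).

Illustrative code, not part of Tork or Kubernetes. It models NetworkPolicy
egress semantics closely enough to answer two questions before the policy is
applied: which destinations a selected pod may reach, and whether any ipBlock
peer is broad enough to let a pod call an AI provider directly.
Selector labels on namespaceSelector/podSelector peers are not evaluated
(there is no cluster to query); such peers simply match in-cluster destinations.
"""
import ipaddress
from dataclasses import dataclass

# Egress sections as plain dicts (constructed; the structure the guide's YAML
# yields after parsing). WEAK uses 0.0.0.0/0, HARDENED uses the Tork range.
WEAK_EGRESS = [
    {"to": [{"namespaceSelector": {}}],
     "ports": [{"protocol": "UDP", "port": 53}]},
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
     "ports": [{"protocol": "TCP", "port": 443}]},
]
HARDENED_EGRESS = [
    {"to": [{"namespaceSelector": {}}],
     "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
    {"to": [{"ipBlock": {"cidr": "76.76.21.0/24"}}],
     "ports": [{"protocol": "TCP", "port": 443}]},
]


@dataclass(frozen=True)
class Destination:
    name: str
    ip: str
    port: int
    protocol: str = "TCP"
    in_cluster: bool = False  # True for cluster-internal services such as kube-dns


# Constructed sample destinations. 203.0.113.0/24 is a documentation range
# standing in for a public AI provider address; 10.96.0.10 stands in for kube-dns.
DESTINATIONS = [
    Destination("kube-dns", "10.96.0.10", 53, "UDP", in_cluster=True),
    Destination("governance.tork.network", "76.76.21.21", 443),
    Destination("api.openai.com (direct)", "203.0.113.10", 443),
]


def peer_matches(peer: dict, dest: Destination) -> bool:
    """Evaluate one entry of a rule's `to` list against a destination."""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        addr = ipaddress.ip_address(dest.ip)
        if addr not in ipaddress.ip_network(block["cidr"]):
            return False
        # `except` carves holes out of the cidr
        return not any(addr in ipaddress.ip_network(e) for e in block.get("except", []))
    # namespaceSelector / podSelector peers only ever match in-cluster pods
    return dest.in_cluster


def port_matches(ports: list, dest: Destination) -> bool:
    """An omitted `ports` list means every port; otherwise protocol and port must match."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == dest.protocol and p.get("port") == dest.port
               for p in ports)


def is_allowed(egress: list, dest: Destination) -> bool:
    """Egress rules are OR'd; within a rule, a `to` peer AND a port must match."""
    for rule in egress:
        peers = rule.get("to", [])
        to_ok = True if not peers else any(peer_matches(p, dest) for p in peers)
        if to_ok and port_matches(rule.get("ports", []), dest):
            return True
    return False  # the policy selects the pod, so anything unmatched is dropped


def broad_ip_blocks(egress: list, max_prefix: int = 8) -> list:
    """Return ipBlock cidrs wider than a /max_prefix (e.g. 0.0.0.0/0)."""
    findings = []
    for rule in egress:
        for peer in rule.get("to", []):
            cidr = peer.get("ipBlock", {}).get("cidr")
            if cidr and ipaddress.ip_network(cidr).prefixlen < max_prefix:
                findings.append(cidr)
    return findings


def evaluate(egress: list) -> dict:
    """Map each sample destination name to True (reachable) or False (dropped)."""
    return {d.name: is_allowed(egress, d) for d in DESTINATIONS}


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_EGRESS), ("hardened", HARDENED_EGRESS)):
        print(label, evaluate(policy), "broad cidrs:", broad_ip_blocks(policy))
```

With the weak section every destination is reachable, including the provider address; with the hardened section only kube-dns and the Tork address are, and the broad-CIDR check is empty.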

Proxy Configuration

Configure agents to use Tork as an HTTPS proxy. All outbound AI API traffic is then routed through the governance gateway. Because a process can clear or override proxy environment variables, treat proxy mode as the routing mechanism and keep the egress rules above in place as the enforcement layer.

```bash
# Set for all agent processes. Most HTTP clients read the upper-case names,
# but several (curl, Python requests, among others) also read the lower-case
# variants, so export both to keep a client from silently ignoring the proxy.
export HTTPS_PROXY=https://governance.tork.network
export https_proxy="$HTTPS_PROXY"
# Hosts that must not be proxied: internal services and the local loopback
export NO_PROXY=internal.company.com,localhost,127.0.0.1
export no_proxy="$NO_PROXY"

# Or per-agent in Docker
docker run -e HTTPS_PROXY=https://governance.tork.network \
           -e NO_PROXY=internal.company.com,localhost,127.0.0.1 my-agent
```

Enterprise Feature
Proxy mode is available on Enterprise plans. Contact sales@tork.network for configuration details.

Verification with Shadow AI Discovery

Even without network enforcement, Tork's built-in Shadow AI Discovery (Bypass Detection) continuously scans for ungoverned AI API calls:

  • Detects direct calls to OpenAI, Anthropic, Google AI, and other providers that bypassed Tork
  • Alerts your security team via notification routing when ungoverned activity is found
  • Reports appear in the admin dashboard under Shadow AI Discovery
  • Classifies agents as active, dormant, or declining based on governance coverage

View your current coverage in the admin dashboard. Shadow AI Discovery runs automatically — no configuration required.
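Shadow AI Discovery reports bypasses after the fact; a direct check from inside the agent environment confirms the egress rules before the first agent runs. The following is an added example, not Tork's own tooling: it attempts a TCP connection to port 443 for the governance endpoint and each provider host named in this guide and turns the results into findings (the governance endpoint must be open, every provider host must not be). The connector is injectable so the logic runs without network access; the real connector is the standard library's socket.create_connection.

```python
"""Egress enforcement probe (added example, not part of Tork).

Run from inside the agent environment after applying egress rules. For each
host it attempts a TCP connection on port 443 and reports whether a direct
path exists. Direct AI provider hosts should be blocked; the governance
endpoint should be reachable.
"""
import socket
from typing import Callable, Dict, List

# Hosts named in this guide. The governance endpoint is the only one expected to be open.
GOVERNANCE_HOST = "governance.tork.network"
PROVIDER_HOSTS = [
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
    "api.cohere.ai",
    "api.mistral.ai",
    "api.together.xyz",
]

# A connector takes (host, port, timeout) and raises OSError when no path exists.
Connector = Callable[[str, int, float], None]


def tcp_connect(host: str, port: int, timeout: float) -> None:
    """Real connector: raises OSError if the TCP connection cannot be established."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def probe(hosts: List[str], connect: Connector = tcp_connect,
          port: int = 443, timeout: float = 3.0) -> Dict[str, str]:
    """Return host -> "open" | "blocked" | "unresolved"."""
    results: Dict[str, str] = {}
    for host in hosts:
        try:
            connect(host, port, timeout)
            results[host] = "open"
        except socket.gaierror:
            # Name resolution failed: egress may be cut at the resolver or the
            # name sinkholed. Either way no direct path was found.
            results[host] = "unresolved"
        except OSError:
            results[host] = "blocked"
    return results


def findings(results: Dict[str, str]) -> List[str]:
    """Translate probe results into enforcement findings (empty list = enforced)."""
    out: List[str] = []
    for host, state in results.items():
        if host == GOVERNANCE_HOST and state != "open":
            out.append(f"governance endpoint {host} is {state}; agents cannot reach Tork")
        elif host != GOVERNANCE_HOST and state == "open":
            out.append(f"{host} reachable directly; governance can be bypassed")
    return out


def run(connect: Connector = tcp_connect) -> List[str]:
    """Probe the governance endpoint and every provider host; return findings."""
    return findings(probe([GOVERNANCE_HOST] + PROVIDER_HOSTS, connect))


if __name__ == "__main__":
    for line in run() or ["egress enforcement verified: only the governance endpoint is open"]:
        print(line)
```

A run that prints only the verification line means the egress layer is doing its job; any other line names either a provider host that is still reachable directly or a governance endpoint that the agents cannot reach, which is the other failure mode to catch before deployment.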

Defense-in-Depth Recommendation

For complete AI security coverage, combine network enforcement with Tork's governance, detection, and audit capabilities:

Layer     | Tool                      | Purpose
----------|---------------------------|----------------------------------
Network   | Your VPC / Firewall       | Block direct AI API access
Gateway   | Tork Governance API       | Policy enforcement, PII redaction
Detection | Tork Shadow AI Discovery  | Find ungoverned agents
Audit     | Tork Blockchain Anchoring | Immutable compliance receipts

Tork provides governance, detection, and audit. Your infrastructure team provides network enforcement. Together, this delivers complete AI security coverage.