Architecture & Network
Purpose
This document provides administrators with connectivity prerequisites and a detailed view of how Visual Expert AI requests flow through the system. It focuses on technical architecture and network requirements.
For security policies and controls, please refer to:
High-Level Architecture
System Actors
- VE Client (desktop or web application): The Visual Expert interface, where you trigger AI analysis requests. The client sends a predefined AI macro (your question plus a relevant code excerpt) to VE Cloud.
- VE Cloud (Novalys on Microsoft Azure): The Visual Expert cloud infrastructure hosted by Novalys on Azure. VE Cloud formats your AI request, manages Project Context data, calls the OpenAI API, and returns the AI response.
- AI Sub-processor: Currently OpenAI, accessed via their API. OpenAI provides the AI model that generates responses to your analysis requests.
Request Flow
- VE Client → VE Cloud: Your client sends the question and minimized code excerpt over a TLS-encrypted connection.
- VE Cloud → OpenAI: VE Cloud formats your request and transmits it to OpenAI via API. Inputs/outputs are not used for AI training.
- VE Cloud → VE Client: The AI response is returned to your VE Client and displayed in the interface.
- Context Retention: Project Context data may be retained in VE Cloud and OpenAI to improve future response quality. See Data Protection & Confidentiality for details.
For encryption, isolation model, and access policies, see Security & Admin Hardening.
Network Prerequisites
Required Allow-Listing (Domain)
Visual Expert AI requires outbound HTTPS access to the domain: https://ai.visual-expert.com/. This domain serves as the gateway from VE Cloud to the AI API and must be accessible from systems running Visual Expert clients or web servers.
Protocol & Ports
HTTPS/TLS over TCP port 443 (outbound) is required for:
- Communication from VE Client or VE Web server to VE Cloud
- Communication from VE Cloud to OpenAI API
No inbound ports need to be opened for Visual Expert AI functionality.
DNS Requirements
Corporate DNS infrastructure (or DNS over HTTPS) must resolve the ai.visual-expert.com subdomain for any workstation or server running Visual Expert clients.
Outbound Policy Examples (Illustrative)
Firewall (Egress Rule)
- Action: Allow
- Protocol: TCP
- Port: 443
- Destination: ai.visual-expert.com
- Logging: Session end (recommended for audit purposes)
Proxy Configuration
- Action: Allow CONNECT method
- Destination: ai.visual-expert.com
- Requirement: Preserve TLS certificate chain validation
- Note: Exclude this domain from SSL/TLS interception; the proxy must not break or intercept TLS connections to it
Administrative Controls for AI Usage
Enable/Disable AI by Credits
- Enable AI for specific teams: Allocate VE AI credits to teams or repositories requiring AI-assisted analysis
- Disable AI for specific repositories: Contact Novalys to set VE AI credits to zero for repositories where AI features must not be used
This provides granular control over which parts of your codebase can be analyzed with AI assistance.
Defense-in-Depth Control
You can block outbound traffic to ai.visual-expert.com at your network perimeter to prevent AI traffic during pilot phases, audits, or full AI disablement.
What Is (and Isn't) Sent to AI
Data Transmitted to AI Service
- Your analysis request: The specific question or analysis macro you trigger
- A minimal code excerpt: Only the code fragment strictly necessary to answer your request
Data Not Transmitted to AI Service
- Complete source code repositories or global database dumps
- Production data or business records
- Code or database objects unrelated to the current analysis request
For data processing scope, see Data Protection & Confidentiality. For encryption and isolation, see Security & Admin Hardening.
Troubleshooting (Connectivity)
- Verify outbound connectivity: TCP port 443 to ai.visual-expert.com is allowed through firewall/network devices
- Check proxy configuration:
  - Proxy allows CONNECT method to ai.visual-expert.com
  - TLS certificate chain validation is preserved
  - Proxy does not block/rate-limit connections
- Confirm VE AI credits are available (non-zero)
- Test DNS resolution to ai.visual-expert.com
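The troubleshooting steps above can be run in order from a client machine with the following added example (not Novalys code). It assumes direct or transparently proxied egress rather than an explicit CONNECT proxy, and the inspection CA name is a hypothetical placeholder you replace with your own. A chain that validates but was issued by your own inspection CA means the proxy is still intercepting TLS for this domain.

```python
import socket
import ssl

HOST, PORT = "ai.visual-expert.com", 443  # domain and port from this page

def issuer_name(cert):
    """Issuer organization (or CN) from an ssl.getpeercert() dictionary."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName", "")

def looks_intercepted(cert, inspection_ca_names):
    """True if the leaf was issued by one of your own inspection CAs.
    inspection_ca_names is supplied by you (hypothetical values in the demo)."""
    issuer = issuer_name(cert).lower()
    return any(name.lower() in issuer for name in inspection_ca_names)

def check_endpoint(host=HOST, port=PORT, inspection_ca_names=(), timeout=5.0):
    """Run DNS -> TCP -> TLS checks in order; stop at the first failure."""
    result = {"dns": False, "tcp": False, "tls_valid": False,
              "issuer": None, "intercepted": None, "error": None}
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        result["dns"] = True
    except socket.gaierror as exc:
        result["error"] = f"DNS: {exc}"
        return result
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        result["tcp"] = True
    except OSError as exc:
        result["error"] = f"TCP: {exc}"
        return result
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
        result["tls_valid"] = True
        result["issuer"] = issuer_name(cert)
        result["intercepted"] = looks_intercepted(cert, inspection_ca_names)
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"TLS: {exc}"
        sock.close()
    return result

if __name__ == "__main__":
    # "Example Corp Inspection CA" is a constructed placeholder name.
    for key, value in check_endpoint(
            inspection_ca_names=["Example Corp Inspection CA"]).items():
        print(f"{key:12} {value}")
```

The first stage that fails is named in the `error` field, which maps directly onto the firewall, proxy, and DNS items in the list above.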
Architecture & Network — FAQ
- A1. Which domains must be allow-listed for outbound traffic?
  - You must allow outbound HTTPS traffic to ai.visual-expert.com.
- A2. Which protocol and port are required?
  - HTTPS/TLS over TCP port 443 is required for outbound traffic.
- A3. Which direction do network connections flow during normal operation?
  - All connections are outbound. VE Client connects to VE Cloud over TLS, and VE Cloud connects to OpenAI API over TLS. No inbound connections required.
- A4. What DNS requirements apply to workstations or servers running VE?
  - Corporate DNS infrastructure (or DNS over HTTPS) must resolve subdomains of ai.visual-expert.com.
- A5. What proxy rules are required if we use an HTTP proxy?
  - Proxy must allow CONNECT method to ai.visual-expert.com and preserve TLS certificate chain validation. Do not intercept SSL/TLS.
- A6. How can we disable AI usage during a pilot or audit phase?
  - Request that Novalys set VE AI credits to zero for relevant repositories or teams. Additionally, you can block outbound traffic to ai.visual-expert.com at your network perimeter.
Glossary
- API: Application Programming Interface — protocols for software communication
- DNS: Domain Name System — translates domain names to IP addresses
- DoH: DNS over HTTPS — DNS resolution over encrypted HTTPS connections
- HTTPS: Hypertext Transfer Protocol Secure — HTTP over TLS encryption
- TCP: Transmission Control Protocol — reliable, connection-oriented data transmission
- TLS: Transport Layer Security — cryptographic protocol for secure communication