diff --git a/articles/which-public-resources-to-expose-to-hosts.md b/articles/which-public-resources-to-expose-to-hosts.md
new file mode 100644
index 00000000000..1ebfdaba869
--- /dev/null
+++ b/articles/which-public-resources-to-expose-to-hosts.md
@@ -0,0 +1,39 @@
+# Which public resources to expose to hosts?
+
+Some organizations block all outbound internet traffic by default and only let hosts reach the internet through a VPN or other secure, managed network. If that's your setup, you need to explicitly allow a small set of public resources so hosts can enroll, stay managed by Fleet, receive OS updates, and keep Fleet's agent (fleetd) up to date.
+
+This guide lists those resources. Add them as exceptions in your VPN, proxy, or firewall's allowlist.
+
+## Fleet
+
+- Your Fleet server: Fleet's agent (fleetd) checks in with your Fleet server to run queries and policies, install software, and receive MDM commands. See [Which API endpoints to expose to the public internet?](https://fleetdm.com/guides/what-api-endpoints-to-expose-to-the-public-internet) for the exact paths to allow.
+- `download.fleetdm.com`: Hosts the public fleetd base installers (`.pkg`, `.msi`, `.deb`, and `.rpm`) used to enroll new hosts.
+- `updates.fleetdm.com`: Fleet's [The Update Framework (TUF)](https://theupdateframework.io/) server. Fleetd checks uses this for auto-updates.
+ - If you'd rather not expose this host, run [your own TUF update server](https://fleetdm.com/guides/fleetd-updates) with a Fleet Premium license.
+
+## Apple
+
+If you manage macOS, iOS, or iPadOS hosts, those hosts need direct access to Apple's own services, separate from Fleet's. This is especially true for hosts enrolled with [Automated Device Enrollment (ADE)](https://support.apple.com/guide/deployment/automated-device-enrollment-management-dep73069dd57/web).
+
+Apple maintains the [definitive, current list](https://support.apple.com/en-us/101555). At minimum, allow:
+
+- `*.push.apple.com`: Apple Push Notification service (APNs). Fleet uses this to deliver MDM commands to hosts.
+- `deviceenrollment.apple.com`, `mdmenrollment.apple.com`, and `iprofiles.apple.com`: Deliver enrollment profiles during Automated Device Enrollment.
+- `gdmf.apple.com` and `identity.apple.com`: Device management catalog lookups and APNs certificate requests.
+- `vpp.itunes.apple.com`: Assigning and revoking Apps and Books licenses.
+- The hosts listed under "Device setup" and "Software updates" in [Apple's list](https://support.apple.com/en-us/101555), if you use Fleet to enforce OS updates.
+
+## Microsoft
+
+If you manage Windows hosts, especially ones enrolled with Windows Autopilot, see Microsoft's [Windows Autopilot requirements](https://learn.microsoft.com/en-us/intune/autopilot/networking-requirements) for the hosts Windows needs to reach directly.
+
+## Google
+
+If you manage Android hosts, see Google's [Android Enterprise network requirements](https://support.google.com/android/work/answer/10513641) for the hosts Android needs to reach directly. You'll also need `/api/fleetd/*` exposed on your Fleet server if you [connect end users to Wi-Fi or VPN with a certificate](https://fleetdm.com/guides/connect-end-user-to-wifi-with-certificate).
+
+
+
+
+
+
+