My NACL and Security Groups do allow 443, so I dont think thats a problem here.
Does ziti-router manage ufw rules on the router host? e.g. my SG rules allow 443, 80 from the world, there is no mention of 8081 in my SG rules, although I do see 8081 in my ufw rules which is the port I see being used by edge router for healthchecks.
Hi Everyone & @av-dev
I believe I understand your issue. The NetFoundry auto registration script will only auto open 443 inbound from the local subnet. If you wish to allow other subnets you would need to add additional firewall rules. Assuming you’d like to add the subnet 192.168.1.0/24, you can use a command like this:
sudo ufw allow from 192.168.1.0/24 to any port 443 proto tcp
aaha! thanks a ton @emoscardini
I was blocked for a day for being “overly enthusiastic!” 
@emoscardini by any chance, does the logic to auto open 443 to local subnet only, driven by “listener” flag in console? When my colleague set up a second router with “listener” on, 443 on that router was open to the world.
Hi @av-dev
The “listener” function is for those whom intent to make the ER they launch publicly accessible.
You can read more about it here: https://support.netfoundry.io/hc/en-us/articles/360034337892-How-to-Register-the-Edge-Router-VM
Hope that helps!