Network Requirements

At a high level, the following are the rules for GRAX network access:

  1. GRAX instance talks to Salesforce
  2. GRAX instance talks to hq.grax.com
  3. GRAX instance talks to Database
  4. GRAX instance talks to Storage
  5. End users talk to GRAX instance APIs
  6. (Optional) Salesforce talks to GRAX instance
  7. hq.grax.com talks to Salesforce

Communication Details

Best practices suggest exposing your GRAX instance to public traffic via an Application Load Balancer of some form with additional filtering for security. However, GRAX doesn't support API gateways that modify payloads, terminate or modify authentication, enforce third-party schemas/protocols, or filter requests based on path, payload, or parameters. GRAX doesn't guarantee alignment with any published API standard, nor promise stability of the API interface for external use at this time.

GRAX Simplified Network Diagram

Egress Network Connections

The following are descriptions of the rules related to traffic that flows outward from the GRAX instance.

GRAX -> Salesforce

To query, update, or insert information in Salesforce, GRAX uses the public Salesforce REST and Composite APIs. Allow, at a minimum, at least one static IP for your GRAX app to communicate out to Salesforce.

This may include allowing SFDC Login Access from this IP, as well as allowing the traffic to leave the VPC or other infrastructure network.


For software updates, telemetry, and license monitoring, GRAX communicates with GRAX HQ. Allow the GRAX app to access hq.grax.com over HTTPS on port 443. A static IP for this communication isn't currently available. For more information on this communication, see here.

GRAX -> Database

For metadata storage, search indexing, and storage optimizations, GRAX uses Postgres. Allow the GRAX app to access your configured Postgres database.

GRAX -> Storage

For longterm storage, GRAX uses blob storage platforms. Allow the GRAX app to access your chosen blob storage bucket/platform.

Ingress Network Connections

The following are descriptions of the rules related to traffic that flows towards the GRAX instance.

End Users -> GRAX

End users of GRAX access the GRAX app via a web browser. This traffic originates from their local IPs unless using a VPN or proxy. To allow your users to use GRAX, allow their IPs to hit the public endpoint for your GRAX app. If all of your users share a network segment (VPN, corporate network, etc.), allowing that network segment access may be sufficient.

(Optional) Salesforce -> GRAX

Lightning Web Components and Embedded Pages are all driven by Salesforce-to-GRAX traffic. Salesforce publishes their global IP ranges. Allow, at a minimum, the IP ranges for your Salesforce instance region to access the GRAX app API.

NOTE: this traffic is optional based on feature usage. If your use case for GRAX doesn't necessitate using LWC or iFrames, Salesforce won't make requests to your GRAX app.

External Network Connections

The following are descriptions of the rules related to traffic that flows entirely externally from the GRAX instance network, but impacts the GRAX application.

GRAX HQ -> Salesforce

GRAX HQ's static egress IPs appear in the Integration User's login history after connecting the app to Salesforce due to the nature of the GRAX OAuth process. Please add to your whitelist/allowlist addresses on the Integration User's profile to allow the GRAX app to connect to your org. In addition, you need to add the static IP addresses for each of your specific environments to ensure there are no IP restrictions.