Documentation
Login

Network Requirements

At a high level, the following are the rules for GRAX network access:

  1. GRAX Application talks to Salesforce
  2. GRAX Application talks to hq.grax.com
  3. GRAX Application talks to Database
  4. GRAX Application talks to Storage
  5. End users talk to GRAX Application's APIs
  6. (Optional) Salesforce talks to GRAX Application
  7. hq.grax.com talks to Salesforce

Communication Details

Best practices suggest exposing your GRAX Application to public traffic via an Application Load Balancer of some form with additional filtering for security. However, GRAX doesn't support API gateways that modify payloads, terminate or modify authentication, enforce third-party schemas/protocols, or filter requests based on path, payload, or parameters. GRAX doesn't guarantee alignment with any published API standard, nor promise stability of the API interface for external use at this time.

GRAX Simplified Network Diagram

Egress Network Connections

The following are descriptions of the rules related to traffic that flows outward from the compute resource running your GRAX Application.

GRAX -> Salesforce

To query, update, or insert information in Salesforce, GRAX uses the public Salesforce REST and Composite APIs. Allow, at a minimum, at least one static IP for your GRAX Application to communicate out to Salesforce.

This may include allowing SFDC Login Access from this IP, as well as allowing the traffic to leave the VPC or other infrastructure network.

GRAX -> HQ

For software updates, telemetry, and license monitoring, GRAX communicates with GRAX HQ. Allow the GRAX Application to access hq.grax.com over HTTPS on port 443. A static IP for this communication isn't currently available. For more information on this communication, see here.

GRAX -> Database

For metadata storage, search indexing, and storage optimizations, GRAX uses Postgres. Allow the GRAX Application to access your configured Postgres database.

GRAX -> Storage

For longterm storage, GRAX uses blob storage platforms. Allow the GRAX Application to access your chosen blob storage bucket/platform.

Ingress Network Connections

The following are descriptions of the rules related to traffic that flows towards the compute resource running your GRAX Application.

End Users -> GRAX

End users of GRAX access the GRAX Application via a web browser. This traffic originates from their local IPs unless using a VPN or proxy. To allow your users to use GRAX, allow their IPs to hit the public endpoint for your GRAX Application. If all of your users share a network segment (VPN, corporate network, etc.), allowing that network segment access may be sufficient.

(Optional) Salesforce -> GRAX

Lightning Web Components and Embedded Pages are all driven by Salesforce-to-GRAX traffic. Salesforce publishes their global IP ranges. Allow, at a minimum, the IP ranges for your Salesforce instance region to access the GRAX Application API.

NOTE: this traffic is optional based on feature usage. If your use case for GRAX doesn't necessitate using LWC or iFrames, Salesforce won't make requests to your GRAX Application.

Independent Network Connections

The following are descriptions of the rules related to traffic that flows entirely independently from the compute resource running your GRAX Application, but which may impact its operation.

GRAX HQ -> Salesforce

GRAX HQ's static egress IPs appear in the Integration User's login history after connecting the app to Salesforce due to the nature of the GRAX OAuth process. Please add 3.232.229.75 to your whitelist/allowlist addresses on the Integration User's profile to allow the GRAX Application to connect to your org. In addition, you need to add the static IP addresses for each of your specific environments to ensure there are no IP restrictions.