At a high level, the following are the rules for GRAX network access:
- GRAX instance talks to Salesforce
- GRAX instance talks to hq.grax.com
- GRAX instance talks to Database
- GRAX instance talks to Storage
- End users talk to GRAX instance APIs
- (Optional) Salesforce talks to GRAX instance
- hq.grax.com talks to Salesforce
Best practices suggest exposing your GRAX instance to public traffic via an Application Load Balancer of some form with additional filtering for security. However, GRAX doesn't support API gateways that modify payloads, terminate or modify authentication, enforce third-party schemas/protocols, or filter requests based on path, payload, or parameters. GRAX doesn't guarantee alignment with any published API standard, nor promise stability of the API interface for external use at this time.
The following are descriptions of the rules related to traffic that flows outward from the GRAX instance.
To query, update, or insert information in Salesforce, GRAX uses the public Salesforce REST and Composite APIs. Allow at least one static IP for your GRAX app to communicate out to Salesforce.
This may include allowing SFDC Login Access from this IP, as well as allowing the traffic to leave the VPC or other infrastructure network.
For software updates, telemetry, and license monitoring, GRAX communicates with GRAX HQ. Allow the GRAX app to access hq.grax.com over HTTPS on port 443. A static IP for this communication isn't currently available. For more information on this communication, see here.
For metadata storage, search indexing, and storage optimizations, GRAX uses Postgres. Allow the GRAX app to access your configured Postgres database.
For long-term storage, GRAX uses blob storage platforms. Allow the GRAX app to access your chosen blob storage bucket/platform.
The following are descriptions of the rules related to traffic that flows towards the GRAX instance.
End users of GRAX access the GRAX app via a web browser. This traffic originates from their local IPs unless using a VPN or proxy. To allow your users to use GRAX, allow their IPs to hit the public endpoint for your GRAX app. If all of your users share a network segment (VPN, corporate network, etc.), allowing that network segment access may be sufficient.
Lightning Web Components and Embedded Pages are all driven by Salesforce-to-GRAX traffic. Salesforce publishes their global IP ranges. Allow, at a minimum, the IP ranges for your Salesforce instance region to access the GRAX app API.
NOTE: this traffic is optional based on feature usage. If your use case for GRAX doesn't necessitate using LWC or iFrames, Salesforce won't make requests to your GRAX app.
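The inbound rules above, sketched as an added example (not GRAX code): it builds a source allowlist from end-user network segments, includes Salesforce ranges only when LWC or embedded pages are in use, and flags overly broad entries. The CIDRs are constructed documentation ranges and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not real
# corporate or Salesforce addresses. Take the Salesforce ranges from the
# list Salesforce publishes for your instance region.
USER_SEGMENTS = ["198.51.100.0/24"]      # e.g. corporate VPN egress segment
SALESFORCE_RANGES = ["203.0.113.0/25"]   # placeholder for regional ranges


def build_allowlist(user_segments, salesforce_ranges, uses_lwc_or_iframes):
    """Return [(network, label)] of sources allowed to reach the GRAX app.

    Salesforce ranges are added only when LWC or embedded pages are used,
    because Salesforce makes no requests to the app otherwise.
    """
    entries = [(ipaddress.ip_network(c), "end-user") for c in user_segments]
    if uses_lwc_or_iframes:
        entries += [(ipaddress.ip_network(c), "salesforce")
                    for c in salesforce_ranges]
    return entries


def classify(source_ip, allowlist):
    """Return the label of the first entry containing source_ip, else 'deny'."""
    addr = ipaddress.ip_address(source_ip)
    for network, label in allowlist:
        if addr in network:
            return label
    return "deny"


def audit(allowlist, max_addresses=65536):
    """List entries wider than max_addresses (catches 0.0.0.0/0 and similar)."""
    return [str(net) for net, _ in allowlist if net.num_addresses > max_addresses]


if __name__ == "__main__":
    allow = build_allowlist(USER_SEGMENTS, SALESFORCE_RANGES, True)
    for ip in ("198.51.100.7", "203.0.113.10", "203.0.113.200"):
        print(ip, "->", classify(ip, allow))
    print("too broad:", audit(build_allowlist(["0.0.0.0/0"], [], False)))
```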
The following are descriptions of the rules related to traffic that flows entirely externally from the GRAX instance network, but impacts the GRAX application.
GRAX HQ's static egress IPs appear in the Integration User's login history after connecting the app to Salesforce due to the nature of the GRAX OAuth process. Please add 220.127.116.11 to your whitelist/allowlist addresses on the Integration User's profile to allow the GRAX app to connect to your org. In addition, you need to add the static IP addresses for each of your specific environments to ensure there are no IP restrictions.