Network Requirements
At a high level, the following are the rules for GRAX network access:
GRAX Application talks to Salesforce
GRAX Application talks to hq.grax.com
GRAX Application talks to Database
GRAX Application talks to Storage
End users talk to GRAX Application's APIs
(Optional) Salesforce talks to GRAX Application
hq.grax.com talks to Salesforce
Best practices suggest exposing your GRAX Application to public traffic via an Application Load Balancer of some form with additional filtering for security. However, GRAX doesn't support API gateways that modify payloads, terminate or modify authentication, enforce third-party schemas/protocols, or filter requests based on path, payload, or parameters. GRAX doesn't guarantee alignment with any published API standard, nor promise stability of the API interface for external use at this time.
The following are descriptions of the rules related to traffic that flows outward from the compute resource running your GRAX Application.
To query, update, or insert information in Salesforce, GRAX uses the public Salesforce REST and Composite APIs (and never uses the Salesforce Bulk API). Allow, at a minimum, one static IP for your GRAX Application to communicate out to Salesforce.
For metadata storage, search indexing, and storage optimizations, GRAX uses Postgres. Allow the GRAX Application to access your configured Postgres database.
For long-term storage, GRAX uses blob storage platforms. Allow the GRAX Application to access your chosen blob storage bucket/platform.
The following are descriptions of the rules related to traffic that flows towards the compute resource running your GRAX Application.
End users of GRAX access the GRAX Application via a web browser. This traffic originates from their local IPs unless using a VPN or proxy. To allow your users to use GRAX, allow their IPs to hit the public endpoint for your GRAX Application. If all of your users share a network segment (VPN, corporate network, etc.), allowing that network segment access may be sufficient.
NOTE: this traffic is optional based on feature usage. If your use case for GRAX doesn't necessitate using LWC or iFrames, Salesforce won't make requests to your GRAX Application.
The following are descriptions of the rules related to traffic that flows entirely independently from the compute resource running your GRAX Application, but which may impact its operation.
GRAX HQ's static egress IPs appear in the Integration User's login history after connecting the app to Salesforce due to the nature of the GRAX OAuth process. Please add 3.232.229.75 to your whitelist/allowlist addresses on the Integration User's profile to allow the GRAX Application to connect to your org. In addition, you need to add the static IP addresses for each of your specific environments to ensure there are no IP restrictions.
This may include allowing , as well as allowing the traffic to leave the VPC or other infrastructure network.
For software updates, telemetry, and license monitoring, GRAX communicates with GRAX HQ. Allow the GRAX Application to access hq.grax.com over HTTPS on port 443. A static IP for this communication isn't currently available. For more information on this communication, see .
Lightning Web Components and Embedded Pages are all driven by Salesforce-to-GRAX traffic. Salesforce publishes their global IP ranges. Allow, at a minimum, the to access the GRAX Application API.
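The rules on this page can be checked before go-live. The following Python example is added here and is not GRAX code: it audits a firewall rule list against the flows listed above and checks that the Integration User's login IP ranges cover 3.232.229.75 and your app's static IPs. The rule tuple format, the peer labels, port 5432 for Postgres, port 443 for flows other than hq.grax.com, and all sample addresses are assumptions.

```python
import ipaddress

HQ_EGRESS_IP = "3.232.229.75"  # GRAX HQ static egress IP, from the page
# (direction, peer, port) flows the page requires. Port 5432 is the Postgres
# default and 443 for Salesforce/storage/end users assumes HTTPS; both are
# assumptions, the page only states port 443 for hq.grax.com.
REQUIRED = [("egress", "salesforce", 443), ("egress", "hq.grax.com", 443),
            ("egress", "postgres", 5432), ("egress", "storage", 443),
            ("ingress", "end-users", 443)]
OPTIONAL_LWC = ("ingress", "salesforce", 443)  # only needed for LWC / iFrames


def audit_rules(rules, uses_lwc):
    """Return findings for a rule list of (direction, peer, cidr, port)."""
    findings = []
    present = {(d, peer, port) for d, peer, _cidr, port in rules}
    needed = REQUIRED + ([OPTIONAL_LWC] if uses_lwc else [])
    for flow in needed:
        if flow not in present:
            findings.append(f"missing: {flow[0]} {flow[1]}:{flow[2]}")
    if not uses_lwc and OPTIONAL_LWC in present:
        findings.append("unneeded: ingress salesforce:443 (LWC/iFrames unused)")
    for d, peer, cidr, port in rules:
        if d == "ingress" and ipaddress.ip_network(cidr).prefixlen == 0:
            findings.append(f"open to any source: ingress {peer}:{port}")
    return findings


def uncovered_login_ips(login_ranges, app_static_ips):
    """IPs that must log in as the Integration User but fall outside every
    (start, end) range configured on its profile."""
    must_allow = [HQ_EGRESS_IP, *app_static_ips]
    def covered(ip):
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in login_ranges)
    return [ip for ip in must_allow if not covered(ip)]


# Constructed sample input (documentation address ranges, not real values).
RULES = [("egress", "salesforce", "0.0.0.0/0", 443),
         ("egress", "hq.grax.com", "0.0.0.0/0", 443),
         ("egress", "postgres", "10.0.2.0/24", 5432),
         ("ingress", "end-users", "0.0.0.0/0", 443),
         ("ingress", "salesforce", "198.51.100.0/24", 443)]
LOGIN_RANGES = [("203.0.113.10", "203.0.113.10")]

if __name__ == "__main__":
    print(audit_rules(RULES, uses_lwc=False))
    print(uncovered_login_ips(LOGIN_RANGES, ["203.0.113.10"]))
```

On the sample input the audit reports the missing storage egress rule, the Salesforce ingress rule that is unnecessary when LWC and iFrames are unused, and end-user ingress open to any source; the login range check reports that 3.232.229.75 is not yet allowed.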