Copyright © 2025 GRAX, Inc.

Network Requirements

Last updated 1 month ago

At a high level, the following are the rules for GRAX network access:

  1. GRAX Application talks to Salesforce

  2. GRAX Application talks to hq.grax.com

  3. GRAX Application talks to Database

  4. GRAX Application talks to Storage

  5. End users talk to GRAX Application's APIs

  6. (Optional) Salesforce talks to GRAX Application

  7. hq.grax.com talks to Salesforce

Communication Details

Best practices suggest exposing your GRAX Application to public traffic via an Application Load Balancer of some form with additional filtering for security. However, GRAX doesn't support API gateways that modify payloads, terminate or modify authentication, enforce third-party schemas/protocols, or filter requests based on path, payload, or parameters. GRAX doesn't guarantee alignment with any published API standard, nor promise stability of the API interface for external use at this time.

Egress Network Connections

The following are descriptions of the rules related to traffic that flows outward from the compute resource running your GRAX Application.

GRAX → Salesforce

To query, update, or insert information in Salesforce, GRAX uses the public Salesforce REST and Composite APIs (and never uses the Salesforce Bulk API). Allow at least one static IP for your GRAX Application to communicate out to Salesforce. This may include allowing SFDC Login Access from this IP, as well as allowing the traffic to leave the VPC or other infrastructure network.

GRAX → HQ

For software updates, telemetry, and license monitoring, GRAX communicates with GRAX HQ. Allow the GRAX Application to access hq.grax.com over HTTPS on port 443. A static IP for this communication isn't currently available. For more information on this communication, see here.

GRAX → Database

For metadata storage, search indexing, and storage optimizations, GRAX uses Postgres. Allow the GRAX Application to access your configured Postgres database.

GRAX → Storage

For longterm storage, GRAX uses blob storage platforms. Allow the GRAX Application to access your chosen blob storage bucket/platform.

Ingress Network Connections

The following are descriptions of the rules related to traffic that flows towards the compute resource running your GRAX Application.

End Users → GRAX

End users of GRAX access the GRAX Application via a web browser. This traffic originates from their local IPs unless using a VPN or proxy. To allow your users to use GRAX, allow their IPs to hit the public endpoint for your GRAX Application. If all of your users share a network segment (VPN, corporate network, etc.), allowing that network segment access may be sufficient.

(Optional) Salesforce → GRAX

Lightning Web Components and Embedded Pages are all driven by Salesforce-to-GRAX traffic. Salesforce publishes their global IP ranges. Allow, at a minimum, the IP ranges for your Salesforce instance region to access the GRAX Application API.

NOTE: this traffic is optional based on feature usage. If your use case for GRAX doesn't necessitate using LWC or iFrames, Salesforce won't make requests to your GRAX Application.

Independent Network Connections

The following are descriptions of the rules related to traffic that flows entirely independently from the compute resource running your GRAX Application, but which may impact its operation.

GRAX HQ → Salesforce

GRAX HQ's static egress IPs appear in the Integration User's login history after connecting the app to Salesforce due to the nature of the GRAX OAuth process. Please add 3.232.229.75 to your whitelist/allowlist addresses on the Integration User's profile to allow the GRAX Application to connect to your org. In addition, you need to add the static IP addresses for each of your specific environments to ensure there are no IP restrictions.

Figure: GRAX Simplified Network Diagram
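
The ingress and egress rules described on this page can be checked mechanically against a firewall or security-group export. The following is an added example, not GRAX code: the rule format, the `audit` function, the documentation-range addresses, and the Postgres address and port 5432 are assumptions made for illustration.

```python
import ipaddress

# Constructed values: RFC 5737 documentation ranges stand in for real networks.
APPROVED_SOURCES = [
    ipaddress.ip_network("198.51.100.0/24"),  # assumed corporate VPN segment
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder for a published Salesforce range
]
# Egress flows the page requires. hq.grax.com has no static IP, so a stand-in
# public address checks that HTTPS egress is not pinned to a narrow range.
REQUIRED_EGRESS = {
    "database": ("10.0.2.15", 5432),          # assumed Postgres address and port
    "HTTPS to HQ/Salesforce/storage": ("192.0.2.10", 443),
}

def _covers(rule, ip, port):
    """True if an egress rule permits traffic to ip:port."""
    net = ipaddress.ip_network(rule["cidr"])
    return rule["port"] == port and ipaddress.ip_address(ip) in net

def audit(rules):
    """Return sorted findings for a list of {name, direction, cidr, port} rules."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress":
            continue
        src = ipaddress.ip_network(rule["cidr"])
        if src.prefixlen == 0:
            findings.append(f"{rule['name']}: ingress open to any source")
        elif not any(src.version == ok.version and src.subnet_of(ok)
                     for ok in APPROVED_SOURCES):
            findings.append(f"{rule['name']}: ingress source outside approved networks")
    egress = [r for r in rules if r["direction"] == "egress"]
    for flow, (ip, port) in REQUIRED_EGRESS.items():
        if not any(_covers(r, ip, port) for r in egress):
            findings.append(f"missing egress for {flow}")
    return sorted(findings)

# Constructed rule set, not taken from any real deployment.
SAMPLE_RULES = [
    {"name": "users-vpn", "direction": "ingress", "cidr": "198.51.100.0/25", "port": 443},
    {"name": "lwc-salesforce", "direction": "ingress", "cidr": "203.0.113.0/24", "port": 443},
    {"name": "legacy-any", "direction": "ingress", "cidr": "0.0.0.0/0", "port": 443},
    {"name": "partner", "direction": "ingress", "cidr": "192.0.2.0/24", "port": 443},
    {"name": "https-out", "direction": "egress", "cidr": "0.0.0.0/0", "port": 443},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

On the sample rules the audit reports the any-source ingress rule, the unapproved partner range, and the missing database egress rule.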