Virtual Appliance Networking

Network ingress and egress

Overview

The GRAX Virtual Appliance is designed to work in a highly secure Salesforce instance and AWS network that implement network access controls and firewalls meeting your infrastructure security policy.

At the highest level for every deployment:

  1. The SFDC platform needs to make requests out to the GRAX virtual appliance API
  2. The web browsers of SFDC users need to make requests out to the GRAX virtual appliance API
  3. The GRAX control plane needs to make API requests out to the SFDC API and to the GRAX virtual appliance API
  4. The GRAX instance needs to make API requests out to the central GRAX Control Plane API, SFDC API and AWS API

SFDC platform to GRAX virtual appliance API

The SFDC platform makes automated requests out to your appliance to run backups and get backup status. Therefore:

  • SFDC needs egress to the appliance GRAX API
  • The appliance Application Load Balancer (ALB) needs ingress from SFDC

SFDC egress to your appliance GRAX API requires a Remote Site Setting in SFDC.

A standard Internet-facing ALB allows all Internet traffic, so requires no additional ingress configuration.

For an advanced AWS network that blocks all Internet traffic by default, such as a Web Application Firewall (WAF) in front of the ALB or an internal ALB reached through a Transit Gateway, rules are required to allow ingress from Salesforce IP addresses.

GRAX offers a reference WAF configuration with an IPSet of known Salesforce IP addresses.

Web browsers of SFDC users to GRAX virtual appliance API

SFDC users that interact with the GRAX Package and Lightning Components make interactive requests out to the appliance to configure it and access backup and archive data. Therefore:

  • SFDC user IPs need egress to the appliance GRAX API
  • The appliance (ALB) needs ingress from your SFDC user IPs

A standard Internet-facing ALB allows all Internet traffic, so requires no additional ingress configuration.

For an advanced network with a VPN that your users must connect to in order to access restricted SFDC and internal AWS resources, rules are required to allow ingress from a set of trusted client IP ranges.

GRAX offers a reference WAF configuration with a ClientSideIPSet parameter for specifying those IPs.

GRAX Control Plane to SFDC API and GRAX virtual appliance API

The GRAX Control Plane (https://hq.grax.com) needs to make requests to the SFDC API to establish or refresh an OAuth connection, and to the GRAX appliance API to save OAuth tokens. Therefore:

  • SFDC needs ingress from the GRAX Control Plane
  • The appliance (ALB) needs ingress from the GRAX Control Plane

A basic SFDC instance allows any IP with a valid API token to make API requests, and a basic AWS VPC with an Internet Gateway allows egress to the entire Internet, so this requires no additional ingress or egress configuration.

For an advanced SFDC configuration that blocks all API access except from allowed IPs, a rule is required to allow ingress from trusted GRAX IPs.

For an advanced AWS network that blocks all Internet traffic by default, this requires rules to allow ingress from trusted GRAX IPs.

The static ingress IP addresses are:

  • 3.232.229.75 (hq.grax.com)
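The three ingress paths above (SFDC platform, SFDC users' browsers, and the GRAX Control Plane) can be expressed as one default-deny AWS WAF WebACL on the appliance ALB. The CloudFormation template below is an added example, not GRAX's reference WAF configuration: the AlbArn parameter, the SalesforceIPs placeholder range and the ClientSideIPSet default are assumptions, while 3.232.229.75/32 is the hq.grax.com address listed above.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example, not GRAX's reference WAF template: default-deny WebACL for the appliance ALB
Parameters:
  AlbArn:
    Type: String   # ARN of the appliance ALB (assumed parameter)
  SalesforceIPs:
    Type: CommaDelimitedList   # placeholder; use Salesforce's published egress ranges
    Default: "203.0.113.0/24"
  ClientSideIPSet:
    Type: CommaDelimitedList   # trusted user / VPN ranges for SFDC users' browsers
    Default: "198.51.100.0/24"
Resources:
  SalesforceIPSet:
    Type: AWS::WAFv2::IPSet
    Properties: {Name: sfdc-platform, Scope: REGIONAL, IPAddressVersion: IPV4, Addresses: !Ref SalesforceIPs}
  ClientIPSet:
    Type: AWS::WAFv2::IPSet
    Properties: {Name: sfdc-users, Scope: REGIONAL, IPAddressVersion: IPV4, Addresses: !Ref ClientSideIPSet}
  ControlPlaneIPSet:
    Type: AWS::WAFv2::IPSet   # hq.grax.com static ingress IP from this page
    Properties: {Name: grax-control-plane, Scope: REGIONAL, IPAddressVersion: IPV4, Addresses: ["3.232.229.75/32"]}
  ApplianceWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: grax-appliance-ingress
      Scope: REGIONAL
      DefaultAction: {Block: {}}   # the plain Internet-facing ALB is the equivalent of "Allow: {}" here
      VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: GraxIngress}
      Rules:
        - Name: allow-known-sources
          Priority: 0
          Action: {Allow: {}}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: AllowKnown}
          Statement:
            OrStatement:   # any of the three trusted source sets may reach the GRAX API
              Statements:
                - IPSetReferenceStatement: {Arn: !GetAtt SalesforceIPSet.Arn}
                - IPSetReferenceStatement: {Arn: !GetAtt ClientIPSet.Arn}
                - IPSetReferenceStatement: {Arn: !GetAtt ControlPlaneIPSet.Arn}
  AlbAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt ApplianceWebACL.Arn
```

Blocked requests are visible in the WebACL's sampled requests and CloudWatch metrics, which is where a misconfigured Salesforce or user range shows up as a backup or UI failure before anyone opens a ticket.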

GRAX Instance to GRAX Control Plane GRAX API

The GRAX instance makes automated requests to the GRAX Control Plane API to submit metrics about the successes or failures of backup, archive, and restore operations. Therefore:

  • The AWS VPC needs egress to the GRAX Control Plane API

A standard VPC with a NAT gateway allows all outbound traffic, so requires no additional egress configuration.

For an advanced AWS network that blocks all Internet traffic by default, this requires rules to allow egress to trusted GRAX hostnames and ports.

The static egress hostnames are:

GRAX Instance to SFDC API

The GRAX virtual appliance instance makes automated requests to the Salesforce API to create a valid API session and to request backup data. Therefore:

A basic SFDC instance allows any IP with a valid API token to make API requests, and a basic AWS VPC with an Internet Gateway allows egress to the entire Internet, so this requires no additional ingress or egress configuration.

For an advanced SFDC configuration that blocks all API access except from allowed IPs, a rule is required to allow ingress from trusted AWS IPs.

GRAX by default routes all outbound traffic through a NAT Gateway, which uses a single static Elastic IP for all requests. This static IP address is:

  • the EIP resource in CloudFormation

For an advanced AWS network that blocks all Internet traffic by default, this requires rules to allow egress to trusted SFDC hostnames:

GRAX Instance to AWS API

The GRAX virtual appliance instance makes automated requests to AWS APIs to:

  • download OS packages from public Amazon Linux S3 repositories
  • read metadata from the EC2 metadata service
  • read identity and access metadata from IAM and STS services
  • send success signals to CloudFormation
  • read and write secrets to Secrets Manager
  • read and write backup metadata to RDS
  • read and write backup data to S3
  • read and write backup data to ElasticSearch

For an advanced VPC that blocks all traffic by default, this requires rules to allow egress to trusted global and regional AWS endpoints:

This also requires rules to allow egress to hostnames and ports for resources in the appliance:

  • the DB resource in CloudFormation, e.g. sdwvww5gn5nigd.csg3cls743vn.<region>.rds.amazonaws.com:3306
  • the ElasticSearch resource, e.g. https://<stack>-1sj7tnah6zchn-h4rmqj24lze5vd3r2mu6joo4ri.<region>.es.amazonaws.com (port 443)