This article provides the network communication requirements for cloud-hosted ggCircuit services.
Outbound IPs
- Fastly: ggLeap API runs through Fastly, requiring their outbound IPs for API access. These IPs change periodically, so subscribing to updates is recommended.
- AWS: Add AWS IP ranges for SQS (tcp/443) and API gateway (tcp/443) to enable ggLeap client-to-backend communication (non-API).
  Note: Addresses listed for API_GATEWAY are egress-only; no specific subset exists for SQS or API Gateway ingress.
- Cloudflare: Allow Cloudflare IP ranges.
  - IP list: https://www.cloudflare.com/ips/
Extracting IP Ranges with PowerShell
Use these PowerShell commands to extract IP ranges from the AWS JSON file:
- Install the AWS Tools module:
  Install-Module -Name AWS.Tools.Common
- Get and filter IPv4 IP prefixes:
  Get-AWSPublicIpAddressRange | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix
Note: This outputs a list of IPv4 IP prefixes for configuring your network firewall or security group rules.
Additional Considerations
- Firewall/Security Groups: Ensure your firewall or security group rules allow both inbound and outbound traffic to/from the specified IP ranges on the necessary ports (primarily tcp/443).
- Regular Updates: IPs in these lists change periodically. Implement a process to keep these updated in your network configuration.
- Testing: After making changes, thoroughly test your ggLeap and ggRock setup to ensure proper communication and functionality.
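One way to implement the update process recommended above, as an added PowerShell example rather than ggCircuit's own tooling: it filters prefix objects shaped like Get-AWSPublicIpAddressRange output and reports what changed since a saved baseline. The function names, the baseline path, and the us-east-1 / AMAZON and API_GATEWAY filter are assumptions, and the sample prefixes are constructed documentation ranges.

```powershell
# Added example. Function names, baseline path and the region/service filter
# are assumptions; the sample prefixes below are constructed (RFC 5737/3849).

function Select-AwsPrefix {
    param([object[]]$Range,
          [string[]]$Service = @('AMAZON', 'API_GATEWAY'),
          [string[]]$Region  = @('us-east-1'))
    # Keep IPv4 entries for the chosen services and regions, de-duplicated.
    $Range |
        Where-Object { $_.IpAddressFormat -eq 'Ipv4' -and
                       $_.Service -in $Service -and $_.Region -in $Region } |
        Select-Object -ExpandProperty IpPrefix |
        Sort-Object -Unique
}

function Compare-PrefixBaseline {
    param([string[]]$Current, [string]$BaselinePath)
    # A missing baseline file means every current prefix is reported as added.
    $previous = @()
    if (Test-Path -LiteralPath $BaselinePath) {
        $previous = @(Get-Content -LiteralPath $BaselinePath)
    }
    $added   = @(foreach ($p in $Current)  { if ($p -notin $previous) { $p } })
    $removed = @(foreach ($p in $previous) { if ($p -notin $Current)  { $p } })
    [pscustomobject]@{
        Added   = $added      # prefixes to allow in the firewall
        Removed = $removed    # prefixes whose rules can be retired
        Changed = ($added.Count + $removed.Count) -gt 0
    }
}

# Constructed sample with the same properties as Get-AWSPublicIpAddressRange output.
$sample = @(
    [pscustomobject]@{ IpPrefix='192.0.2.0/24';    Region='us-east-1'; Service='AMAZON';      IpAddressFormat='Ipv4' }
    [pscustomobject]@{ IpPrefix='198.51.100.0/24'; Region='us-east-1'; Service='API_GATEWAY'; IpAddressFormat='Ipv4' }
    [pscustomobject]@{ IpPrefix='203.0.113.0/24';  Region='eu-west-1'; Service='AMAZON';      IpAddressFormat='Ipv4' }
    [pscustomobject]@{ IpPrefix='2001:db8::/32';   Region='us-east-1'; Service='AMAZON';      IpAddressFormat='Ipv6' }
)

$baseline = Join-Path ([IO.Path]::GetTempPath()) 'ggleap-aws-prefixes.txt'
$current  = Select-AwsPrefix -Range $sample   # live data: -Range (Get-AWSPublicIpAddressRange)
$report   = Compare-PrefixBaseline -Current $current -BaselinePath $baseline
$report | Format-List

# Record the new baseline only after the firewall has been updated. An empty
# result is skipped because it more likely means the fetch failed.
if ($report.Changed -and $current) { Set-Content -LiteralPath $baseline -Value $current }
```

On the first run with the sample data, both us-east-1 IPv4 prefixes are reported under Added; a second run against the saved baseline reports no change.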
ggRock Server Network Requirements
For ggRock server updates and core functionality, the following URLs must be accessible:
- Package Repositories:
https://packagecloud.io
http://apt.postgresql.org
http://security.debian.org
http://deb.debian.org
- ggRock Application:
https://api.ggleap.com
https://loki-external.monitoring.ggcircuit.com:3101
https://github.com
https://ggrock.com
Recommendation: To ensure seamless operation and future compatibility, it is strongly recommended to whitelist all https://*.ggleap.com, https://*.ggcircuit.com, and https://*.ggrock.com URLs. This will accommodate potential new subdomains used for future features.
Note: ggRock servers do not directly access AWS services.
ggLeap Client Network Requirements
ggLeap clients require access to the following URLs:
https://api.ggleap.com
https://sqs.us-east-1.amazonaws.com
https://media.ggleap.com
https://updates.ggleap.com
https://s3.amazonaws.com
https://s3.us-east-1.amazonaws.com
https://media.ggleap.com.s3.us-east-1.amazonaws.com
Third-Party Integrations:
- Kidas:
https://kidas-installation-logs.s3.us-west-2.amazonaws.com
https://kidas-updater-prod.s3.us-west-2.amazonaws.com
- Note: Additional Kidas URLs may be required. Consult Kidas documentation for the most up-to-date information.
- Salad:
https://salad.io
https://salad.com
- Note: Refer to the official Salad support article for detailed network requirements:
https://support.salad.com/article/186-how-to-unblock-salad-with-your-isp
Important Note: In addition to the URLs listed above, clients will also require access to the URLs necessary for launching and running games and applications. These requirements vary depending on the specific applications being used and should be addressed separately. Consult the documentation for each game or application for its specific network requirements.