Shotgun ecosystem

Shotgun is a cloud platform composed of many services. All of these services need to be accessible to users for Shotgun to be fully functional.

[Image: shotgun_ecosystem.png]

FQDNs and IPs

Here is an overview of the different fully qualified domain names (FQDNs) and IP addresses that are part of the Shotgun cloud platform.

Shotgun. The Shotgun service itself.

AWS S3. All your media and attachments are stored on Amazon Simple Storage Service (AWS S3). To read more about where your media is saved, please see Selecting a storage location for uploaded files overview.

AWS S3 Accelerated. High-end accelerated endpoints for S3. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations.

Web Accelerator. Shotgun uses CDNetworks for Web Content Acceleration. CDNetworks improves the experience for users located farther away from Shotgun’s data center. Whether CDNetworks is used or not depends on the geolocation of the user.

Toolkit App Store. Users must be able to reach the Toolkit App Store to update Desktop and Toolkit.

| Service | FQDNs | IP range |
|---|---|---|
| Shotgun | *.shotgunstudio.com | 74.50.63.109, 74.50.63.111 |
| AWS S3 | sg-media-usor-01.s3.amazonaws.com | "region": "us-west-2", "service": "S3" (AWS Dynamic IP Range) |
| AWS S3 | sg-media-tokyo.s3.amazonaws.com | "region": "ap-northeast-1", "service": "S3" (AWS Dynamic IP Range) |
| AWS S3 | sg-media-ireland.s3.amazonaws.com | "region": "eu-west-1", "service": "S3" (AWS Dynamic IP Range) |
| AWS S3 accelerated | sg-media-usor-01.s3-accelerate.amazonaws.com | "region": "GLOBAL", "service": "CLOUDFRONT" (AWS Dynamic IP Range) |
| AWS S3 accelerated | sg-media-tokyo.s3-accelerate.amazonaws.com | "region": "GLOBAL", "service": "CLOUDFRONT" (AWS Dynamic IP Range) |
| AWS S3 accelerated | sg-media-ireland.s3-accelerate.amazonaws.com | "region": "GLOBAL", "service": "CLOUDFRONT" (AWS Dynamic IP Range) |
| Web accelerator | *.shotgunstudio.com | See Appendix A |
| Toolkit App Store | tank.shotgunstudio.com | 74.50.63.109, 74.50.63.111 |


Restricting network access

Many studios restrict their users' network access. Because Shotgun is a service composed of multiple endpoints, restricting network access while keeping Shotgun functional can be a challenge. Different approaches can be used, each with its own pros and cons.

Firewall. Your studio probably already has a firewall restricting network access. For Shotgun to work, the FQDNs and the IP ranges will have to be whitelisted by your studio’s network administrators. The table above will help them put the required exceptions in place.

Gateway. It is possible to set up a gateway that would allow traffic to Shotgun to go through, but not other external traffic. The concept is to redirect all Shotgun traffic through that gateway, which has access to the internet. See Setting up a gateway server for more details.

Proxy. See Setting up a proxy server for Shotgun for more details. Please note that, where possible, we recommend using the gateway or the firewall approach instead.
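For the firewall approach, the AWS rows of the table give region and service selectors rather than fixed addresses. The following added example (not part of the original page or of Shotgun's tooling) resolves those selectors to CIDR blocks, assuming "AWS Dynamic IP Range" refers to the ip-ranges.json feed that AWS publishes; the sample feed, its prefixes and the function names are constructed for illustration.

```python
import ipaddress
import json

# (region, service) selectors copied from the AWS rows of the table above.
SELECTORS = {
    ("us-west-2", "S3"),
    ("ap-northeast-1", "S3"),
    ("eu-west-1", "S3"),
    ("GLOBAL", "CLOUDFRONT"),
}

# Constructed sample in the layout of AWS's ip-ranges.json feed (assumption).
# The prefixes are documentation ranges, not real AWS addresses.
SAMPLE = json.loads("""
{"syncToken": "0", "createDate": "constructed", "prefixes": [
 {"ip_prefix": "198.51.100.0/25",   "region": "us-west-2", "service": "S3"},
 {"ip_prefix": "198.51.100.128/25", "region": "us-west-2", "service": "S3"},
 {"ip_prefix": "203.0.113.0/24",    "region": "eu-west-1", "service": "S3"},
 {"ip_prefix": "192.0.2.0/24",      "region": "GLOBAL",    "service": "CLOUDFRONT"},
 {"ip_prefix": "203.0.113.0/25",    "region": "us-west-2", "service": "EC2"}
]}
""")

def allowlist(doc, selectors=SELECTORS):
    """Map each matching (region, service) to its collapsed CIDR strings."""
    picked = {}
    for entry in doc.get("prefixes", []):
        key = (entry.get("region"), entry.get("service"))
        if key in selectors:
            # strict=True rejects a prefix with host bits set (malformed feed).
            net = ipaddress.ip_network(entry["ip_prefix"], strict=True)
            picked.setdefault(key, []).append(net)
    # Merge adjacent or overlapping blocks so the firewall gets fewer rules.
    return {key: [str(n) for n in ipaddress.collapse_addresses(nets)]
            for key, nets in picked.items()}

def missing_selectors(doc, selectors=SELECTORS):
    """Selectors with no prefix in the feed: the feed or the filter changed."""
    return sorted(selectors - set(allowlist(doc, selectors)))

if __name__ == "__main__":
    for (region, service), cidrs in sorted(allowlist(SAMPLE).items()):
        for cidr in cidrs:
            print(f"allow {cidr}  # {service} {region}")
    print("no prefixes found for:", missing_selectors(SAMPLE))
```

Because these ranges are dynamic, run the filter against the current feed on a schedule and review the firewall exceptions whenever the output changes or `missing_selectors` is non-empty.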

Restricting access to a Shotgun site

Another way to increase the security around your Shotgun site is to allow only IPs from your studio to connect to your Shotgun site. See IP whitelisting for more details on this technique.

 

Appendix A: CDNetworks dynamic IP range

WARNING: This range is given as a reference and subject to change.