Shotgun ecosystem

Shotgun is a cloud platform composed of many services. All of these services need to be accessible to users for Shotgun to be fully functional.

Shotgun ecosystem

FQDNs and IPs

Here is an overview of the different fully qualified domain names (FQDNs) and IP addresses that are part of the Shotgun cloud platform.

Shotgun. The Shotgun service itself.

AWS S3. All your media and attachments are stored on Amazon Simple Storage Service (AWS S3). To read more about where your media is saved, please see Selecting a storage location for uploaded files overview.

AWS S3 Accelerated. High-end accelerated endpoints for S3.

Web Accelerator. Shotgun uses CDNetworks for Web Content Acceleration. CDNetworks improves the experience for users located farther away from Shotgun’s data center. Whether CDNetworks is used or not depends on the geolocation of the user.

Toolkit App Store. You must have access to the Toolkit App Store for users to be able to update Desktop and Toolkit.

Analytics. To better understand our users’ needs and focus our development, we gather high-level, non-personal metrics. That data is stored in a cloud service, Amplitude. We do not recommend whitelisting these services specifically, but if you find they are causing trouble for your firewall, please contact our support.

| Service | FQDNs | IP range |
|---|---|---|
| Shotgun | *.shotgunstudio.com | 74.50.63.109, 74.50.63.111 |
| AWS S3 | sg-media-usor-01.s3.amazonaws.com | us-west-2 AWS Dynamic IP Range |
| AWS S3 | sg-media-tokyo.s3.amazonaws.com | ap-northeast-1 AWS Dynamic IP Range |
| AWS S3 | sg-media-ireland.s3.amazonaws.com | eu-west-1 AWS Dynamic IP Range |
| AWS S3 accelerated | sg-media-usor-01.s3-accelerate.amazonaws.com | us-west-2 AWS Dynamic IP Range |
| AWS S3 accelerated | sg-media-tokyo.s3-accelerate.amazonaws.com | ap-northeast-1 AWS Dynamic IP Range |
| AWS S3 accelerated | sg-media-ireland.s3-accelerate.amazonaws.com | eu-west-1 AWS Dynamic IP Range |
| Web accelerator | *.shotgunstudio.com | See Appendix A |
| Toolkit App Store | tank.shotgunstudio.com | 74.50.63.109, 74.50.63.111 |

Restricting network access

Many studios restrict their users’ network access. Because Shotgun is a service composed of multiple endpoints, restricting network access while keeping Shotgun functional can be a challenge. Different approaches can be used, each with its pros and cons.

Firewall. Your studio probably already has a firewall restricting network access. For Shotgun to work, the FQDNs and the IP ranges will have to be whitelisted by your studio’s network administrators. The table above will help them put the required exceptions in place.

Gateway. It is possible to set up a gateway that would allow traffic to Shotgun to go through, but not other external traffic. The concept is to redirect all Shotgun traffic through that gateway, which has access to the internet. See Setting up a gateway server for more details.

Proxy. See Setting up a proxy server for Shotgun for more details. Please note that, where possible, we recommend using the gateway or the firewall approach instead.
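
For the firewall approach, the "AWS Dynamic IP Range" entries in the table have to be turned into concrete rules and refreshed when AWS changes them. The following is an added example, not code from Shotgun: it builds an IPv4 allowlist from the static IPs and S3 regions listed on this page and a file in the layout of AWS's published ip-ranges.json, then reports which rules to add or drop between two snapshots. The sample data is constructed (documentation ranges, not real AWS prefixes) and the function names are hypothetical.

```python
import ipaddress
import json

# Static Shotgun IPs and S3 regions, taken from the table on this page.
SHOTGUN_STATIC_IPS = ["74.50.63.109", "74.50.63.111"]
SHOTGUN_S3_REGIONS = {"us-west-2", "ap-northeast-1", "eu-west-1"}

# Constructed sample in the layout of AWS's ip-ranges.json.
# Prefixes are RFC 5737 documentation ranges, not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "1970-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.64/26", "region": "ap-northeast-1", "service": "EC2"},
    ],
})


def build_allowlist(ip_ranges_json, regions=SHOTGUN_S3_REGIONS):
    """Merged IPv4 networks: static Shotgun IPs plus S3 prefixes for the given regions."""
    doc = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(ip) for ip in SHOTGUN_STATIC_IPS]
    for entry in doc.get("prefixes", []):
        # Keep only S3 prefixes in the regions the table names; other services
        # and regions are not needed and would widen the exception.
        if entry.get("service") == "S3" and entry.get("region") in regions:
            nets.append(ipaddress.ip_network(entry["ip_prefix"]))
    # Merge duplicates and adjacent blocks so the firewall gets the fewest rules.
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(ip, allowlist):
    """True if the destination IP falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def rule_changes(old_allowlist, new_allowlist):
    """Return (to_add, to_remove) between two allowlist snapshots."""
    old, new = set(old_allowlist), set(new_allowlist)
    return sorted(new - old), sorted(old - new)
```

The FQDN-based exceptions from the table, including *.shotgunstudio.com for the web accelerator, still need to be handled separately, since this only covers the IP range column.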

Restricting access to a Shotgun site

Another way to increase the security around your Shotgun site is to allow only IPs from your studio to connect to your Shotgun site. See IP whitelisting for more details on this technique.

FAQ

What are the URLs used for analytic purposes?

The Web Application may attempt to access the following domains:

  • amplitude.com
  • segment.io
  • segment.com
  • cloudfront.net

Failure to access these URLs won’t impact Shotgun functionality but may result in some errors in the browser console.

Appendix A: CDNetworks dynamic IP range

WARNING: This range is given as a reference and subject to change.