Shotgun ecosystem

Shotgun is a cloud platform composed of many services. All of these services need to be accessible to users for Shotgun to be fully functional.



FQDNs and IPs

Here is an overview of the different fully qualified domain names (FQDN) and internet protocols (IPs) that are part of the Shotgun cloud platform.

Shotgun. The Shotgun service itself.

AWS S3. All your media and attachments are stored on Amazon Simple Storage Service (AWS S3). To read more about where your media is saved, please see Selecting a storage location for uploaded files overview.

AWS S3 Accelerated. High-end accelerated endpoints for S3. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations.

Web Accelerator. Shotgun uses CDNetworks for Web Content Acceleration. CDNetworks improves the experience for users located farther away from Shotgun’s data center. Whether CDNetworks is used or not depends on the geolocation of the user.

Toolkit App Store. You must have access to the Toolkit App Store for users to be able to update Desktop and Toolkit.

Service FQDNs IP range Protocol



Shotgun Create

"service": "S3" AWS Dynamic IP Range tcp/443
Shotgun RV

"service": "S3" AWS Dynamic IP Range tcp/443

"region": "us-west-2", "service": "S3" AWS Dynamic IP Range tcp/443

"region": "ap-northeast-1", "service": "S3" AWS Dynamic IP Range tcp/443

"region": "eu-west-1", "service": "S3" AWS Dynamic IP Range tcp/443

"region": "sa-east-1", "service": "S3"

AWS Dynamic IP Range tcp/443

"region": "ap-south-1", "service": "S3"

AWS Dynamic IP Range tcp/443 "region": "ap-southeast-2", "service": "S3" AWS Dynamic IP Range tcp/443 
AWS S3 accelerated

"region": "GLOBAL", "service": "CLOUDFRONT"

AWS Dynamic IP Range


"region": "GLOBAL", "service": "CLOUDFRONT" AWS Dynamic IP Range tcp/443

"region": "GLOBAL", "service": "CLOUDFRONT" AWS Dynamic IP Range tcp/443

"region": "GLOBAL", "service": "CLOUDFRONT" AWS Dynamic IP Range tcp/443

"region": "GLOBAL", "service": "CLOUDFRONT"  AWS Dynamic IP Range  tcp/443 

"region": "GLOBAL", "service": "CLOUDFRONT" AWS Dynamic IP Range  tcp/443
Web Accelerator   See Appendix A tcp/443
Web Accelerator China
Toolkit App Store

See Shotgun Service

See Shotgun Service


"region": "GLOBAL", "service": "AMAZON"

AWS Dynamic IP Range


Restricting network access

Many studios are restricting network access to their users. Because Shotgun is a service composed of multiple endpoints, restricting network access while allowing Shotgun to be functional can be a challenge. Different approaches can be used, each with their pros and cons.

Firewall. Your studio probably already has a firewall restricting network access. For Shotgun to work, the FQDNs and the IP ranges will have to be granted access by your studio’s network administrators. The table above will help them put the required exceptions in place.

Gateway. It is possible to set up a gateway that would allow traffic to Shotgun to go through, but not other external traffic. The concept is to redirect all Shotgun traffic through that gateway, which has access to the internet. See Setting up a gateway server for more details.

Proxy. See Setting up a proxy server for Shotgun for more details. Please note where possible, we recommend using the gateway or the firewall approach instead.

Restricting access to a Shotgun site

Another way to increase the security around your Shotgun site is to allow only IPs from your studio to connect to your Shotgun site. See IP allowed listings for more details on this technique.


Appendix A: CDNetworks dynamic IP range

WARNING: This range is given as a reference and subject to change.