# External Services / Egress Targets

Every external system this app talks to. Use it to set egress firewall rules and NetworkPolicies, and to work out which Secrets need to exist.

## Inbound (callers reach us)
| Caller | What for | Notes |
|---|---|---|
| Shopify | Webhooks (orders, fulfillment, etc.) | Need a public-facing ingress hostname. Shopify retries on failure but does not authenticate by source IP — HMAC signature only. |
| Salesforce Commerce Cloud (Demandware) | Webhooks for order events | Same — public ingress. |
| Internal users | Web UI (`/admin`, `/batching`, etc.) and admin tools (`/sidekiq`, `/flipper`, `/event_store` — gated by `CanAccessInternalConfigUI`) | Internal hostname OK. |
| Print stations | `/api/...` integration endpoints | Confirm with Rails team if these run inside the corp network. |
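Since the Shopify row above relies on the HMAC signature alone, here is an added example (not code from this app or from Shopify's gem) of that check in Ruby: HMAC-SHA256 over the raw body with the app's shared secret, base64-encoded, compared in constant time against the `X-Shopify-Hmac-SHA256` header. The secret, body and header hash are constructed for the example; in the Rails app the raw body comes from `request.raw_post` and the header from `request.headers`.

```ruby
require "openssl"

# Shopify signs each webhook by computing HMAC-SHA256 over the raw request
# body with the app's shared secret and sends the base64 digest in the
# X-Shopify-Hmac-SHA256 header. Since source IP is not a usable control for
# this caller, this check is what authenticates the request and must run
# before the body is parsed or handed to a Sidekiq job.
module ShopifyWebhookAuth
  HEADER = "X-Shopify-Hmac-SHA256"

  # Base64 digest Shopify would send for +raw_body+ under +secret+.
  def self.expected_hmac(secret, raw_body)
    [OpenSSL::HMAC.digest("sha256", secret, raw_body)].pack("m0")
  end

  # Constant-time comparison so a forged header cannot be probed
  # byte by byte through response timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack("C*")
    diff = 0
    b.each_byte { |byte| diff |= byte ^ left.shift }
    diff.zero?
  end

  # True only when the header is present and matches the raw body.
  # +headers+ is a plain Hash of header name => value (constructed here;
  # in Rails read request.headers[HEADER] and request.raw_post).
  def self.valid?(secret, raw_body, headers)
    header = headers[HEADER].to_s
    return false if header.empty?
    secure_compare(expected_hmac(secret, raw_body), header)
  end
end

# Constructed sample values; the secret is a placeholder, not a real one.
SAMPLE_SECRET = "example-shared-secret-placeholder"
SAMPLE_BODY   = '{"id":1001,"financial_status":"paid"}'

if __FILE__ == $PROGRAM_NAME
  signed = { ShopifyWebhookAuth::HEADER =>
             ShopifyWebhookAuth.expected_hmac(SAMPLE_SECRET, SAMPLE_BODY) }
  tampered = SAMPLE_BODY.sub("paid", "refunded")
  puts "genuine:  #{ShopifyWebhookAuth.valid?(SAMPLE_SECRET, SAMPLE_BODY, signed)}"  # true
  puts "tampered: #{ShopifyWebhookAuth.valid?(SAMPLE_SECRET, tampered, signed)}"     # false
end
```

Reject the request (and do not enqueue anything) whenever `valid?` returns false; a missing header and a mismatched body are treated the same way.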
## Outbound (we reach them)

### Storage & infra

- AWS S3 — buckets configured per env (PDF, packing slips, shipping labels, TIFF, PNG, `pod_assembler_tiff`). Region `us-east-1`. Egress: `*.s3.amazonaws.com`, `s3.us-east-1.amazonaws.com`.
- MySQL — managed (Azure Database for MySQL or RDS).
- Redis — managed (Azure Cache for Redis or ElastiCache).
### Order/commerce platforms

- Shopify — `*.myshopify.com`, `*.shopify.com` (Admin GraphQL API). Auth: `shopify_api_key` + per-shop tokens.
- Salesforce Commerce Cloud (Demandware) — endpoints hardcoded in `Demandware::Client`:
  - `production-na01-popsockets.demandware.net`
  - `www.popsockets.com`
  - `www.emeaoms.popsockets.app`
  - `www.popsockets.group`
  - Plus staging and dev variants
  - Auth: per-store client credentials in DB.
- Amazon Selling Partner API (SP-API) — supplier orders. Egress: `sellingpartnerapi-*.amazon.com`.
### Fulfillment & 3PL

- Cirro 3PL — fulfillment exports. Single-thread Sidekiq queue (`camel`).
- PrintStation via Azure Service Bus — event-driven order creation / cancellation. Egress: `*.servicebus.windows.net`. Uses SAS keys (recently updated — see commit `e15470702`).
- Carrier APIs — confirm with Rails team. Likely UPS / FedEx / USPS.
### File transfer

- SFTP / FTP — order/shipment data exchange. Gems: `net-sftp`, `net-ftp`. Outbound TCP 22 (SFTP) / 21 + passive ports (FTP). Specific hosts: ask Rails team for the list — they're per-customer.
### Communication & marketing

- Postmark — transactional email API. Egress: `api.postmarkapp.com`.
- Klaviyo — customer events. Egress: `a.klaviyo.com`.
### Rendering / utility

- wkhtmltopdf / wkhtmltoimage — local binaries (no egress).
- Drive Commerce recipe API — `cz.drrv.co/recipe/`. Product rendering metadata.
- Labelary — shipping label rendering. Egress: `api.labelary.com`.
### Observability

- Datadog — agent on the cluster forwards. Egress (from agent, not app): `*.datadoghq.com`. App talks to the agent via `DD_AGENT_HOST`:`DD_DOGSTATSD_PORT` (in-cluster).
## Egress firewall recommendation

Allowlist the destinations above, log-and-deny everything else. Pay particular attention to:
- FTP passive ports (if any FTP partner is non-SFTP) — these are dynamic high ports and need explicit firewall handling.
- Static egress IP — some carriers and 3PL partners require source IPs to be allowlisted on their side. The new k8s cluster needs a NAT gateway with a stable public IP so we can hand the IP to those partners. Action item for infra: confirm static egress IP plan and we'll collect the partner list.