Networking Requirements
Network requirements and firewall rules for pyck.cloud SaaS service
Audience: System Administrator
Overview
This document outlines the network requirements and firewall configurations needed to integrate with pyck's SaaS service at pyck.cloud. pyck uses multiple protocols over standard HTTPS ports and requires support for long-lived connections.
Protocols and Ports
pyck consolidates all communication through standard web ports:
Port 80 (HTTP): Used exclusively for redirecting browsers to HTTPS
Port 443 (HTTPS): All application traffic runs on this port using multiple protocols:
HTTPS (standard HTTP/2 and HTTP/1.1)
gRPC (over HTTP/2)
WebSockets (for real-time bidirectional communication)
Long-Lived Connections
Important: Your network infrastructure must support long-lived connections:
WebSocket connections may remain open for extended periods
gRPC streaming connections can be persistent
Proxy servers and firewalls must be configured to:
Not terminate idle connections prematurely
Support WebSocket protocol upgrades
Handle HTTP/2 traffic properly for gRPC
Maintain connection state for streaming protocols
pyck.cloud SaaS Service
When using pyck's SaaS offering, additional network considerations apply due to the dynamic, auto-scaling infrastructure.
Outgoing IP Addresses
pyck publishes all outgoing IP addresses for the SaaS platform:
IP Address Discovery:
Domain: ips.pyck.cloud
Published as both A records (individual IPs) and TXT records (comma-separated list)
Query both record types to get the complete list of IPs
Example DNS queries:
Firewall Configuration: If your systems need to receive callbacks or webhooks from pyck's SaaS platform, whitelist all IPs published at ips.pyck.cloud in your firewall rules.
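One way to turn the two record types into a firewall change set, shown as an added example that is not part of pyck's documentation or tooling. It assumes the answers were collected with something like `dig +short`; the sample addresses, the current allowlist and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample answers (RFC 5737 documentation addresses), shaped like
# `dig +short` output for the A and TXT records of ips.pyck.cloud.
A_ANSWERS = ["192.0.2.10", "192.0.2.11"]
# dig quotes TXT data and splits long records into several quoted chunks.
TXT_ANSWERS = ['"192.0.2.11,198.51.100.7,bogus,203.0.113.2" "5"']
CURRENT_ALLOWLIST = {"192.0.2.10", "192.0.2.99"}  # hypothetical firewall state


def parse_published_ips(a_answers, txt_answers):
    """Return (valid_ips, rejected) from A answers plus comma-separated TXT lists."""
    candidates = list(a_answers)
    for txt in txt_answers:
        chunks = re.findall(r'"([^"]*)"', txt)
        # Chunks of one TXT record concatenate with no separator.
        candidates.extend(("".join(chunks) if chunks else txt).split(","))
    valid, rejected = set(), []
    for item in (c.strip() for c in candidates):
        if not item:
            continue
        try:
            # Single addresses only: CIDR ranges, hostnames and junk are rejected.
            valid.add(str(ipaddress.ip_address(item)))
        except ValueError:
            rejected.append(item)
    return valid, rejected


def plan_allowlist_update(current, published):
    """Diff the firewall allowlist against the published set: (to_add, to_remove)."""
    if not published:
        # A failed or empty lookup must not wipe the allowlist and block callbacks.
        raise ValueError("no published IPs resolved; keeping current allowlist")
    return sorted(published - current), sorted(current - published)


if __name__ == "__main__":
    ips, rejected = parse_published_ips(A_ANSWERS, TXT_ANSWERS)
    to_add, to_remove = plan_allowlist_update(CURRENT_ALLOWLIST, ips)
    print("add:", to_add)
    print("remove:", to_remove)
    print("rejected entries:", rejected)
```

Run the reconciliation at an interval no longer than the TTL of the records, and review rejected entries before applying the change set.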
Dynamic Infrastructure and Auto-Scaling
pyck SaaS runs on Kubernetes with auto-scaling enabled:
Host Changes: Backend hosts may change frequently
Typical Frequency: Hosts can change every few minutes during normal operation
High Load: Under high load conditions, changes can occur as frequently as every 5 minutes
DNS TTL: Always respect the TTL values returned by pyck DNS servers
Recommendation: Do not cache DNS responses longer than the specified TTL
Inbound Traffic Requirements
For traffic from your network to pyck.cloud:
Domains: All communication uses pyck.cloud or subdomains (e.g., *.pyck.cloud)
Port 443 (HTTPS): Required for all API and application access
Port 80 (HTTP): Optional, only used for browser redirects to HTTPS
Outbound Traffic from pyck.cloud
When pyck needs to reach systems in your network:
Source IPs: Will originate from IPs listed at ips.pyck.cloud
Protocols: HTTPS, gRPC, WebSockets (all over port 443)
Firewall Rules: Whitelist all IPs from ips.pyck.cloud for inbound connections on port 443
Troubleshooting
Connection Timeouts
If you experience connection timeouts:
Verify load balancer timeout settings (should be 10+ minutes)
Check that WebSocket upgrades are not being blocked
Ensure HTTP/2 is enabled for gRPC traffic
IP Address Changes
If callbacks from pyck.cloud are being blocked:
Re-query ips.pyck.cloud to get the latest IP list
Verify your DNS cache respects TTL values
Check firewall logs for blocked connection attempts
Update whitelist rules with the current IP addresses
Protocol Issues
If specific features are not working:
Verify HTTP/2 support is enabled (required for gRPC)
Check that WebSocket protocol upgrades are allowed
Ensure TLS 1.2 or higher is supported
Confirm no middleboxes are blocking or modifying traffic
