Establishing a Trusted Connection Between Private Spaces and Salesforce
Last updated October 16, 2024
When using Heroku and Salesforce together, security posture may be improved with an exclusive trust relationship, preventing undesired traffic from the public internet. Using IP restrictions, exclusive trust may be established between Heroku Private Spaces and Salesforce. The two directions of traffic may be configured independently.
Requirements:
For Salesforce Hyperforce External IPs, see this document.
Salesforce → Heroku apps
Frequently, apps running on Heroku should be accessible only to Salesforce. A popular use case is a Heroku app that provides HTTP/REST query interfaces to custom Apex or Lightning components. If an API is not intended for public consumption, it is best to block public access.
Allow incoming Salesforce traffic
Set all Salesforce IP ranges as Trusted IP ranges for the Private Space. Reference the Salesforce IP Addresses & Domains knowledge article for a list of all CIDR blocks to trust.
This IP restriction is not specific to individual Salesforce orgs. It allows traffic from any Salesforce instance. IP restrictions cannot be used to limit access from a specific Salesforce instance, because of regular site switching and infrastructure maintenance.
Prevent public traffic
Remember to remove the default entry 0.0.0.0/0 from the Trusted IP ranges for the Private Space. This will block all traffic from the public internet that is not explicitly allowed.
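The two steps above amount to reconciling the space's Trusted IP list against the Salesforce CIDR blocks and making sure the catch-all entry is gone. The following added example (not part of this article or the Heroku CLI) computes that reconciliation and checks whether a source address would be admitted; the CIDR blocks are constructed placeholders, not real Salesforce ranges, and the `heroku trusted-ips:add` / `trusted-ips:remove --space` command form is assumed from the Heroku CLI.

```python
"""Reconcile a Private Space's Trusted IP ranges against a desired allowlist."""
import ipaddress

# Constructed sample values. Real ranges come from the Salesforce
# "IP Addresses & Domains" knowledge article; these are documentation prefixes.
SALESFORCE_RANGES = ["198.51.100.0/24", "203.0.113.0/25"]
# A space that still carries the default catch-all entry.
CURRENT_TRUSTED = ["0.0.0.0/0", "198.51.100.0/24"]


def plan_trusted_ips(current, desired):
    """Return (to_add, to_remove) so the space trusts exactly `desired`.

    Refuses any prefix of length 0 (0.0.0.0/0 or ::/0), since such an entry
    would silently re-open the space to the whole internet. ip_network() is
    strict, so a CIDR with host bits set (e.g. 198.51.100.5/24) also raises.
    """
    desired_nets = {ipaddress.ip_network(c) for c in desired}
    for net in desired_nets:
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all range {net} in trusted list")
    current_nets = {ipaddress.ip_network(c) for c in current}
    to_add = sorted(str(n) for n in desired_nets - current_nets)
    to_remove = sorted(str(n) for n in current_nets - desired_nets)
    return to_add, to_remove


def cli_commands(space, to_add, to_remove):
    """Render the CLI calls that apply the plan (command form is an assumption)."""
    return ([f"heroku trusted-ips:add {c} --space {space}" for c in to_add]
            + [f"heroku trusted-ips:remove {c} --space {space}" for c in to_remove])


def is_trusted(source_ip, trusted):
    """True if `source_ip` falls inside any CIDR of the trusted list."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in trusted)


if __name__ == "__main__":
    add, remove = plan_trusted_ips(CURRENT_TRUSTED, SALESFORCE_RANGES)
    for cmd in cli_commands("my-space", add, remove):  # "my-space" is a placeholder
        print(cmd)
```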
Heroku apps → Salesforce
By default, Salesforce allows login from anywhere on the public internet. Risk of malicious login activity can be minimized through IP address restrictions.
Limit direct user login
Set up Salesforce Login IP restrictions for the integration user.
Limit connected app (OAuth) access
Configure an IP Range for a connected app to block public access to the connected app’s OAuth provider.
All traffic from a Private Space egresses through its stable outbound IP addresses. The space’s list of addresses may be used for this restriction.
Best Practices for Hyperforce
Salesforce discourages IP allowlisting because Hyperforce runs in the cloud, and IPs are updated frequently in Hyperforce, outside of Salesforce’s control. Updating IPs can cause connection interruptions such as with Heroku Connect configurations. For best practices on connecting to Hyperforce, see Preferred Alternatives to IP Allowlisting on Hyperforce.
Combine with other techniques
IP restrictions are just one security tool, not a magic bullet. Layering more security strategies together will further decrease risks: SSL/TLS certificates, request authentication, and proactive penetration testing are all crucial to developing a trustworthy app.