Establishing a Trusted Connection Between Private Spaces and Salesforce

Last updated April 19, 2022

Table of Contents

  • Salesforce → Heroku apps
  • Heroku apps → Salesforce
  • Combine with other techniques

When using Heroku and Salesforce together, security posture may be improved with an exclusive trust relationship, preventing undesired traffic from the public internet. Using IP restrictions, exclusive trust may be established between Heroku Private Spaces and Salesforce. The two directions of traffic may be configured independently.

Requirements:

  • a Heroku Private Space
  • a Salesforce org not on Hyperforce

Salesforce no longer publishes IP addresses for Hyperforce customers. You can’t use Heroku’s Trusted IPs feature to allow incoming Salesforce traffic to your Heroku apps if you’re on Hyperforce.

Salesforce → Heroku apps

Frequently, apps running on Heroku should be accessible only to Salesforce. A popular use case is a Heroku app providing HTTP/REST query interfaces to custom Apex or Lightning components. If an API is not intended for public consumption, it is best to block public access.

Allow incoming Salesforce traffic

Set all Salesforce IP ranges as Trusted IP ranges for the Private Space. Reference the Salesforce IP Addresses & Domains knowledge article for a list of all CIDR blocks to trust.

This IP restriction is not specific to individual Salesforce orgs. It allows traffic from any Salesforce instance. IP restrictions cannot be used to limit access from a specific Salesforce instance, because of regular site switching and infrastructure maintenance.

Prevent public traffic

Remember to remove the default entry 0.0.0.0/0 from the Trusted IP ranges for the Private Space. This will block all traffic from the public internet that is not explicitly allowed.
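The two steps above can be checked together by comparing the space's Trusted IP ranges with the Salesforce CIDR list. This is an added example, not Heroku's or Salesforce's code: the function name `audit_trusted_ranges` is hypothetical, and the CIDR values are constructed placeholders from documentation address space, to be replaced with the blocks from the Salesforce knowledge article and the ranges configured on the space.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), NOT real Salesforce blocks.
SALESFORCE_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]
# Constructed sample of a space's Trusted IP ranges, with the default entry still present.
CONFIGURED = ["0.0.0.0/0", "192.0.2.0/24", "203.0.113.7/32"]


def _covered(net, candidates):
    """True if net lies entirely inside one of the candidate networks."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def audit_trusted_ranges(configured, salesforce_blocks):
    """Report how a Trusted IP range list deviates from 'Salesforce only'."""
    conf = [ipaddress.ip_network(c, strict=False) for c in configured]
    sf = [ipaddress.ip_network(c, strict=False) for c in salesforce_blocks]
    report = {"open_to_public": False, "unexpected": [], "missing": []}

    for net in conf:
        if net.prefixlen == 0:
            # 0.0.0.0/0 (or ::/0) trusts the whole internet.
            report["open_to_public"] = True
        elif not _covered(net, sf):
            # A trusted range that is not part of any Salesforce block.
            report["unexpected"].append(str(net))

    # Salesforce blocks not fully contained in a single configured range.
    # A block split across several smaller ranges is also reported here.
    restricted = [n for n in conf if n.prefixlen != 0]
    for block in sf:
        if not _covered(block, restricted):
            report["missing"].append(str(block))

    report["ok"] = not (
        report["open_to_public"] or report["unexpected"] or report["missing"]
    )
    return report


if __name__ == "__main__":
    print(audit_trusted_ranges(CONFIGURED, SALESFORCE_BLOCKS))
```

An `unexpected` entry is not necessarily a mistake, since a space may deliberately trust other sources, but each one should be accounted for.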

Heroku apps → Salesforce

By default, Salesforce allows login from anywhere on the public internet. Risk of malicious login activity can be minimized through IP address restrictions.

Limit direct user login

Set up Salesforce Login IP restrictions for the integration user.

Limit connected app (OAuth) access

Configure an IP Range for a connected app, to block public access to a connected app’s OAuth provider.

All traffic from a Private Space egresses through its stable outbound IP addresses. The space’s list of addresses may be used for this restriction.

Combine with other techniques

IP restrictions are just one security tool, not a magic bullet. Layering more security strategies together will further decrease risks: SSL/TLS certificates, request authentication, and proactive penetration testing are all crucial to developing a trustworthy app.
