Some organizations limit outbound communication to the Internet from internal resources for security purposes. This article discusses the Zuora IP address whitelist, new Zuora IP addresses, and how to test connectivity. See Full Certification Chain for more information on Zuora's full certification chain for Production and API Sandbox.
A whitelist is a list of your trusted inbound and outbound connections. If your firewalls whitelist outbound connections, you will need to add the Zuora IP addresses to your whitelist.
Inbound IP Addresses to Zuora
As part of our ongoing commitment to ensure the highest availability and optimal security of Zuora services, we leverage next-generation cloud technologies. Due to the dynamic nature of public cloud infrastructure, Zuora services are not hosted on a fixed set of IP addresses. If you need to whitelist Zuora traffic, we recommend you use DNS-based whitelisting for Zuora integrations.
IP Addresses to US Services Environments
DNS-based whitelisting is preferred because the registered service name will stay the same when the service expands to use more IP addresses.
Because Zuora's Service Environments are deployed on dynamic public cloud infrastructure, we discourage customers from implementing outbound whitelisting based on IP address restrictions. IP addresses are subject to change without advance notice as new server instances are created to handle the load.
Outbound IP Addresses from Zuora
When our application (from production or apisandbox) sends out an email or makes an outbound API call (for example, PayPal, Salesforce.com, or the callout/email notification feature), it comes from the following IP addresses.
- The US Cloud 1 environments are hosted in the US Cloud Data Center 1.
|US Cloud 1 Environment||IP Address|
- The US Cloud 2 environments are hosted in the US Cloud Data Center 2.
|US Environment||IP Address|
Production Copy Environment
Performance Test Environment
- The EU environments are hosted in the EU Cloud Data Center.
|EU Environment||IP Address|
This is important for payment gateways that IP-whitelist our traffic and for customers who have to configure inbound firewall rules to allow all HTTPS notification calls from Zuora. Usually, there is no impact on the ability of customers to receive emails from the Zuora application.
Inbound and Outbound IP Addresses for Collections, Workflow, Commerce, and Marketplace
If you want to receive emails, SFTP connection requests, or API calls from Zuora Collections, Zuora Workflow, Zuora Commerce, or Marketplace (formerly known as Connect), you need to add the following IP addresses to your whitelist:
- 126.96.36.199 (this IP address is for testing SFTP connections with bank servers)
Network Connectivity Tests
There are two tests required to validate connectivity:
|Network Connectivity Test||This test validates that application servers can communicate to TCP port 443 for all Zuora Akamai IP addresses listed above.|
|Certificate Verification Test||This test validates that the certificates were imported correctly and that customer applications can establish SSL connections based on the new EV SSL certificates.|
Test Network Connectivity
If you whitelist outbound communication, perform the following steps to verify that your systems can connect to all of the new Zuora servers.
Using a Windows or UNIX system, telnet to TCP port 443 on each IP address listed above.
If the telnet connection is successful to all IP addresses listed above, then connectivity has been verified.
If a connection cannot be established to any of the IP addresses listed above, then your network team must add those specific IP addresses to the whitelist.
Test the Certificate Import
- Identify the certificate store that your application uses.
- Use the appropriate tool for your environment (keytool, openssl, Windows Certificate Manager, etc.) and verify that the Root Certificate labeled “VeriSign Class 3 Public Primary Certification Authority - G5” exists in the store and is trusted.
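The two tests above can be scripted so they can be re-run whenever DNS returns new addresses. The following is an added example, not Zuora's own tooling: it resolves each name, tries TCP port 443 on every address returned, and then attempts a verified TLS handshake. The host name is a placeholder, and the handshake uses Python's default trust store, which is an assumption and may not be the certificate store your application uses.

```python
import socket
import ssl

def resolve_addresses(host, port=443):
    """All addresses DNS currently returns for host (IP literals pass through)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_open(address, port=443, timeout=5.0):
    """The telnet test: True if a TCP connection to address:port opens."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def connectivity_report(hosts, port=443, timeout=5.0):
    """Map each host to {address: reachable}; unresolvable hosts map to {}."""
    report = {}
    for host in hosts:
        try:
            addresses = resolve_addresses(host, port)
        except socket.gaierror:
            addresses = []
        report[host] = {a: tcp_open(a, port, timeout) for a in addresses}
    return report

def blocked(report):
    """(host, address) pairs the network team still has to allow."""
    return [(h, a) for h, res in report.items() for a, ok in res.items() if not ok]

def tls_chain_trusted(host, port=443, timeout=5.0):
    """Certificate test: True if the handshake verifies against the default trust store."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError and certificate errors are OSError subclasses
        return False

if __name__ == "__main__":
    # Placeholder name: substitute the Zuora endpoints your integration calls.
    hosts = ["zuora-endpoint.example"]
    for host, address in blocked(connectivity_report(hosts)):
        print(f"blocked: {host} {address}:443")
    for host in hosts:
        print(host, "TLS verified" if tls_chain_trusted(host) else "TLS not verified")
```

A host that maps to an empty dictionary in the report did not resolve at all, which points to a DNS problem rather than a firewall rule.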