Knowledge Center

Knowledge Center > RBM Solutions > Policies > Inbound and Outbound IP Addresses

Inbound and Outbound IP Addresses

Some organizations limit outbound communication to the Internet from internal resources for security purposes. This article discusses Zuora IP address whitelist, new Zuora IP addresses, and how to test connectivity. See Full Certification Chain for more information on Zuora's full certification chain for Production and API Sandbox.

Whitelist

A whitelist is a list of your trusted inbound and outbound connections. If your firewalls whitelist outbound connections, you will need to add the Zuora IP addresses to your whitelist.  

Inbound IP Addresses to Zuora

IP Addresses to US Zuora Production Environment

If you choose to whitelist based on IP addresses, you must include all of the IP addresses, otherwise, you may experience an outage.

The following IP addresses must be whitelisted from your network to access to the Zuora production environment. Servers that need to communicate with Zuora’s Production SOAP or REST APIs need to communicate with these systems on TCP port 443.

104.69.108.76/32
184.31.220.93/32
2.17.184.110/32
2.19.165.171/32
2.21.146.120/32
2.22.133.171/32
23.13.165.171/32
23.13.21.171/32
23.15.149.171/32
23.207.141.35/32
23.211.169.19/32
23.34.197.171/32
23.34.213.171/32
23.34.229.171/32
23.35.101.171/32
23.35.165.171/32
23.35.21.171/32
23.35.213.171/32
23.35.37.171/32
23.35.5.171/32
23.35.53.171/32
23.35.85.171/32
23.37.133.171/32
23.37.165.171/32
23.37.181.171/32
23.37.37.171/32

23.38.21.171/32
23.38.85.171/32
23.4.181.171/32
23.4.37.171/32
23.4.53.171/32
23.41.133.171/32
23.41.149.171/32
23.41.69.171/32
23.42.21.171/32
23.42.5.171/32
23.43.133.171/32
23.43.149.171/32
23.43.5.171/32
23.43.69.171/32
23.44.149.171/32
23.44.245.171/32
23.46.101.171/32
23.46.117.171/32
23.46.37.171/32
23.46.69.171/32
23.47.21.171/32
23.47.229.171/32
23.47.245.171/32
23.49.117.171/32
23.49.133.171/32
23.49.149.171/32
23.49.69.171/32
23.49.85.171/32
23.5.245.171/32
23.5.5.171/32
23.5.69.171/32
23.50.101.171/32
23.50.149.171/32
23.50.181.171/32
23.50.197.171/32
23.50.69.171/32
23.50.85.171/32
23.51.117.171/32
23.51.21.171/32
23.51.229.171/32
23.51.245.171/32
23.51.37.171/32
23.52.149.171/32
23.52.21.171/32
23.52.53.171/32
23.52.85.171/32
23.53.101.171/32
23.53.149.171/32
23.53.181.171/32
23.53.85.171/32
23.54.101.171/32
23.54.133.171/32
23.54.181.171/32
23.54.229.171/32
23.54.85.171/32
23.55.149.171/32
23.56.149.171/32
23.57.101.171/32
23.57.213.171/32
23.57.229.171/32
23.58.165.171/32
23.58.37.171/32
23.59.133.171/32
23.60.133.171/32
23.61.181.171/32
23.61.69.171/32
23.62.233.171/32
23.62.245.171/32
23.63.133.171/32
23.64.165.171/32
23.64.85.171/32
23.65.133.171/32
23.65.5.171/32
23.7.133.171/32
23.7.69.171/32
23.9.117.171/32
23.9.85.171/32

IP Addresses to US Zuora API Sandbox

The following IP addresses must be whitelisted from your network for access to the Zuora API Sandbox environment.  Servers that need to communicate with Zuora’s API Sandbox environment for SOAP or REST APIs need to communicate with these systems on TCP port 443.

104.67.28.69/32

184.85.190.226/32

23.222.172.69/32

69.192.126.226/32

104.68.188.69/32

2.16.128.69/32

23.223.76.69/32

69.192.30.226/32

104.76.92.69/32

2.16.30.69/32

23.3.190.226/32

69.192.46.226/32

104.78.76.69/32

2.18.142.226/32

23.3.247.102/32

69.192.66.181/32

104.81.246.69/32

2.19.62.226/32

23.32.12.69/32

69.192.94.226/32

104.82.76.69/32

2.21.145.68/32

23.38.116.69/32

72.246.167.133/32

104.83.76.69/32

2.21.206.226/32

23.40.12.69/32

72.246.48.69/32

104.83.82.69/32

2.22.110.226/32

23.42.76.69/32

84.53.167.133/32

104.83.92.69/32

2.22.220.69/32

23.45.222.226/32

88.221.179.133/32

104.91.156.74/32

2.23.78.226/32

23.46.2.69/32

92.122.131.133/32

104.94.102.69/32

202.43.62.226/32

23.48.78.226/32

92.122.238.226/32

104.98.240.109/32

23.0.172.69/32

23.5.124.69/32

92.122.78.226/32

118.214.110.226/32

23.0.230.69/32

23.50.99.77/32

92.123.158.226/32

118.214.142.226/32

23.0.236.69/32

23.51.12.69/32

92.123.166.226/32

118.214.254.226/32

23.0.30.226/32

23.51.156.69/32

92.123.170.226/32

118.214.46.226/32

23.1.188.69/32

23.54.12.69/32

92.123.174.226/32

118.214.78.226/32

23.1.62.226/32

23.57.206.226/32

92.123.178.226/32

118.215.102.226/32

23.10.12.69/32

23.57.254.226/32

92.123.202.226/32

118.215.118.226/32

23.10.60.69/32

23.57.94.226/32

92.123.206.226/32

118.215.126.226/32

23.12.236.69/32

23.58.110.226/32

92.123.210.226/32

118.215.14.226/32

23.13.158.226/32

23.58.179.133/32

92.123.214.226/32

118.215.150.226/32

23.13.44.69/32

23.58.30.226/32

92.123.254.226/32

118.215.158.226/32

23.14.44.69/32

23.58.90.69/32

95.100.126.226/32

118.215.38.226/32

23.15.110.226/32

23.59.14.226/32

95.100.14.226/32

118.215.62.226/32

23.15.132.69/32

23.60.126.226/32

95.100.206.226/32

118.215.70.226/32

23.15.222.226/32

23.61.174.226/32

95.100.238.226/32

118.215.78.226/32

23.194.220.69/32

23.61.62.226/32

95.100.30.226/32

118.215.86.226/32

23.194.232.73/32

23.63.126.226/32

95.101.211.133/32

118.215.94.226/32

23.197.60.69/32

23.63.14.226/32

96.16.198.226/32

173.222.30.226/32

23.198.104.69/32

23.63.150.69/32

96.16.22.226/32

173.223.78.226/32

23.198.106.69/32

23.64.142.69/32

96.16.246.226/32

173.223.92.69/32

23.204.100.69/32

23.64.158.226/32

96.16.254.226/32

184.24.254.226/32

23.206.76.69/32

23.64.254.226/32

96.17.222.226/32

184.25.78.226/32

23.207.144.11/32

23.64.78.226/32

96.17.238.226/32

184.29.126.226/32

23.211.136.148/32

23.65.200.69/32

96.17.254.226/32

184.50.190.226/32

23.212.102.69/32

23.65.216.69/32

96.17.30.226/32

184.50.222.226/32

23.214.72.69/32

23.66.152.69/32

96.17.35.133/32

184.84.110.226/32

23.215.140.69/32

23.66.40.69/32

96.17.94.226/32

184.84.46.226/32

23.221.20.69/32

23.75.218.69/32

96.6.238.226/32

IP Addresses to US Services Environments

DNS based whitelisting is preferred because the registered service name will stay the same when the service expands to use more IP addresses. 

Please be advised that due to the dynamic nature of public cloud infrastructure that Zuora's Service Environments are deployed on we discourage our customers from implementing outbound whitelisting capability based on IP address restrictions.  IP addresses are subject to change without advance notice as new server instances are created to handle load.

Outbound IP Addresses from Zuora

When our application (from production or apisandbox) sends out an email or makes an outbound API call (for example, Paypal, Salesforce.com, or the callout/email notification feature), it comes from the following IP addresses.

US Environment IP Address

Production

64.79.155.192 (mapped to zgateway.zuora.com)
207.218.90.0/24 (fail-over IP)

Sandbox

64.79.155.192 (mapped to zgateway.zuora.com)
64.79.155.193

Performance Test Environment

207.218.90.81
207.218.90.121

Outgoing Public

207.218.90.192

 

EU Environment IP Address
Production

35.156.85.164
35.158.4.224
35.158.5.48
35.157.188.111
52.28.148.125
52.28.205.34
52.29.201.183
52.57.34.185
52.58.92.91
52.58.160.52

Sandbox

35.156.172.83
35.157.94.91
35.157.220.207
35.158.2.118
52.28.148.125
52.28.205.34
52.29.186.45
52.29.201.183
52.57.34.185
52.59.5.76

 

It is important to Payment Gateways which IP Whitelist our traffic or customers who have to configure inbound firewall rules to all HTTPS notification calls from Zuora. Usually, there is no impact on the ability of customers to receive emails from Zuora application.

Network Connectivity Tests

There two tests required to validate connectivity:

Test Description
Network Connectivity Test This test validates that application servers can communicate to TCP port 443 for all Zuora Akamai IP addresses listed above.
Certificate Verification Test This test validates that the certificates were imported correctly and customer application’s can establish SSL connections based on the new EV SSL certificates.

Test Network Connectivity

If you whitelist outbound communication, perform the following steps to verify that your systems can connect to all of the new Zuora servers.

  1. Using a Windows or UNIX system, telnet to TCP port 443 on each IP address listed above.

  2. If the telnet connection is successful to all IP addresses listed above, then connectivity has been verified.  

  3. If a connection cannot be established to any of the IP addresses listed above, then your network team must add those specific IP addresses to the whitelist.

Test the Certificate Import

  1. Identify the certificate store that your application uses.
  2. Use the appropriate tool for your environment (keytool, openssl, Windows Certificate Manager, etc) and verify that the Root Certificate labeled “VeriSign Class 3 Public Primary Certification Authority - G5” exists in the store and is trusted.

Last modified
17:34, 19 Sep 2017

Tags

Classifications

(not set)