Inbound and Outbound IP Addresses

Some organizations limit outbound communication to the Internet from internal resources for security purposes. This article discusses the Zuora IP address whitelist, new Zuora IP addresses, and how to test connectivity. See Full Certification Chain for more information on Zuora's full certification chain for Production and API Sandbox.

Whitelist

A whitelist is a list of your trusted inbound and outbound connections. If your firewalls whitelist outbound connections, you will need to add the Zuora IP addresses to your whitelist.  

Inbound IP Addresses to Zuora

As part of our ongoing commitment to ensure the highest availability and optimal security of Zuora services, we leverage next-generation cloud technologies. Due to the dynamic nature of public cloud infrastructure, Zuora services are not hosted on a fixed set of IP addresses. If you need to whitelist Zuora traffic, we recommend you use DNS-based whitelisting for Zuora integrations.

IP Addresses to US Services Environments

DNS-based whitelisting is preferred because the registered service name will stay the same when the service expands to use more IP addresses.

Because Zuora's Service Environments are deployed on public cloud infrastructure, which is dynamic by nature, we discourage our customers from implementing outbound whitelisting based on IP address restrictions. IP addresses are subject to change without advance notice as new server instances are created to handle the load.
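The following added example (not Zuora's code) shows the drift the paragraphs above warn about: it compares the addresses a service name currently resolves to against a static IP allowlist and reports the ones the allowlist would block. The hostname `service.example.com`, the stub resolver, and the allowlist entries are constructed placeholders from documentation ranges.

```python
import ipaddress
import socket


def resolve(hostname, port=443):
    """Return the sorted, de-duplicated addresses a service name resolves to."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def parse_allowlist(entries):
    """Accept single addresses and CIDR ranges; a bare address becomes /32 or /128."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def uncovered(addresses, allowlist):
    """Return the addresses that no allowlist entry covers."""
    nets = parse_allowlist(allowlist)
    missing = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip.version == n.version and ip in n for n in nets):
            missing.append(addr)
    return missing


def drift(hostname, allowlist, resolver=resolve):
    """Addresses currently behind `hostname` that a static allowlist would block."""
    return uncovered(resolver(hostname), allowlist)


if __name__ == "__main__":
    # Constructed sample data (documentation ranges), not Zuora addresses.
    allowlist = ["192.0.2.0/24", "203.0.113.5"]
    # Stub resolver so the demo runs offline; drop it to use real DNS.
    fake_dns = lambda _host: ["192.0.2.10", "198.51.100.7"]
    for addr in drift("service.example.com", allowlist, resolver=fake_dns):
        print(f"not covered by allowlist: {addr}")
```

Run on a schedule with the real resolver, a non-empty result means the firewall rule set has fallen behind the service name.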

Outbound IP Addresses from Zuora

When our application (from production or apisandbox) sends out an email or makes an outbound API call (for example, PayPal, Salesforce.com, or the callout/email notification feature), it comes from the following IP addresses.

US Environment IP Address

Production

The following IP addresses are effective from November 13, 2021. For more information, see System maintenance.

API Sandbox

Production Copy Environment

54.201.65.13

Performance Test Environment

EU Environment IP Address

Production

API Sandbox

Central Sandbox

US Cloud Environment IP Address

Production

API Sandbox

Central Sandbox

This is important to payment gateways that IP-whitelist our traffic or customers who have to configure inbound firewall rules to allow HTTPS notification calls from Zuora. Usually, there is no impact on the ability of customers to receive emails from the Zuora application.

Inbound and Outbound IP Addresses for Collections, Workflow, Commerce, and Marketplace 

If you want to receive emails, SFTP connection requests, or API calls from Zuora Collections, Zuora Workflow, Zuora Commerce, or Marketplace (formerly known as Connect), you need to add the following IP addresses to your whitelist: 

  • 4.71.24.46 (this IP address is for testing SFTP connections with bank servers)

Network Connectivity Tests

There are two tests required to validate connectivity:

Test | Description
Network Connectivity Test | This test validates that application servers can communicate to TCP port 443 for all Zuora Akamai IP addresses listed above.
Certificate Verification Test | This test validates that the certificates were imported correctly and customer applications can establish SSL connections based on the new EV SSL certificates.

Test Network Connectivity

If you whitelist outbound communication, perform the following steps to verify that your systems can connect to all of the new Zuora servers.

  1. Using a Windows or UNIX system, telnet to TCP port 443 on each IP address listed above.

  2. If the telnet connection is successful to all IP addresses listed above, then connectivity has been verified.  

  3. If a connection cannot be established to any of the IP addresses listed above, then your network team must add those specific IP addresses to the whitelist.
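The telnet check in the steps above can be automated. This added example (not from Zuora) attempts a TCP handshake to port 443 on each target and separates timeouts, which usually mean a firewall silently dropped the packet, from refusals; targets are passed on the command line, and the `127.0.0.1` default is a constructed placeholder.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def check_endpoint(host, port=443, timeout=5.0):
    """Attempt a TCP handshake, as `telnet host 443` would; return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (packet likely dropped by a firewall)"
    except ConnectionRefusedError:
        return False, "refused (host reachable, port closed or rejected)"
    except OSError as exc:
        return False, f"error: {exc}"


def check_all(targets, port=443, timeout=5.0, workers=16):
    """Check every target concurrently; return {host: (ok, detail)}."""
    targets = list(targets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: check_endpoint(h, port, timeout), targets)
        return dict(zip(targets, results))


def blocked(results):
    """Hosts the network team still has to add to the outbound whitelist."""
    return sorted(host for host, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    # Pass the addresses to test as arguments; the default is a placeholder.
    hosts = sys.argv[1:] or ["127.0.0.1"]
    report = check_all(hosts)
    for host, (ok, detail) in report.items():
        print(f"{host:40} {'OK' if ok else 'FAIL'}  {detail}")
    sys.exit(1 if blocked(report) else 0)
```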

Test the Certificate Import

  1. Identify the certificate store that your application uses.
  2. Use the appropriate tool for your environment (keytool, openssl, Windows Certificate Manager, etc.) and verify that the Root Certificate labeled “VeriSign Class 3 Public Primary Certification Authority - G5” exists in the store and is trusted.