Routing and Policies - Salesforce Edge Network Control
To improve global connectivity and security, enable the Salesforce Edge Network by configuring the "Route My Domain through Salesforce Edge Network" setting within the My Domain setup.
Control Name
Salesforce Edge Network
Recommended Configuration
Setup > My Domain > Routing & Policies > Use Salesforce Edge Network: Selected, with Routing Method set to Global or Regional (depending on the use case).
Control Overview
To improve global connectivity and security, enable the Salesforce Edge Network by configuring the "Route My Domain through Salesforce Edge Network" setting within the My Domain setup. This control makes sure that user requests are intelligently routed to the nearest Salesforce point of presence, reducing latency through edge-side TLS termination and static content caching. Traffic stays on trusted Salesforce infrastructure, which manages Distributed Denial of Service (DDoS) attacks by using a built-in Web Application Firewall (WAF).
Security Risk If Not Configured
Without Salesforce Edge Network enabled, all traffic must travel to a centralized data center for TLS termination and processing, significantly increasing latency and the risk of session timeouts or connection failures for global users. This delay in secure handshake processing leaves the company without the modern, edge-based network optimizations that provide enhanced resilience against performance-driven security bottlenecks.
Threat Scenarios
A malicious actor targets users in remote geographical regions with a man-in-the-middle or session-hijacking attack during the extended latency periods caused by long-distance data center routing. Because the connection lacks the rapid, edge-based TLS termination provided by the Salesforce Edge Network, the increased "time-to-first-byte" and prolonged handshake duration create a larger window of opportunity for attackers to intercept or disrupt sensitive user traffic.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
Risk depends on the data within the org's instances.
Higher Risk When
Access to the org is not restricted to trusted networks by using Trusted IP Ranges or Login IP Ranges.
Low or No Risk When
Login IP Ranges or Trusted IP Ranges are enforced: enforcing Login IP Ranges at the Profile level or Trusted IP Ranges at the Network Setup makes sure that access is from a trusted network.
Business and Integration Considerations
When you enable Salesforce Edge Network, most of your My Domain URLs are routed through it. However, note these exceptions:
- URLs that contain your Salesforce instance name. See which My Domain URLs contain your instance name in My Domain URL Formats.
- URLs associated with custom domains, such as https://www.example.com, that serve your org’s Salesforce Sites or Experience Cloud sites and don’t use the HTTPS option: Serve the domain with your HTTPS certificate on Salesforce servers.
- Salesforce Sites and Experience Cloud sites with domains ending in .force.com
- URLs associated with Customer 360 Data Manager that end with .admin.salesforce-hub.com and .my.salesforce-hub.com
- URLs associated with Live Agent Chat that end with .my.salesforcescrt.com or .my.salesforce-scrt.com
- URLs associated with untrusted content domains
- URLs associated with orgs in Government Isolated Architecture (GIA) data centers
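To see which of an org's endpoints fall under the suffix-based exceptions above, an inventory of URLs can be checked by hostname. The following is an added example, not Salesforce code; the function names and the sample inventory (org name "acme") are made up for illustration. Exceptions that cannot be decided from the hostname suffix alone (instance-name URLs, custom domains, untrusted content domains, GIA orgs) are returned for manual review.

```python
from urllib.parse import urlsplit

# Hostname suffixes the list above names as NOT routed through Salesforce Edge Network.
EXCEPTION_SUFFIXES = {
    ".force.com": "Salesforce Sites / Experience Cloud site domain",
    ".admin.salesforce-hub.com": "Customer 360 Data Manager",
    ".my.salesforce-hub.com": "Customer 360 Data Manager",
    ".my.salesforcescrt.com": "Live Agent Chat",
    ".my.salesforce-scrt.com": "Live Agent Chat",
}

def hostname_of(url):
    """Return the lowercased hostname of a URL or bare host, without port or trailing dot."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")

def edge_exception(url):
    """Return the exception reason if the host matches a listed suffix, else None."""
    host = hostname_of(url)
    # Suffixes start with a dot, so "salesforce.com" does not match ".force.com".
    for suffix, reason in EXCEPTION_SUFFIXES.items():
        if host.endswith(suffix):
            return reason
    return None

def classify(urls):
    """Split an endpoint inventory into suffix exceptions and URLs needing manual review."""
    excepted, review = {}, []
    for url in urls:
        reason = edge_exception(url)
        if reason:
            excepted[url] = reason
        else:
            review.append(url)
    return excepted, review

# Constructed inventory for illustration only.
INVENTORY = [
    "https://acme.my.salesforce.com/services/data",
    "https://ACME.my.salesforce-scrt.com:443/chat",
    "https://acme.force.com/portal",
    "https://acme.my.salesforce-hub.com.",
    "https://www.example.com/",
    "https://salesforce.com/",
]

if __name__ == "__main__":
    excepted, review = classify(INVENTORY)
    for url, reason in excepted.items():
        print(f"NOT via Edge  {url}  ({reason})")
    for url in review:
        print(f"REVIEW        {url}")
```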
Recommended Remediation
Enable Salesforce CDN.
Security Health Review Guidance
Security Health Review identifies whether Salesforce Edge has been configured to help customers secure traffic to their orgs. Salesforce Edge routes user traffic to the closest and most optimal Salesforce data center based on real-time network conditions, improving performance and responsiveness. It also protects Salesforce orgs from Distributed Denial of Service (DDoS) attacks by using a built-in Web Application Firewall (WAF).

