Common questions on API connectivity to Salesforce

1. What would be the actual SOAP endpoints? (e.g How many different endpoints, domain name and URLs) 

There are two types of Salesforce WSDL call endpoints, namely: 

• '/c' for enterprise endpoint, 

• '/u' for partner endpoint,

The WSDL document that you specify might contain a SOAP endpoint location that references an outbound port. 
For security reasons, Salesforce restricts the outbound ports you may specify to one of the following: 
80: This port only accepts HTTP connections. 
443: This port only accepts HTTPS connections
1024–66535 (inclusive): These ports accept HTTP or HTTPS connections. 

For more information on best practices please refer, Updating Hard-Coded References

2. Does the Salesforce.com domain name resolve to a single IP address or the whole range of IP addresses you have provided? How often does this range change?

The domain name resolves to the entire IP range. There is no specific time defined on when this range will change. The change will mostly occur when a new data center is added or an older data center is removed. Salesforce will communicate these changes in release notes or emails to org administrators.

3. Why does Salesforce recommend allowlisting the entire IP range? Can we allowlist just one IP address?

Due to the multi-tenant nature of Salesforce, we cannot guarantee that all API connections will occur from a single IP. In a disaster recovery or failover situation, the IP address will change. allowlisting a single IP address can expose your company to a longer downtime.