Request a Firewall Rule to Allow Outgoing Connections to Third Party Services for B2C Commerce

1. Customer confirms whether a new firewall rule is needed.
2. If a new firewall rule is needed, the customer should open a Support Case and include the IP:Port combination/s.
3. B2C Commerce adds the new firewall rule and confirms this in the Support case.
4. Once the customer validates these changes, the case can be prepared for closure.

Is there a limit to the number of IP:Port pairings B2C Commerce will open for a particular external integrations?
Per standard security best practices, firewall rules should be restrictive as possible; therefore, B2C Commerce recommends a limit of five IP:Port pairs for any one realm. B2C Commerce policy will allow customer realms to have a maximum of up to ten IP:Port pairs if there is a particular need. This means that a request to open an entire C class network -- for example, "Please open 132.30.40.0/24 for port 99999" -- would be denied. Any request for more than ten IP:Port pairs per realm will require an approved Security Assessment.

Can B2C Commerce copy firewall rules from one realm to another?
For PODs greater than POD45, we are now able to acquire the list of firewall rules per customer.  For any pod less than POD45, an exact list of IPs and ports needs to be provided. 

Can Firewall Rules use Domains instead of IPs?
Firewall rules must only use IP addresses and not domains. When firewall rules get added they use an explicit IP:port pairing, so replacing a domain for an IP would not be accepted.

What is the difference between Outbound and Inbound connections?
Outbound means you initiate the connection and the traffic starts flowing outward of your computer to the destination you intended, such as a server.  Inbound means someone else from outside of your computer initiates the connection to your computer so the traffic starts flowing inward to your machine, such as a server gets requests from people.  This doesn't mean the actual dataflow. Inbound doesn't mean always inward traffic and outward doesn't mean always outward traffic because ports like TCP need both directions in order to establish the connection.

How do I request Firewall Rules for an On-Demand Sandbox?
We do not currently firewall outgoing traffic but you might need to allowlist On-Demand Sandbox IP addresses on other systems or firewalls to communicate with On-Demand Sandboxes. For more information refer to  Allowlist On-Demand Sandbox IP Addresses.

​​​​​​How do I allowlist for an On-Demand Sandbox?
We do not restrict On-Demand Sandbox outbound data. If your receiving systems reside within the same VPN or an unrestricted network, allowlisting the On-Demand Sandbox IP addresses is unnecessary. For details, see the following documentation: Allowlist On-Demand Sandbox IP Addresses

Are there any IP addresses or Ports we can't request allowlisting for?
Requests for allowlisting to reserved IP addresses will be denied. This includes, but is not limited to, the following IP address ranges, which are reserved for private networks. They are not publicly accessible from outside of the internal network they're on.

All ports between 1024 and 65,536 (well known ports) are eligible for requesting policy on the Firewall permitting outgoing connections. Ports below 1024 cannot be opened, with the exception of port 21.