Loading

Preferred Alternatives to IP Allowlisting on Hyperforce

Publiceringsdatum: Apr 22, 2026
Beskrivning

At Salesforce, Trust is our #1 value. We understand that our customers need to be confident that they are communicating with Salesforce in a secure environment. Since Hyperforce runs in the cloud, and cloud infrastructure is ephemeral by nature, IP addresses are subject to regular change. If you're using Hyperforce, maintaining IP allowlists can be time-consuming because cloud infrastructure changes frequently. Below are more reliable alternatives.

Customers who use IP allowlists must allow all of the official Hyperforce IP ranges, which can be found in JSON format at the URL https://ip-ranges.salesforce.com/ip-ranges.json. For a full explanation and best practices, read Hyperforce IPs to Allow - Sales, Service, Industries, and Tableau Clouds.

Included Services

The JSON list includes IPs for inbound connections to Hyperforce from external sources, including some for Salesforce Edge, as well as IPs for outbound connections from Hyperforce to the customer’s network. These addresses are for products built on the Salesforce platform including Sales, Service, Industries, and Tableau Clouds, and for the MuleSoft Anypoint Platform.

Excluded Services

The JSON list excludes IP addresses for these services: Email, Marketing Cloud, Commerce Cloud, and Slack. 

If you are a Government Cloud Plus customer, see IP Addresses to Allow for Government Cloud Plus.

Lösning

These best practices are the supported means of securing connectivity for Hyperforce.

Bi-Directional connection protection

For connections from the customer network to Salesforce


Read further for detailed explanations of the benefits of each of these practices.

Bi-Directional Connection Protection

Implement Mutual TLS (mTLS)

Transport Layer Security (TLS) is an encryption-based connection protocol that establishes secure links from a client to a server. Mutual TLS (mTLS) goes a step further, and also establishes secure links from the server to the client. By validating the certificates of both entities before establishing a connection, mTLS provides enhanced security. Customers who implement mTLS can be absolutely sure that they are connecting to Salesforce, and vice versa.  mTLS can be used as an alternative to, or in combination with domain- and IP-based allowlisting. 

Resources

 

Use Salesforce Private Connect

Customers who want to avoid using the public internet for communication between Salesforce and their Amazon Web Services (AWS) instance have the option to purchase Salesforce Private Connect. Salesforce Private Connect is a networking service that provides customers with a fully-managed, bi-directional, private connection between their Salesforce org and their AWS account. Customers can easily connect their Salesforce org to resources in their Virtual Private Clouds (VPCs) running on AWS by using Amazon’s PrivateLink, for more secure API integrations. All traffic is routed over a dedicated connection without any traffic or customer VPCs ever being exposed to the public internet.

Private Connect is more secure than IP allowlisting because it guarantees that only Salesforce is calling into the customer’s endpoint. A common analogy for understanding Private Connect is to consider a telephone vs. a walkie-talkie. Anyone can call a telephone, so preventing spam calls requires constant attention and adjustment to allowed and blocked callers. This strategy is similar to maintaining an IP allowlist. With a walkie-talkie, the 2 handsets have a dedicated connection, so there are no lists to manage. Private Connect is similar to using a walkie-talkie, where only a specific caller, identified by an unchanging AWS ID called an Amazon Resource Name (ARN), is allowed to connect.

Private Connect is available for Sales Cloud, Service Cloud, CRM Analytics, and Data Cloud.

Resources

 

Connecting From the Customer Network to Salesforce

 

Allowlist Domains

Domain allowlisting isn’t supported for connections originating from Salesforce and going into the customer’s network. 

For connections from the customer's network into Salesforce, instead of allowlisting IPs, customers can allowlist Salesforce domain names such as *.force.com. Domain name allowlisting is generally easy to implement, and domain names rarely change.

Resources


Use Service Name Indication (SNI)

Service Name Indication extends the Transport Layer Security (TLS) protocol by allowing a client or browser to specify the hostname to which it wants to connect. This is important because a server might present multiple certificates on the same IP address. A common analogy for understanding SNI is sending a package to someone who lives in an apartment building. TLS guarantees that the package is sent to the right address, and SNI guarantees that the package is sent to the right apartment at that address.

In Hyperforce, each Salesforce domain has a separate HTTPS certificate. In the absences of SNI, Hyperforce returns a default certificate that supports all *.my.salesforce.com and *.sandbox.my.salesforce.com domains, but to address any other domains, web browsers and API callers must specify the desired domain by including SNI in their ClientHello message. Even when addressing default domains, sending SNI is recommended. (Read more in Resolve HTTPS/SSL connection errors in Hyperforce with SNI.)

To establish secure connections from the customer’s network into Hyperforce, we recommend that customers investigate whether their network infrastructure supports SNI header inspection. By inspecting the SNI header, the customer can ensure that they direct traffic into their own Salesforce environment.

SNI provides the following benefits

  • Accuracy: Guarantees that all traffic is routed to the correct destination
  • Simplicity: Customers add an extension to a common protocol
  • Scalability: Expands the number of connections a customer can make, especially if they use IPv4
  • Security: Connections are based on TLS, which is more secure than IP allowlists.


Resources

 

Use an Authentication Provider (Optional)

For customers who want to use an authentication provider such as Github or Okta to access their Salesforce environment, Salesforce will manage the authentication app for them.

This option provides customers with choice and control over their authentication process, but is not a Salesforce requirement.

Resources

 

 Use Connected Apps

If you need to access Salesforce from external Applications, use Connected Apps. The connected app framework enables external applications to integrate with Salesforce using APIs and standard protocols, such as Security Assertion Markup Language (SAML), OAuth, and OpenID Connect. Connected apps use these protocols to authorize, authenticate, and provides single sign-on (SSO) for external apps. Connected apps can securely access data with API integration, integrate service providers with Salesforce, provide authorization for external API gateways, and manage access to 3rd party apps.
 

Resources


See Also

Ytterligare resurser

 

Knowledge-artikelnummer

000394078

 
Laddar
Salesforce Help | Article