Realm Security Rules for eCDN Zones
Realm Security Rules let you define Managed IP Address Lists and Custom Firewall Rules that control how trusted IP traffic is handled across your eCDN zones. These rules replace the legacy Trusted IP configuration.
Overview
Realm Security Rules provide two components that work together to manage trusted IP traffic:
- Managed IP Address Lists: Named lists of IP addresses or CIDR ranges. You can scope a list to your entire realm (account level) or to a single zone (zone level). See Create and Manage Trusted IP Address Lists.
- Custom Firewall Rules: Rules that reference your IP address lists and define a skip action, so traffic from trusted IPs bypasses selected security checks. See Create a Custom Firewall Rule for an eCDN Zone.
Accessing Realm Security Rules
To open the Realm Security Rules tab:
- In Business Manager, click the App Launcher, and then select .
- Locate the zone you want to configure and select Configure Zone from the dropdown menu.
- Select the Security Rules tab.
- Select the Realm Security Rules sub-tab.
Figure: Realm Security Rules tab — account level
Figure: Custom Firewall Rule — skip action detail
Account-Level vs. Zone-Level Scope
Managed IP Address Lists and their associated Custom Firewall Rules can be scoped at two levels:
| Scope | Where it applies | Eligible zone types |
|---|---|---|
| Account (Realm) | Applies to all eligible zones in your realm, including development, staging, production, and sandbox instances. | Proxy, Legacy, Default Domain zones |
| Zone | Applies only to the specific zone you are configuring. Two zones in the same realm can have independent zone-level lists with the same name without conflict. | Proxy, Legacy, Default Domain zones |
Figure: Realm Security Rules tab — zone level
Figure: Zone Security Rules tab
Behavior: What Traffic Is Bypassed
When traffic originates from an IP address in a trusted list and matches a skip rule, the following security checks are bypassed:
- Custom firewall rules
- WAF managed rules
- Rate limiting rules
In addition, DDoS Layer 7 protections are automatically adjusted for accounts that have account-level trusted IP lists configured. This prevents false-positive challenges on legitimate high-volume traffic from trusted sources. No additional configuration is required for DDoS adjustments. For details on the specific managed rules that are overridden, see DDoS Layer 7 Override Details.
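Because a trusted entry skips custom firewall rules, WAF managed rules, and rate limiting, it helps to review lists before saving them. The following is an added example, not Salesforce code or an eCDN API: a local Python helper that models the account-level and zone-level scope described above and flags very broad CIDR entries. It assumes every list is referenced by a skip rule at the same scope; the zone names, list names, entries, and prefix thresholds are constructed for illustration.

```python
import ipaddress

# Constructed sample: a hand-typed local copy of Managed IP Address Lists.
# zone=None marks an account (realm) level list; otherwise the list is zone level.
LISTS = [
    {"name": "office",   "zone": None,              "entries": ["203.0.113.0/24"]},
    {"name": "partners", "zone": "www.example.com", "entries": ["198.51.100.7", "2001:db8:10::/48"]},
    {"name": "partners", "zone": "stg.example.com", "entries": ["100.64.0.0/10"]},
]

def applicable(lists, zone):
    """Account-level lists apply to every zone; zone-level lists only to their own zone."""
    return [l for l in lists if l["zone"] is None or l["zone"] == zone]

def trusted_matches(lists, zone, source_ip):
    """Return (scope, list name, entry) for each entry that treats source_ip as trusted."""
    ip = ipaddress.ip_address(source_ip)
    hits = []
    for l in applicable(lists, zone):
        scope = "account" if l["zone"] is None else "zone"
        for entry in l["entries"]:
            net = ipaddress.ip_network(entry, strict=False)
            if ip.version == net.version and ip in net:
                hits.append((scope, l["name"], entry))
    return hits

def broad_entries(lists, min_v4=16, min_v6=32):
    """Flag entries with a prefix shorter than the review threshold (assumed values)."""
    flagged = []
    for l in lists:
        for entry in l["entries"]:
            net = ipaddress.ip_network(entry, strict=False)
            limit = min_v4 if net.version == 4 else min_v6
            if net.prefixlen < limit:
                flagged.append((l["zone"] or "account", l["name"], entry, net.num_addresses))
    return flagged

if __name__ == "__main__":
    for zone in ("www.example.com", "stg.example.com"):
        for ip in ("203.0.113.9", "100.70.1.1", "2001:db8:10::5"):
            print(zone, ip, trusted_matches(LISTS, zone, ip) or "not trusted")
    print("review:", broad_entries(LISTS))
```

The two zone-level lists named `partners` are evaluated independently, so an address trusted in one zone is not trusted in the other unless an account-level list also covers it.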
Permissions
| Action | Required Role |
|---|---|
| View Realm Security Rules and Lists (any instance) | eCDN Admin or eCDN Viewer |
| Create, edit, or delete Rules and Lists | eCDN Admin (Production instance only) |
On non-production instances (staging, development, sandbox), the Realm Security Rules tab is read-only. A blue information banner indicates: "Realm-level configuration is read-only on this instance. Use the Production instance to make changes."
On Production, an amber warning banner indicates: "Account-level changes affect all zones (development, staging, and production)."
- Create and Manage Trusted IP Address Lists
  Create named lists of trusted IP addresses or CIDR ranges to use with Custom Firewall Rules that bypass security checks for trusted traffic.
- About the Trusted IP Migration to web application firewall (WAF) Custom Rules
  Learn how Salesforce automatically migrates your legacy Trusted IP configurations to WAF Custom Rules and Managed IP Address Lists, and how to verify your migrated configuration.

