Happy Business Starts Here

End of Support for Zuora Firewall IP Whitelist

Community Manager

As part of our ongoing commitment to ensure the highest availability and optimal security of our services we are making some updates to the way our services are made available. For any new integration, Zuora will no longer support static IP addresses for customers to whitelist. For existing integrations, this change will take effect on below listed dates.  This change is being made after thorough assessment of evolving security risks and will allow us to take full advantage of latest cloud technologies to provide greater availability and resiliency for you as our customer.

 

Sandbox and PT1: 16 January, 2019

(Impacted endpoints: apisandbox.zuora.com, apisandboxstatic.zuora.com, rest.apisandbox.zuora.com, apisandbox-api.zuora.com, rest.pt1.zuora.com, and pt1.zuora.com

 

Production: 16 February, 2019

(Impacted endpoints: www.zuora.com, rest.zuora.com, api.zuora.com, and static.zuora.com, gateway.prod.auw2.zuora.com)

 

 

Actions you need to take:

If you use IP whitelisting to connect Zuora services, please remove IP whitelists to lift any restriction on IP addresses to connect to Zuora services.

 

Other actions you can take for secure integration:
If egress traffic filtering is a key security control for you, one or multiple of the below traffic filtering approaches can be used as alternative.

  • Domain name based filtering: You may use domain name based filtering to whitelist *.zuora.com
  • Access Control List using Proxy: You may use forward proxy and restrict proxy to allow only *.zuora.com domain.
  • Tenant IP Access Control List: Use IP Whitelisting within your tenant configuration to restrict access from origin IP addresses authorized by you.

How Zuora ensures security of your integration:

  • Encryption in transit: Zuora ensures latest and secure TLS protocols are used to encrypt all traffic to Zuora in transit.
  • Authentication: Zuora enforces strong authentication for all APIs used during integration.
  • Threat Detection: Zuora uses multiple state-of-the-art security tools to detect and mitigate any threat to Zuora services and customer data round the clock.
7 Comments
Tutor

Hello Bibek,

 

Does it affect outbound (from Zuora) connections too or inbound (to Zuora) only? I.e. will Zuora make outbound API calls from the predefined IP list still?

Community Manager

That is correct @dmitry. No change with respect to outbound IP addresses Zuora use for callouts. 

Valued Scholar

Hello Bibek,

 

Does this announcement mean that the following functions can not be used anymore?
Administration > Manage User Roles > Allowable Login IP Address Ranges

Community Manager

@kimura-tomohiro - You can continue to use IP Access List within Zuora product. This feature is a good way to secure access to your tenant. With respect to this announcement, we are only lifting IP address limitations, Zuora services use or resolve to. 

Community Manager

We are delaying implementation of this change for existing integrations. Zuora will no longer support static IP addresses to whitelist for any new integration. We will soon update this article with schedule when this feature will be removed for existing integrations. However if you have already removed IP restrictions for traffic to Zuora, you are all set and will not be impacted by this change. 

Community Manager

Hello Everyone,

 

We have updated the original post with the deployment schedule for this change: 

 

Sandbox and PT1: 19 December, 2018

(Impacted endpoints: apisandbox.zuora.com, apisandboxstatic.zuora.com, rest.apisandbox.zuora.com, apisandbox-api.zuora.com, rest.pt1.zuora.com, and pt1.zuora.com

 

Production: 19 January, 2019

(Impacted endpoints: www.zuora.com, rest.zuora.com, api.zuora.com, and static.zuora.com, gateway.prod.auw2.zuora.com)

 

Thanks

Bibek

Community Manager

Hello Everyone,

 

Due to holiday change freeze and avoid change conflicts, we are pushing out implemetation of this change to new dates. The original post has been updated with new deployment schedule for this change: 

 

Sandbox and PT1: 16 January, 2019

(Impacted endpoints: apisandbox.zuora.com, apisandboxstatic.zuora.com, rest.apisandbox.zuora.com, apisandbox-api.zuora.com, rest.pt1.zuora.com, and pt1.zuora.com

 

Production: 16 February, 2019

(Impacted endpoints: www.zuora.com, rest.zuora.com, api.zuora.com, and static.zuora.com, gateway.prod.auw2.zuora.com)

 

Thanks

Bibek