Happy Business Starts Here

Community Manager

As part of our ongoing commitment to ensure the highest availability and optimal security of our services we are making some updates to the way our services are made available. For any new integration, Zuora will no longer support static IP addresses for customers to whitelist. For existing integrations, this change will take effect on below listed dates.  This change is being made after thorough assessment of evolving security risks and will allow us to take full advantage of latest cloud technologies to provide greater availability and resiliency for you as our customer.

 

Sandbox and PT1: 16 January, 2019

(Impacted endpoints: apisandbox.zuora.com, apisandboxstatic.zuora.com, rest.apisandbox.zuora.com, apisandbox-api.zuora.com, rest.pt1.zuora.com, and pt1.zuora.com

 

Production: 16 February, 2019

(Impacted endpoints: www.zuora.com, rest.zuora.com, api.zuora.com, and static.zuora.com, gateway.prod.auw2.zuora.com)

 

 

Actions you need to take:

If you use IP whitelisting to connect Zuora services, please remove IP whitelists to lift any restriction on IP addresses to connect to Zuora services.

 

Other actions you can take for secure integration:
If egress traffic filtering is a key security control for you, one or multiple of the below traffic filtering approaches can be used as alternative.

  • Domain name based filtering: You may use domain name based filtering to whitelist *.zuora.com
  • Access Control List using Proxy: You may use forward proxy and restrict proxy to allow only *.zuora.com domain.
  • Tenant IP Access Control List: Use IP Whitelisting within your tenant configuration to restrict access from origin IP addresses authorized by you.

How Zuora ensures security of your integration:

  • Encryption in transit: Zuora ensures latest and secure TLS protocols are used to encrypt all traffic to Zuora in transit.
  • Authentication: Zuora enforces strong authentication for all APIs used during integration.
  • Threat Detection: Zuora uses multiple state-of-the-art security tools to detect and mitigate any threat to Zuora services and customer data round the clock.
18 Comments
Tutor

Hello Bibek,

 

Does it affect outbound (from Zuora) connections too or inbound (to Zuora) only? I.e. will Zuora make outbound API calls from the predefined IP list still?

Community Manager

That is correct @dmitry. No change with respect to outbound IP addresses Zuora use for callouts. 

Valued Scholar

Hello Bibek,

 

Does this announcement mean that the following functions can not be used anymore?
Administration > Manage User Roles > Allowable Login IP Address Ranges

Community Manager

@kimura-tomohiro - You can continue to use IP Access List within Zuora product. This feature is a good way to secure access to your tenant. With respect to this announcement, we are only lifting IP address limitations, Zuora services use or resolve to. 

Community Manager

We are delaying implementation of this change for existing integrations. Zuora will no longer support static IP addresses to whitelist for any new integration. We will soon update this article with schedule when this feature will be removed for existing integrations. However if you have already removed IP restrictions for traffic to Zuora, you are all set and will not be impacted by this change. 

Community Manager

Hello Everyone,

 

We have updated the original post with the deployment schedule for this change: 

 

Sandbox and PT1: 19 December, 2018

(Impacted endpoints: apisandbox.zuora.com, apisandboxstatic.zuora.com, rest.apisandbox.zuora.com, apisandbox-api.zuora.com, rest.pt1.zuora.com, and pt1.zuora.com

 

Production: 19 January, 2019

(Impacted endpoints: www.zuora.com, rest.zuora.com, api.zuora.com, and static.zuora.com, gateway.prod.auw2.zuora.com)

 

Thanks

Bibek

Community Manager

Hello Everyone,

 

Due to holiday change freeze and avoid change conflicts, we are pushing out implemetation of this change to new dates. The original post has been updated with new deployment schedule for this change: 

 

Sandbox and PT1: 16 January, 2019

(Impacted endpoints: apisandbox.zuora.com, apisandboxstatic.zuora.com, rest.apisandbox.zuora.com, apisandbox-api.zuora.com, rest.pt1.zuora.com, and pt1.zuora.com

 

Production: 16 February, 2019

(Impacted endpoints: www.zuora.com, rest.zuora.com, api.zuora.com, and static.zuora.com, gateway.prod.auw2.zuora.com)

 

Thanks

Bibek

Tutor

@bibek- Does this change affects Production Copy Sandboxes running on services*.zuora.com?

Zuora Support Moderator

@skatdare

Per the announced endpoints, it does not impact production copy (services*.zuora.com) environments

Hi Bibek,

                 I have a  question. Does it mean whitelisting the IPs mentioned on https://knowledgecenter.zuora.com/BB_Introducing_Z_Business/Policies/Inbound_and_Outbound_IP_Address... is no longer required? Still can we whitelist IPs (like salesforce IP ranges) in Zuora environment?

 

 

Thanks,

Chandra

Zuora Support Moderator

Hi @mcsreddy86

Inbound whitelisting was never a requirement by Zuora.  This was something commonly done by security or firewall administrators to restrict inbound (API calls sent to Zuora) traffic to specific IP ranges which (as per this article and our KC) is no longer supported. 

Thanks @BScott.

Honor Student

Hi ,

 

Doest this changes impact users login where we have whitelisted the IP's under Standard Plateform role?

How to test these changes for integration prospectives.

 

Thanks,

Gayatri

 

Community Manager

Hello @gatarane

 

This change does not impact IP Access List feature within Zuora Platform. You can continue to use the feature and we highly recommend use of this feature based on your need. The change is active in Sandbox environment for you to validate. 

 

Thanks

Bibek

Tutor

Did this get implemented in Sandbox or any change of dates? Please confirm

Community Manager

@skatdare - Yes, the change was implemented on 1/16 per plan and schedule for production is on target for 2/16.

 

Thanks

New Student

Apology Bibek for asking again but it appears that I am little confused

Outbound IP (e.g. Callout) from Zuora is still SUPPORTED (IP here).

Incoming IP to Zuora is NOW NOT SUPPORTED as per this article.

 

We are interested in receiving a call from Zuora to our API where we like to IP whitelist.

Community Manager

@avyas - your understanding is absolutely correct. No impact to IP whitelisting for callouts from Zuora. If this is the only IP whitelisting you are using, you will not be impacted by this change.