Heroku Private Space Trusted IP Range Configuration

Context

Heroku Private Space users have access to Trusted IP Range restrictions. Used with Expedited WAF, this enables a configuration where all traffic is forced to connect through the WAF, where security filtering and rules are applied.

Attackers deliberately trying to circumvent the WAF and directly access an application are executing what's generally called a "WAF Bypass Attack."

The Trusted IP Range restriction removes the possibility of this type of attack.

What IP address ranges?

The following IP ranges encompass all of the IPs that the Expedited WAF network will use to make requests to your Heroku application.

These IP ranges are:

192.88.134.0/23

185.93.228.0/22

66.248.200.0/22

208.109.0.0/22
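
An added example (not Expedited WAF's or Heroku's own code): a Python check that compares a Private Space's trusted CIDR list, supplied as a plain list of strings, against the four ranges above. It reports WAF ranges left uncovered and entries that would still let non-WAF sources reach the app. The function names and the sample list are assumptions made for illustration.

```python
import ipaddress

# Expedited WAF egress ranges, as listed on this page.
WAF_RANGES = [ipaddress.ip_network(c) for c in (
    "192.88.134.0/23", "185.93.228.0/22", "66.248.200.0/22", "208.109.0.0/22",
)]


def audit_trusted_ranges(configured):
    """Return (missing, bypass) for a space's trusted CIDR list.

    missing: WAF ranges the list does not fully cover (WAF traffic dropped).
    bypass:  configured entries that admit addresses outside the WAF ranges.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in configured]
    # Merge adjacent IPv4 entries so two /24s count as covering a /23.
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    missing = [str(w) for w in WAF_RANGES
               if not any(w.subnet_of(n) for n in v4)]
    bypass = [str(n) for n in nets
              if n.version != 4 or not any(n.subnet_of(w) for w in WAF_RANGES)]
    return missing, bypass


def is_waf_source(addr):
    """True if a request's source address falls inside a WAF range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in w for w in WAF_RANGES)


if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real space.
    sample = ["192.88.134.0/24", "192.88.135.0/24", "185.93.228.0/22",
              "66.248.200.0/22", "203.0.113.0/24"]
    missing, bypass = audit_trusted_ranges(sample)
    print("WAF ranges not covered:", missing)
    print("Entries allowing non-WAF sources:", bypass)
```

An empty result for both lists means the trusted list matches the WAF ranges exactly; is_waf_source can be run over request source addresses in application logs to confirm that traffic arrives only from the WAF.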

How often are these ranges updated?

They're essentially never updated (no changes to the list in the last five years).

If we add a range in the future, we will contact all of our customers months in advance to alert them to the need to update their Trusted IP ranges.

Important Considerations

All or Nothing Trusted IP Range Setting

The Trusted IP range setting affects all of the apps in the Private Space, so you may need to either add additional WAFs or move apps around between spaces to accommodate that restriction.

Put another way, you can't have APP-A in the Private Space with a WAF and APP-B in the same Private Space without a WAF while the Trusted IP setting is active.

SSL/TLS Certificate Management

Enabling Trusted IP ranges in a Private Space disables Heroku Automatic Certificate Management.

To assist with this, we provide generated certificates that will encrypt the connection from the WAF egress points to the Heroku app.

This ensures that your application's connections are fully encrypted from client to app.

Note: these certificates only need to be installed one time and function similarly to self-signed certificates in that they don't expire and don't require annual updating.

How to start the process?

Please contact support@expeditdsecurity.com to start the process of enabling Trusted IP ranges for your Private Space.
