WAF and Outbound Connections

Overview

The Expedited WAF protects your application by filtering inbound HTTP/HTTPS traffic — requests from visitors and clients coming to your domain. It does not affect outbound connections — requests your application makes to external services.

How Traffic Flows

``` Inbound (protected by WAF): Visitor → WAF Edge Network → Your Heroku App

Outbound (not affected by WAF): Your Heroku App → External API / Database / Service ```

Inbound Traffic

All HTTP/HTTPS requests to your custom domain pass through the WAF. The WAF inspects each request, applies security rules, and either allows or blocks it before it reaches your Heroku application.

Outbound Traffic

When your application makes requests to external services — calling a payment API, querying an external database, sending data to a third-party integration — those requests go directly from your Heroku dyno to the destination. They do not pass through the WAF.

This means the WAF:

• Does not filter or inspect outbound API calls
• Does not block your app from reaching external services
• Does not add latency to outbound requests
• Does not appear as the source IP for outbound connections (Heroku’s IP ranges are the source)

Common Questions

“Will the WAF block my app from calling an external API?”

No. The WAF only processes inbound traffic. Your app’s outbound HTTP requests, database connections, and external API calls are unaffected.

“An external service says my requests come from an unexpected IP. Is that the WAF?”

No. Outbound requests from your app come from Heroku’s IP ranges, not the WAF. Heroku uses dynamic IP addresses for outbound connections. If an external service needs to allowlist your app’s IP, you will need to use a Heroku add-on that provides a static outbound IP (such as Fixie or QuotaGuard).

“My app can’t connect to an external service. Could the WAF be the cause?”

No. Since outbound traffic does not pass through the WAF, the WAF cannot be the cause of outbound connection failures. Check your Heroku app logs for connection errors, DNS resolution issues, or firewall rules on the destination service’s side.

Need Help?

If you are troubleshooting connectivity issues and are unsure whether the WAF is involved:

• Contact us at support@expeditedsecurity.com
• Book a Call at https://app.harmonizely.com/expedited/30-min