Salesforce API and Trusted IP Ranges: Static IPs for Serverless Integrations

Salesforce lets admins restrict API access to a set of Trusted IP Ranges. This is a common security control, especially in orgs that handle sensitive customer data. If your connected app or integration calls the Salesforce API, and the org has Trusted IP Ranges configured, your requests need to come from an IP address in that list.

If your integration runs on Heroku, Lambda, Cloud Functions, or any serverless platform, you don't have a predictable IP to add to that list. Your requests come from rotating addresses. Some will be in the trusted range by coincidence. Most won't.

How Salesforce Trusted IP Ranges Work

Salesforce admins can configure Trusted IP Ranges in two places:

Org-wide Network Access. Under Setup, Network Access defines IP ranges that are trusted for all users and API access. Requests from outside these ranges may trigger additional authentication challenges or be blocked entirely depending on the org's session settings.

Connected App IP Relaxation. Each connected app has an IP relaxation setting. When set to "Enforce IP restrictions," the connected app can only make API calls from IPs in the org's Trusted IP Ranges. When set to "Relax IP restrictions," any IP is allowed. Many security-conscious orgs keep this set to enforce.

Profile-level Trusted IP Ranges. Admins can also set IP ranges per profile, restricting which IPs users (and API integrations running as those users) can log in from.

When your integration's IP isn't in the trusted range, Salesforce may return an authentication error, require identity verification, or block the request outright. The exact behavior depends on the org's configuration, but the result is the same: your integration fails intermittently or completely.

The Serverless Problem

If your Salesforce integration runs on Lambda, it might use a different IP every invocation. Heroku dynos rotate IPs when they restart. Cloud Functions use shared pools. You can't add these IPs to Salesforce's Trusted IP Ranges because you don't know what they'll be, and they change constantly.

Some teams ask the Salesforce admin to set the connected app to "Relax IP restrictions." This works but removes a security control. For orgs with compliance requirements or sensitive data, relaxing IP restrictions isn't acceptable.

The Fix

Route your Salesforce API calls through QuotaGuard. Your integration gets two dedicated static IPs. The Salesforce admin adds those two IPs to the org's Trusted IP Ranges. Done.

Python

import os
import requests

proxy_url = os.environ.get('QUOTAGUARD_URL')
proxies = {'http': proxy_url, 'https': proxy_url}

# Salesforce OAuth token request
auth_response = requests.post(
    'https://login.salesforce.com/services/oauth2/token',
    data={
        'grant_type': 'password',
        'client_id': os.environ['SF_CLIENT_ID'],
        'client_secret': os.environ['SF_CLIENT_SECRET'],
        'username': os.environ['SF_USERNAME'],
        'password': os.environ['SF_PASSWORD']
    },
    proxies=proxies
)

token = auth_response.json()['access_token']
instance_url = auth_response.json()['instance_url']

# Salesforce API call
response = requests.get(
    f'{instance_url}/services/data/v59.0/sobjects/Account/',
    headers={'Authorization': f'Bearer {token}'},
    proxies=proxies
)

Both the OAuth token request and the subsequent API calls should go through the proxy. Salesforce checks the IP at authentication and may check it again on API requests depending on session settings.

Node.js

const { HttpsProxyAgent } = require('https-proxy-agent');
const jsforce = require('jsforce');

const agent = new HttpsProxyAgent(process.env.QUOTAGUARD_URL);

const conn = new jsforce.Connection({
  loginUrl: 'https://login.salesforce.com',
  httpProxy: process.env.QUOTAGUARD_URL
});

await conn.login(process.env.SF_USERNAME, process.env.SF_PASSWORD);

const accounts = await conn.query('SELECT Id, Name FROM Account LIMIT 10');

jsforce supports proxy configuration natively through the httpProxy option.

Heroku Connect and Heroku-Specific Notes

If you're using Heroku Connect for Salesforce data sync, that's a managed service with its own IP handling. But if you're running custom Salesforce API integrations on Heroku dynos alongside Heroku Connect, those custom integrations still need static IPs for Trusted IP Range compliance.

Add QuotaGuard Static as a Heroku add-on. The QUOTAGUARDSTATIC_URL environment variable is set automatically. Use it in your Salesforce API calls.

What to Send the Salesforce Admin

When you sign up for QuotaGuard, you get two static IP addresses visible on the dashboard. Send those to the Salesforce admin with a request like:

"Please add these two IP addresses to the org's Trusted IP Ranges under Setup > Network Access. These are the static outbound IPs for our integration."

That's it. The admin adds them. Your integration works from any serverless platform because the outbound IP is always one of those two.

If the IPs ever change (they shouldn't under normal circumstances, but if you switch plans or regions), you'd update the Salesforce admin with the new addresses.

Bulk API and Data Loader

The same approach works for Salesforce Bulk API jobs and Data Loader operations. If you're running batch data imports or exports from serverless infrastructure, and the org enforces Trusted IP Ranges, route those API calls through the proxy.

Bulk API jobs are long-running, so make sure your proxy connection handles the longer request duration. QuotaGuard supports persistent connections and doesn't have request-level timeouts that would interrupt bulk operations.

Getting Started

Sign up for QuotaGuard Static. Add the two static IPs to your Salesforce org's Trusted IP Ranges. Set the proxy URL as an environment variable in your integration's runtime. Route Salesforce API calls through the proxy.

QuotaGuard Static starts at $19/month. If you're handling sensitive Salesforce data under HIPAA or PCI-DSS, QuotaGuard Shield starts at $29/month with SSL passthrough for end-to-end encryption.