Enhanced Security Controls with Heroku Private Spaces
Over the years I’ve built numerous apps that integrate with Salesforce through REST APIs, Heroku Connect, and other methods. Heroku is a great place to run these apps because it lets me use open source technologies like Node.js and Java. It also works great with my GitHub-centric workflow that uses Pull Requests and Heroku Pipelines to test changes and quickly get them to production. Best of all I’ve been able to stop worrying about the ops for my apps since Heroku makes sure that things stay up and running. So I love Heroku, but until now there was no way to have my own private Heroku.
Today Heroku announced that Heroku Private Spaces is now generally available as part of Heroku Enterprise and the Salesforce App Cloud. This provides me all of the usual benefits of Heroku, but in a “private space” just for me and my team. That means I can add additional security controls to my network topology and select which geographic region my app lives in. Let's walk through the kinds of security controls we can now put into place with Heroku Private Spaces and Salesforce.
Network Isolation for Cloud Services
In traditional network architectures, server access controls are handled by firewalls, which block unauthorized attempts to reach a server. For instance, a web server that is available publicly will often talk to a database server that lives on an internal network and is unreachable from the public internet. The cloud is by definition publicly reachable from anywhere, and this presents a challenge for those wanting the same types of access controls they have in traditional network architectures.
Salesforce provides the ability for organizations to specify ranges of IP addresses on the public internet that are allowed access. This provides a hybrid between the cloud and traditional network isolation methods. You can look at this as a type of two-factor authentication for servers/apps. The first factor is the typical username/password and the second factor is the network the server/app is on.
Using Heroku Private Spaces with Salesforce
With Heroku Private Spaces, apps run in a managed environment that has a static set of outbound IP addresses. This enables locking down Salesforce (and other services) so they only allow communication from trusted network locations. Private Spaces also allow you to pick from a variety of geographic locations for the apps to run, providing better performance and reduced latency for users around the globe.
As usual with Heroku and Salesforce, this is all very easy to set up. First get the external IP addresses for your Private Space:
The IP restrictions for integrations should be applied to users’ profiles in Salesforce. In the case of machine-to-machine integrations there will typically be an integration user with an associated profile in Salesforce, and that profile should have the IP restrictions applied to it. For OAuth cases, each user profile that will be allowed to use the Connected App should have the IP restrictions.
To add the Private Spaces IP restrictions to a profile, first select the profile from the list of user profiles:
In the “Login IP Ranges” section, add a new range that includes the IP addresses of your Private Space:
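As an added example (not part of the original post, and not Heroku's or Salesforce's own tooling), the following Python script turns a list of a Private Space's outbound IPs into the start/end pairs the Login IP Ranges form expects, and audits an existing set of ranges for gaps (an outbound IP the profile would reject) and for over-broad entries (addresses permitted that are not the Space's). All IP values are constructed sample data, and the script assumes IPv4 addresses.

```python
import ipaddress

# Constructed sample data (not from the original post): the outbound IPs a
# Private Space would report, and Login IP Ranges already set on a profile.
SPACE_OUTBOUND_IPS = ["203.0.113.13", "203.0.113.10", "203.0.113.12",
                      "203.0.113.11", "198.51.100.7"]
PROFILE_LOGIN_RANGES = [("203.0.113.10", "203.0.113.13")]


def ips_to_login_ranges(ips):
    """Merge a list of IPv4 addresses into the minimal (start, end) pairs
    that the Salesforce Login IP Ranges form accepts."""
    addrs = sorted({ipaddress.ip_address(ip) for ip in ips})
    ranges = []
    for addr in addrs:
        if ranges and int(addr) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = addr          # extend the current contiguous run
        else:
            ranges.append([addr, addr])   # start a new run
    return [(str(start), str(end)) for start, end in ranges]


def audit_login_ranges(outbound_ips, login_ranges, max_extra=0):
    """Check that every outbound IP is inside some Login IP Range, and count
    how many addresses the ranges permit beyond those IPs. Overlapping
    ranges are collapsed first so the count is not inflated."""
    networks = []
    for start, end in login_ranges:
        networks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    networks = list(ipaddress.collapse_addresses(networks))
    needed = {ipaddress.ip_address(ip) for ip in outbound_ips}
    uncovered = [str(ip) for ip in sorted(needed)
                 if not any(ip in net for net in networks)]
    covered = len(needed) - len(uncovered)
    extra = sum(net.num_addresses for net in networks) - covered
    return {"uncovered": uncovered, "extra_addresses": extra,
            "too_broad": extra > max_extra}


if __name__ == "__main__":
    print(ips_to_login_ranges(SPACE_OUTBOUND_IPS))
    print(audit_login_ranges(SPACE_OUTBOUND_IPS, PROFILE_LOGIN_RANGES))
```

Run the audit after every change to the Space's outbound IPs or to the profile, since a missed IP silently breaks the integration while an over-broad range silently weakens the control.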
This simple network control adds an additional layer of security to your Salesforce organization, helping to keep your data safe.