[SalesForce] Whitelisting Salesforce IP In External Systems

I want to integrate with an external system.

They need to whitelist my IP for permission to use their services.

I looked at this post: https://help.salesforce.com/articleView?id=000321501&type=1&mode=1

to get all the possible IP that my request can have.

In the IP list inside the post above, I took just the RIPE area ( Europe, the Middle East and parts of Central Asia) which is my area, and I sent it to my external service to whitelist it.

The issue:

Just the RIPE section is including ~200K IP addresses.

Salesforce's recommendation is to whitelist ALL the IPs and not just your area which I guess will be like ~1M IP address.

The external service won't whitelist such a number (not even 200K) – They want only one IP Address which I guess is not possible.

We thought to share a key with value in the header request by the method HttpRequest request = new HttpRequest(); request.setHeader('Key',encrypt(Value)); and then, they will check the request by this key and not by this IP.

anyone can share their knowledge about these methods? Dose these recommended?

Is there a way to define one static IP address? even a paid way?

Other solutions will be greatly appreciated.


Best Answer

You should not send a key as such in request. Here is how you can do it:

You can use Crypto Class for this scenario. Crypto is an industry standard key creation class.


  1. Use EncodingUtil.base64Encode(Crypto.generateAesKey(256)) to generate a unique key. You can save this key in Custom Metadata type and also should be given to your client. Remember that all the further transactions/callouts will happen by using this CryptoKey.

  2. You can encrypt the data using the above key. For this, you have to get the key from metadata-type and then use Crypto.encryptWithManagedIV('AES256', cryptoKey, data); . cryptoKey is the key you saved in metadata-type and data is the sensitive data (in string) you want to send in request-body. After setting the end-point (by using named-credentials) and other headers needed, you can send request.

  3. Client should be able to decrypt the body using a method similar to Crypto.decryptWithManagedIV('AES256', cryptoKey, encryptedData);. Here, cryptoKey is the one which you share with client. You and client will have same key. Without this key, its not possible to decrypt the data. This method is signature in apex but similar method is available in all server languages.

I have used this and perfectly suitable for secure external communication.

For your reference:

Blob cryptoKey = Crypto.generateAesKey(256);
System.debug(EncodingUtil.base64Encode(cryptoKey));  //5id1mTSdc4obMHI1FRf13H3Jgr8YDj8Xl2dP1Teugwk=
Blob data = Blob.valueOf('this is some random text being tested in crypto encrypt');
Blob encrypted = Crypto.encryptWithManagedIV('AES256', cryptoKey, data);
System.debug(EncodingUtil.base64Encode(encrypted));  // 2dqglmXpvpwAfuAH6+GSuxOvhthM69awr+SnrUrGx4qHvRoiNy1tS7rSZFZjFQAsOpBHKlyePmtelHprlMcnWf3SFfvpvKYB/EB0MqXqSaA=
Blob decrypted = Crypto.decryptWithManagedIV('AES256', cryptoKey, encrypted);
String decryptedString = decrypted.toString();
System.debug(decryptedString);  // this is some random text being tested in crypto encrypt
Related Topic