Database Firewall

Database Firewall rules allow you to control access to your server-based databases.

Understanding CPQ Firewall Rules

Some customers use the optional database tables to store sensitive or large data sets. To keep that data more secure, no external system can read from or write to the database unless two requirements are met:

  • The connection is authenticated using a valid username/password.
  • The connection comes from an IP address which is allowed by the Firewall Rules.

For example, your integration/ETL tool (like Informatica) or your reporting tool (like Grow) may want to write to your database tables. Or your company administrator may want to look at just one table to investigate an issue from their own laptop. The size or purpose of the access does not matter: if you want to reach your database tables from another computer, the connection must be both authenticated and allowed by a firewall rule.

Determining the Need for a CPQ Firewall Rule

The firewall settings are NOT required for

  • users or company administrators accessing Epicor CPQ through their web browser.
  • web service calls.

Firewall settings are only required for specific IP addresses using port 1433, such as:

  1. The address of the workstation for the occasional company administrator, tasked to manually perform CRUD operations on a database table or view through MSSMS, Data Studio, or a similar database tool over this port.
  2. The address of the server running a data integration tool, tasked to automatically perform CRUD operations to maintain or migrate data over this port.
  3. The address of certain integrated platforms, such as Epicor Kinetic, that access this port to share information required by the integration.

All other customers, administrators, web service endpoints, or other systems using the Epicor CPQ system do not need to be added to the firewall's allowlist, as they are not interacting directly with the database on a special port. They are simply using web services over HTTPS port 8080, which CPQ's firewall allows.

Finding the Addresses for a Firewall Rule

How do you know what address to add to the allow list?

  • If you are at the computer you wish to add to the allow list, you can google "what is my IP" from that same computer to see its public IP address.  If this computer is your own workstation and not a server, remember that your IP address can change depending on your location, or even the time of day.
  • If you are remote controlling the computer you wish to allow, then perform the same task above but from the controlled computer's own browser.
  • If you want to grant access to a system you cannot control, such as a cloud-computing resource, see the settings or documentation for that system to find its public IP address or hostname. In many cases, using the hostname of a cloud-computing resource is more reliable than using an IP address, because IP addresses within cloud-based systems can change.

Allowing Access Through the CPQ Firewall

Listing all Firewall Rules

In the Epicor CPQ admin portal under Infrastructure > Database Firewall, a list of existing firewall rules appears.

Adding a Firewall Rule

Select the Add button and enter the following information:

Property    Description
---------   -----------
Name        The name of your range. We suggest giving it a specific name that will help you review the list for unused or unnecessary entries later.
Begin IP    The lower end of the IP range you want to define.
End IP      The higher end of the IP range you want to define. You can set these two IP addresses the same, which will create a very narrow range of just one address.
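As an added illustration (not part of Epicor's documentation or the CPQ product code), the following Python models the two-part check described above for the IP side of the rule, namely the inclusive Begin IP..End IP match, and flags ranges wide enough to deserve attention when you review the list for unnecessary entries. The rule names and TEST-NET addresses are constructed samples; the username/password requirement is outside this model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class FirewallRule:
    """One Database Firewall entry: a named, inclusive Begin IP..End IP range."""
    name: str
    begin_ip: str
    end_ip: str

    def address_count(self) -> int:
        """Number of addresses the rule allows; 1 when Begin IP equals End IP."""
        begin, end = IPv4Address(self.begin_ip), IPv4Address(self.end_ip)
        if begin > end:
            raise ValueError(f"rule {self.name!r}: Begin IP is above End IP")
        return int(end) - int(begin) + 1

    def contains(self, ip: str) -> bool:
        """True when ip lies within the inclusive range (the IPv4Address type validates the string)."""
        return IPv4Address(self.begin_ip) <= IPv4Address(ip) <= IPv4Address(self.end_ip)


def matching_rule(client_ip: str, rules: List[FirewallRule]) -> Optional[str]:
    """Name of the first rule that allows client_ip, or None if the firewall would reject it.
    This is only the IP requirement; the username/password check happens separately."""
    for rule in rules:
        if rule.contains(client_ip):
            return rule.name
    return None


def overly_broad(rules: List[FirewallRule], max_addresses: int = 256) -> List[str]:
    """Names of rules that allow more than max_addresses hosts, for allowlist review."""
    return [r.name for r in rules if r.address_count() > max_addresses]


# Constructed sample rules using documentation-only (TEST-NET) address ranges.
SAMPLE_RULES = [
    FirewallRule("ETL server (Informatica)", "203.0.113.10", "203.0.113.10"),
    FirewallRule("Admin laptop - office block", "198.51.100.20", "198.51.100.25"),
    FirewallRule("Temporary - remove me", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.23", "192.0.2.77"):
        print(ip, "->", matching_rule(ip, SAMPLE_RULES[:2]))
    print("overly broad:", overly_broad(SAMPLE_RULES))
```

The third sample rule is the kind of entry a specific name helps you spot and delete later, since it allows every address on the internet through to port 1433.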

Deleting a Firewall Rule

Select the "Delete" link next to the range you no longer want.

Editing a Firewall Rule

Rules cannot be edited. Instead, delete the old range and then add a new replacement for it with the updated properties.

Allowing Access Through Your Firewall

The instructions above only describe connections through our firewall. Chances are, you may need to allow connections through your own company firewall. Add the following to your corporate allow list:

Setting      Description
----------   -----------
Port         1433
IP Address   Instead of an IP address, we suggest using the database hostname provided to you when you requested your CPQ database access.

Why a hostname instead of an IP address?
Epicor CPQ is a cloud-based service based on Microsoft Azure. The IP addresses are dynamic, and subject to change without warning. While a ping from the command line shows the IP address at any one time, that IP address might change in the future. Only a hostname that resolves through DNS will always remain up-to-date. For more details, see Microsoft's instructions on accessing Azure resources by hostname or "portal URL".
