From which IP addresses Heroku sends logs to a log drain?

Issue

I would like to restrict access to my log drain to only allow Heroku to send logs.

Resolution

Unfortunately, it is practically impossible.

As of writing this, Heroku's Logplex forwards logs through infrastructure running in AWS's us-east-1 region. The log drain sees some of the IP addresses assigned for AWS's EC2 instances in the region as the source IP addresses.

For customers who have Shield Private Spaces, Private Space Logging is available. For an app in the Shield Private Space with Private Space Logging enabled, router logs and app logs are directly sent from the server where the dyno is. The log drain sees some of the IP addresses assigned for AWS's EC2 instances for the region where the Shield Private Space is as the source IP addresses, in addition to logs around the platform API which are sent from those in us-east-1.

Ask on Stack Overflow

Engage with a community of passionate experts to get the answers you need

Ask on Stack Overflow

Heroku Support

Create a support ticket and our support experts will get back to you

Contact Heroku Support