I need to add Heroku dynos (e.g. on a corporate firewall, on AWS RDS) to our IP allowlist - what are IP address ranges in use at Heroku?
Heroku Common Runtime Dynos use a subset of the IP range of the underlying AWS EC2 instances.
The underlying AWS region for your app can be found as the
provider.region field in the output of this CLI command:
heroku regions --json
The IPs in use by Heroku at any given time are highly dynamic, meaning that the published ranges may cover other IP addresses not currently in use by Heroku. This means that it is often not desirable to open up your firewall to the whole of the AWS region for security reasons. If you wanted to do this regardless you can find the published IP ranges from AWS here: http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
For apps in the Common Runtime a better approach would be to use an add-on to provide a static outbound IP address https://elements.heroku.com/addons/categories/network or to rely on secure communication via TLS.
For Private Spaces apps, these can use the static outbound IPs for your space. You can find details of these using these instructions https://devcenter.heroku.com/articles/private-spaces#view-information-about-a-private-space