Opportunity webhook delivery fails after cloud migration due to firewall rules

After migrating our Zendesk Sell instance to AWS cloud infrastructure, opportunity update webhooks stopped being delivered to our external integration endpoints. The webhooks worked perfectly in our previous data center environment. I’ve checked the webhook configurations in Zendesk Sell and they appear unchanged. Our integration service logs show no incoming requests from Zendesk Sell after the migration. I suspect this is related to cloud firewall egress rules or possibly webhook endpoint whitelisting requirements. The integration endpoints are hosted on our own servers outside AWS. Has anyone experienced webhook delivery failures after cloud migration? I need to understand what network configurations are blocking the outbound webhook calls.


Webhook Target: https://integrations.company.com/webhooks/opportunity
Zendesk Sell Cloud: AWS us-east-1
Error: Webhook delivery timeout (no response)
Integration Logs: No requests received

I’d also investigate whether you’re using AWS PrivateLink or VPC endpoints. If Zendesk Sell is trying to use a VPC endpoint for outbound calls but your integration is external, there could be routing conflicts. Make sure your webhook traffic is routed through the Internet Gateway, not through VPC endpoints that are meant for AWS service communication.

After reviewing all the potential issues, here’s the complete solution addressing the three critical configuration areas:

1. Cloud Firewall Egress Rules: Your AWS VPC must allow outbound HTTPS traffic. Configure these components:

# AWS CLI - Security Group egress rule:
aws ec2 authorize-security-group-egress \
  --group-id sg-0123456789abcdef0 \
  --ip-permissions IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges='[{CidrIp=0.0.0.0/0}]'

Also verify VPC route table has Internet Gateway route:

  • Destination: 0.0.0.0/0
  • Target: igw-xxxxx (your Internet Gateway)

Check Network ACLs for both inbound and outbound rules allowing HTTPS traffic. NACLs are stateless, so you need explicit rules in both directions.

2. Webhook Endpoint Whitelisting: The cloud migration changed your outbound IP addresses. Your integration endpoint’s firewall must whitelist the new source IPs. Here’s how to identify and configure them:

# Pseudocode - Get NAT Gateway Elastic IPs:
1. Navigate to AWS Console > VPC > NAT Gateways
2. Identify NAT Gateway in your Zendesk Sell subnet
3. Note the Elastic IP address(es) attached
4. Provide these IPs to integration endpoint firewall admin
5. Configure integration firewall to allow HTTPS from these IPs
6. Test connectivity: curl -I https://integrations.company.com/webhooks/opportunity

If using multiple availability zones, you’ll have multiple NAT Gateways with different Elastic IPs - whitelist all of them.

3. Network ACL Configuration: Configure stateless Network ACL rules for webhook traffic:

# Outbound rules (lower rule numbers = higher priority):
Rule 100: HTTPS (443) - 0.0.0.0/0 - ALLOW
Rule 110: Ephemeral Ports (1024-65535) - 0.0.0.0/0 - ALLOW

# Inbound rules (for return traffic):
Rule 100: Ephemeral Ports (1024-65535) - 0.0.0.0/0 - ALLOW

The ephemeral port rules are critical because webhook responses come back on random high ports.

Additional Configuration Steps:

DNS Resolution: Enable DNS in your VPC:

aws ec2 modify-vpc-attribute --vpc-id vpc-xxxxx --enable-dns-hostnames
aws ec2 modify-vpc-attribute --vpc-id vpc-xxxxx --enable-dns-support

CloudWatch Monitoring: Enable VPC Flow Logs to diagnose connection issues:

# A cloud-watch-logs destination also needs an IAM role that EC2 can assume
# to write to the log group (--deliver-logs-permission-arn is required for
# this destination type); replace the ARN placeholder with your role.
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-xxxxx \
  --traffic-type REJECT \
  --log-destination-type cloud-watch-logs \
  --log-group-name /aws/vpc/zendesk-sell-webhooks \
  --deliver-logs-permission-arn arn:aws:iam::<account-id>:role/<flow-logs-role>

Review flow logs for REJECT entries to identify exactly where traffic is being blocked.

Webhook Configuration Verification: In Zendesk Sell, re-test webhook delivery:

  1. Navigate to Settings > Integrations > Webhooks
  2. Select your opportunity webhook
  3. Click “Test Webhook” button
  4. Monitor both Zendesk Sell logs and your integration service logs
  5. Verify successful delivery with 200 OK response

SSL/TLS Considerations: Ensure your integration endpoint uses a valid SSL certificate from a trusted CA. Self-signed certificates will cause webhook delivery failures. If you must use self-signed certs, configure Zendesk Sell to accept them (not recommended for production).

Troubleshooting Commands:

# Test connectivity from Zendesk Sell instance:
curl -v -X POST https://integrations.company.com/webhooks/opportunity \
  -H "Content-Type: application/json" \
  -d '{"test": "connectivity"}'

# Check DNS resolution:
nslookup integrations.company.com

# Verify routing:
traceroute integrations.company.com

Once all three areas are properly configured - egress rules, IP whitelisting, and Network ACLs - webhook delivery should resume. The key is ensuring a complete bidirectional network path from your Zendesk Sell VPC through the NAT Gateway to your external integration endpoint and back.
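The three checks in the answer above (which NAT Gateway Elastic IPs to whitelist, whether the subnet has a default route out, and whether the stateless NACL allows HTTPS out and the ephemeral-port reply back in) can be scripted against the JSON that `aws ec2 describe-nat-gateways`, `describe-route-tables` and `describe-network-acls` return. The following is an added example written for this page, not code from the thread or from Zendesk/AWS; the JSON inside it is constructed sample data in the shape of those commands' output, with placeholder ids and documentation-range IPs, so it runs offline. It evaluates NACL entries the way the VPC does (lowest rule number first, first match wins, implicit deny) and shows the classic failure from the answer: HTTPS leaves, but a missing inbound ephemeral-port rule drops the response and the delivery times out.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-nat-gateways` output.
# Ids and addresses are placeholders, not real resources.
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-0aaa", "SubnetId": "subnet-pub-a", "State": "available",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-1", "PublicIp": "203.0.113.10"}]},
    {"NatGatewayId": "nat-0bbb", "SubnetId": "subnet-pub-b", "State": "available",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-2", "PublicIp": "203.0.113.11"}]},
    # A deleted gateway still shows up in the listing; its EIP must not be whitelisted.
    {"NatGatewayId": "nat-0ccc", "SubnetId": "subnet-pub-c", "State": "deleted",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-3", "PublicIp": "203.0.113.12"}]},
]}

# Constructed sample in the shape of `aws ec2 describe-route-tables` output:
# subnet-app-a has a default route via a NAT Gateway, subnet-app-b has none.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa", "State": "active"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]}

# NACL entries in the shape of `describe-network-acls` "Entries"; every NACL ends
# with the implicit rule 32767 deny in each direction, which the API also lists.
DEFAULT_DENY = [
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]
NACL_GOOD = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
] + DEFAULT_DENY
# Same outbound rule, but the inbound ephemeral-port rule was never added.
NACL_NO_RETURN = [NACL_GOOD[0]] + DEFAULT_DENY


def nat_public_ips(nat_output):
    """Elastic IPs of every *available* NAT Gateway: the source addresses the
    external endpoint's firewall has to allow (one per AZ when multi-AZ)."""
    ips = set()
    for gw in nat_output["NatGateways"]:
        if gw.get("State") != "available":
            continue
        for addr in gw.get("NatGatewayAddresses", []):
            if addr.get("PublicIp"):
                ips.add(addr["PublicIp"])
    return sorted(ips)


def default_route_target(rt_output, subnet_id):
    """Target of the active 0.0.0.0/0 route in the table associated with
    subnet_id (a nat-/igw- id), or None if the subnet has no path out."""
    for table in rt_output["RouteTables"]:
        if not any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            continue
        for route in table["Routes"]:
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
                return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def nacl_permits(entries, egress, remote_ip, port, protocol="6"):
    """Evaluate stateless NACL entries like the VPC does: lowest rule number
    first, first matching rule decides, nothing matching means deny."""
    remote = ipaddress.ip_address(remote_ip)
    directional = sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"])
    for e in directional:
        if e["Protocol"] not in ("-1", protocol):
            continue
        if "CidrBlock" not in e or remote not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False


def check_webhook_path(nat_output, rt_output, nacl_entries, subnet_id, endpoint_ip,
                       ephemeral=(1024, 65535)):
    """Can a host in subnet_id reach endpoint_ip:443 and get the reply back?
    Both ends of the ephemeral range are checked inbound, since the reply
    lands on an arbitrary high port."""
    report = {
        "nat_ips_to_whitelist": nat_public_ips(nat_output),
        "default_route_target": default_route_target(rt_output, subnet_id),
        "nacl_https_out": nacl_permits(nacl_entries, True, endpoint_ip, 443),
        "nacl_ephemeral_in": all(nacl_permits(nacl_entries, False, endpoint_ip, p) for p in ephemeral),
    }
    report["ok"] = bool(report["default_route_target"]) and report["nacl_https_out"] and report["nacl_ephemeral_in"]
    return report


if __name__ == "__main__":
    # 198.51.100.20 stands in for the external integration endpoint's address.
    for name, entries in (("good", NACL_GOOD), ("missing-inbound-ephemeral", NACL_NO_RETURN)):
        print(name, json.dumps(check_webhook_path(NAT_GATEWAYS, ROUTE_TABLES, entries,
                                                  "subnet-app-a", "198.51.100.20"), indent=2))
```

To run it against a real account, replace the three constructed dicts with `json.load` of the corresponding `aws ec2 describe-*` output and pass the subnet the webhook sender actually lives in; the `nat_ips_to_whitelist` list is what the integration endpoint's firewall admin needs, and a report with `nacl_https_out` true but `nacl_ephemeral_in` false is exactly the "timeout, no response" symptom described in the question.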

Don’t forget about DNS resolution issues. If your VPC doesn’t have DNS resolution enabled, the webhook service might not be able to resolve your integration endpoint hostname. Enable DNS hostnames and DNS resolution in your VPC settings. Also check if you need to configure custom DNS servers or use AWS Route 53 for reliable external DNS resolution.