What is happening?
We are migrating our payments platform to the cloud, hosted by Amazon Web Services (AWS) on 24th November 2020.
Why are you migrating to AWS?
This investment in our technology will ensure our solution is even more robust and future-proof.
What is changing technically?
We are adding an additional data centre to our payment gateway network. This means there will be new IP addresses that your e-commerce platform needs to connect to in order to process payments.
The following domains currently resolve to one or more IP addresses in these CIDR ranges: 220.127.116.11/24 or 18.104.22.168/24. From 24th November, these domains may also start to resolve to an IP address in the CIDR range 22.214.171.124/26:
The range of IP addresses used by Trust Payments can always be found here:
What is a CIDR range?
CIDR (Classless Inter-Domain Routing) is a notation to indicate a network range of one or more IP addresses. For example, the ranges Trust Payments uses are:
- 126.96.36.199/24 representing all IP addresses from 188.8.131.52 to 184.108.40.206 inclusive.
- 220.127.116.11/24 representing all IP addresses from 18.104.22.168 to 22.214.171.124 inclusive.
- 126.96.36.199/26 representing all IP address from 188.8.131.52 to 184.108.40.206 inclusive.
Do I need to do anything?
Maybe. If your e-commerce platform includes any restrictions on which computers/networks it is permitted to connect to (or receive connections from) then you will need to verify each of your services that use Trust Payments are not prevented from accessing the new IP address range. If you have no restrictions in place then this change will not affect you.
How do I remove restrictions to the new IP addresses?
If your e-commerce platform offers a management console, it may include a section for managing inbound/outbound connections (this may be listed under network settings, firewalls, IP whitelists etc). Check with your system administrator or tech team if you are unsure.
If restrictions are based on the domain name (rather than individual or ranges of IP addresses) you should not need to make any changes.
Otherwise, you will need to allow the new range 220.127.116.11/26 for whichever services you use. Your settings should currently allow access to IP addresses in the ranges 18.104.22.168/24 and 22.214.171.124/24 so in most cases you can add the new range in the same way the two previous ranges are allowed.
When do I need to make these changes?
You can start to make the changes immediately. The new CIDR range 126.96.36.199/26 is entirely owned by the Trust Payments platform so allowing connections to/from these IP addresses is safe to do even before the gateway service is in use.
You must make the changes before 24th November 2020 to ensure your payments are unaffected.
Does this affect TCP or UDP?
These changes affect HTTP(s) requests so TCP is required. However, new draft specifications for HTTP/3 will use UDP so you may optionally choose to allow UDP on these connections for future-proofing.
What TCP port(s) need to be allowed?
In most cases just TCP port 443 to allow TLS/HTTPS access. Some services will require additional ports (for example, the Java STAPI service requires port 80 too). Consult the documentation for your API.
Are the domain names changing?
No, the domain names will stay the same. Only the IP address the domains resolve to will be updated.
Are there any changes to the existing IP ranges?
No, the existing IP addresses will continue to be used for the foreseeable future so any settings for the existing CIDR ranges (188.8.131.52/24 and 184.108.40.206/24) should remain unchanged.
What happens if I don’t make the necessary changes?
Your e-commerce platform may be unable to connect to the new data centre to process payments, or it may not receive notifications of transactions from the new data centre. When the new IP addresses start to be put into rotation this could result in intermittent failures of payments at a rate of approximately 1 in 3.
What are the technical details about the changes?
When your server tries to connect to one of our services (for example, webservices.securetrading.net), it will first perform a DNS lookup to find the IP address of our server. The response will currently be an address either in the range 220.127.116.11 –> 18.104.22.168 or the range 22.214.171.124 –> 126.96.36.199, both of which your server is already able to connect to.
From 24th November, we will introduce additional IP addresses into the list of responses, in the range 188.8.131.52 –> 184.108.40.206, and your server will then attempt to connect to these new addresses. If your e-commerce platform does not allow connections to those addresses, your application will appear to hang until it retries the DNS lookup and eventually receives an IP address in one of the original ranges again.
Similarly, if our gateway sends a notification of any transaction to your server (for example, a URL notification configured in the MyST Rule Manager) it will originate from an IP address in our ranges. If your system restricts connections to your notification services from the existing ranges, it will need to accept connections from the new range too.
Who can I contact for more help?
Your technical team should be able to complete the necessary work. If you require further information, please contact our Support Team.