
Mobile App Builder Service connectivity requirements

Overview

The Mobile App Builder Service is the part of the OutSystems platform that builds the mobile applications delivered on OutSystems 10. This service takes away from the customer the sometimes complicated requirements and logistics associated with building mobile applications (e.g. having to have a Mac with Xcode for building iOS applications) so that our customers can focus on what's important: building their application.

The Mobile App Builder Service is made available through the following hostname: nativebuilder.api.outsystems.com. This service is available 24x7 to all of our customers, who expect low latency from all over the world. It also needs to be scalable and redundant. In order to meet these requirements, OutSystems has built this service over Amazon CloudFront and other Amazon technologies.

We understand that some of our customers may have security policies in place and want to limit as much as possible access to outside resources and APIs. This document explains several alternatives to meeting this requirement while complying with these security policies.

Challenges

Amazon CloudFront is a distributed service which is not guaranteed to have the same IP address for a specific endpoint over time. Most customers are used to allowing access to an external service by opening a firewall exception for a specific IP. This approach is not viable when dealing with Amazon CloudFront.

Use a proxy to limit access

The simplest and potentially most secure way to meet this requirement is to have the application servers reach the Internet through a proxy that allows access to the nativebuilder.api.outsystems.com URL and to any other URL the servers might require from the Internet for normal functioning.

Use a firewall to limit access to domain

If you have a firewall which allows you to limit access by domain, you can use this functionality to limit access to the Mobile App Builder Service domain. This way you are sure to only be opening your infrastructure to the IPs which are currently being used by CloudFront to deliver this API.

Use a firewall to limit access to IPs

If you do not have a proxy or a firewall which allows you to restrict access to a specific domain, you will need to get a list of all the IPs used by Amazon in their CloudFront service and allow access to them on your firewall.

Amazon provides a list of the IP ranges used by their services, which you can find here. This list comes in JSON format and you would only need to provide access to the ranges used by the CloudFront service (search in the JSON for CLOUDFRONT, as mentioned here). At the time of this writing, this equates to 20 IP ranges.
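As an added example (not OutSystems or Amazon code), the Python below filters a ranges document for the CLOUDFRONT service and reports which CIDRs to add to or remove from a firewall allowlist, since the published set changes over time. The sample document is constructed in the layout of Amazon's ip-ranges.json using documentation prefixes, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of Amazon's ip-ranges.json. The prefixes are
# documentation ranges (RFC 5737 / RFC 3849), not real CloudFront ranges.
SAMPLE = json.loads("""
{
  "syncToken": "0000000000",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/25",    "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "192.0.2.128/25",  "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "192.0.2.0/25",    "region": "GLOBAL",    "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24",  "region": "GLOBAL",    "service": "CLOUDFRONT"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ipv6_prefix": "2001:db8:2::/48", "region": "us-east-1", "service": "S3"}
  ]
}
""")

def _collapse(nets):
    """Merge adjacent/overlapping networks; IPv4 and IPv6 must be collapsed separately."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def service_networks(doc, service="CLOUDFRONT"):
    """Return the merged IPv4 + IPv6 networks tagged with `service`."""
    entries = [(p, "ip_prefix") for p in doc.get("prefixes", [])]
    entries += [(p, "ipv6_prefix") for p in doc.get("ipv6_prefixes", [])]
    return _collapse([ipaddress.ip_network(p[key]) for p, key in entries
                      if p.get("service") == service])

def allowlist_changes(current_cidrs, doc, service="CLOUDFRONT"):
    """Compare the CIDRs allowed on the firewall today with the published set.

    Both sides are collapsed first, so two /25 rules equal one published /24.
    Returns (to_add, to_remove) as sorted lists of CIDR strings.
    """
    published = set(service_networks(doc, service))
    allowed = set(_collapse([ipaddress.ip_network(c) for c in current_cidrs]))
    return sorted(map(str, published - allowed)), sorted(map(str, allowed - published))

if __name__ == "__main__":
    # Constructed current firewall allowlist: one stale entry, two missing.
    add, remove = allowlist_changes(["192.0.2.0/24", "198.51.100.0/24"], SAMPLE)
    print("add:", add)
    print("remove:", remove)
```

Running the comparison on a schedule against a freshly downloaded copy of the JSON keeps the firewall rules from drifting as the CloudFront ranges change.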

Use a single machine to make builds

You may want to limit the number of servers to which you grant access to this API. In this scenario our recommendation is for you to do this on the Deployment Controller machine, which in this case must also be a Front-End. You can use any of the above techniques to limit access to the API on the Deployment Controller machine as long as you guarantee the following conditions:

  1. The Internal Address for this environment in LifeTime is specifically this server.
  2. Users launching mobile application builds through the IDE must be connected to this server.
  3. Users launching mobile application builds through Service Center must be connected to this server.

Final remarks

For added security you can combine some of these approaches. For example, you can use a proxy server to mediate access to the API and, on that server, control access to the API via a firewall. The final solution you reach will depend on your infrastructure and restrictions. If you have any questions on whether a specific approach would work in your case, feel free to reach out to OutSystems Support.