The Mobile App Builder Service (MABS) is the part of the OutSystems platform that builds the mobile applications delivered on OutSystems 10. This service takes away from the customer the sometimes complicated requirements and logistics associated with building mobile applications (for example, having to have a Mac with Xcode to build iOS applications) so that our customers can focus on what is important: building their application.
The Mobile App Builder Service is made available through the hostname nativebuilder.api.outsystems.com. This service is available 24x7 to all of our customers, who expect low latency from all over the world, and it needs to be scalable and redundant. To meet these requirements OutSystems has built this service on Amazon CloudFront and other Amazon technologies.
We understand that some of our customers have security policies in place that require limiting access to outside resources and APIs as much as possible. This document explains several alternatives for giving the platform the access it needs to MABS while complying with such policies.
Which servers in an environment access MABS?
Any server with the Front-End role needs to have access to MABS. Because of the distributed architecture of the platform, it is not possible to control which Front-End will access MABS at any given moment, so every Front-End must be allowed through.
Amazon CloudFront is a distributed service, and the IP addresses behind a given endpoint are not guaranteed to stay the same over time. Most customers are used to allowing access to an external service by opening an exception for a specific IP address in their firewall. This approach is not viable with Amazon CloudFront: a rule written for the addresses resolved today can stop working when those addresses change.
Use a proxy to limit access
The simplest and potentially most secure way to meet this requirement is to have a proxy that mediates the application servers' access to the internet and allows access only to the nativebuilder.api.outsystems.com URL and any other URL they require from the internet for normal functioning. Because the proxy filters on the hostname of each request rather than on an IP address, its rules keep working when the CloudFront addresses behind the hostname change, and the Front-Ends themselves need no direct outbound route to the internet.
Use a firewall to limit access to domain
If you have a firewall that allows you to limit access by domain, you can use this functionality to limit access to the Mobile App Builder Service domain. This way you are sure to be opening your infrastructure only to the IP addresses currently being used by CloudFront to deliver this API. For this to hold, the firewall must match the domain at connection time (for example by re-resolving the name continuously or by inspecting the TLS SNI of the outbound connection) rather than resolving it once when the rule is created, since the resolved addresses change.
Use a firewall to limit access to IPs
If you do not have a proxy or a firewall that can restrict access by domain, you will need to obtain the list of all the IP ranges used by Amazon in their CloudFront service and allow access to them on your firewall. Note that this is the least restrictive of the three options: allowing the CloudFront ranges allows access to every service delivered through CloudFront, not only MABS.
Amazon publishes a JSON document with the list of IP ranges used by their services at https://ip-ranges.amazonaws.com/ip-ranges.json. You would only need to allow the ranges used by the CloudFront service: take the entries whose service field is exactly CLOUDFRONT, as Amazon's documentation describes (the same prefix often also appears under the AMAZON service, so filter on the exact value rather than searching the text). At the time of this writing, this equates to 20 IP ranges. Because the list changes, re-fetch it on a schedule (Amazon also announces changes through its AmazonIpSpaceChanged SNS topic) and update the firewall rules accordingly.
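The following added example (not OutSystems code) shows how to extract the CloudFront ranges from a document in the ip-ranges.json layout, render them as firewall rules, check whether a resolved address is covered, and detect changes between two fetches. The sample document embedded in it is constructed from documentation address ranges, not Amazon's real data; the iptables rule format and port 443 are assumptions chosen for illustration.

```python
"""Extract CloudFront prefixes from an AWS ip-ranges.json document.

Added example, not OutSystems code. It parses the layout Amazon publishes at
https://ip-ranges.amazonaws.com/ip-ranges.json: a "prefixes" list (IPv4) and
an "ipv6_prefixes" list, each entry carrying a "service" field. SAMPLE_JSON
below is constructed for this example from RFC 5737 / RFC 3849 documentation
ranges; it is not the real AWS data.
"""
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout (documentation ranges, not AWS ranges).
# Note that 203.0.113.0/24 is listed under both CLOUDFRONT and AMAZON, as happens in the
# real file, which is why an exact match on "service" plus de-duplication is needed.
SAMPLE_JSON = """
{
  "syncToken": "1700000000",
  "createDate": "2023-11-14-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "CLOUDFRONT", "network_border_group": "us-east-1"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    {"ipv6_prefix": "2001:db8:2::/48", "region": "GLOBAL", "service": "S3", "network_border_group": "GLOBAL"}
  ]
}
"""


def cloudfront_prefixes(doc, service="CLOUDFRONT"):
    """Return the sorted, de-duplicated IPv4 and IPv6 networks tagged with `service`.

    `doc` is either the JSON text or an already-parsed dict. Filtering is an exact
    match on the service field; a substring search would also pick up other services.
    """
    data = json.loads(doc) if isinstance(doc, str) else doc
    nets = set()
    for entry in data.get("prefixes", []):
        if entry.get("service") == service:
            nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in data.get("ipv6_prefixes", []):
        if entry.get("service") == service:
            nets.add(ipaddress.ip_network(entry["ipv6_prefix"]))
    # IPv4 and IPv6 networks are not mutually comparable, so sort on (version, address, length).
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def firewall_rules(networks, port=443):
    """Render one outbound allow rule per prefix (iptables/ip6tables syntax, an assumption for illustration)."""
    rules = []
    for net in networks:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A OUTPUT -p tcp -d {net.with_prefixlen} --dport {port} -j ACCEPT")
    return rules


def is_allowed(address, networks):
    """True if `address` (e.g. the address the MABS hostname resolved to) lies inside an allowed network."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in networks)


def changed_since(old_doc, new_doc, service="CLOUDFRONT"):
    """Compare two snapshots of the document and return (added, removed) prefix sets.

    A scheduled re-fetch can call this and raise an alert when the rule set must change.
    """
    old = set(cloudfront_prefixes(old_doc, service))
    new = set(cloudfront_prefixes(new_doc, service))
    return new - old, old - new


if __name__ == "__main__":
    nets = cloudfront_prefixes(SAMPLE_JSON)
    for rule in firewall_rules(nets):
        print(rule)
    print(is_allowed("203.0.113.7", nets), is_allowed("192.0.2.7", nets))
```

To use it against the live data, fetch the published document and pass its text to `cloudfront_prefixes` in place of `SAMPLE_JSON`; keep the previous fetch so that `changed_since` can tell you when the allowlist needs updating.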
For added security you can combine some of these approaches, for example using a proxy server to mediate access to the API and, on that server, restricting outbound access to the API with a firewall. The final solution you reach will depend on your infrastructure and restrictions. If you have any questions on whether a specific approach would work in your case, feel free to reach out to OutSystems Support.