The Mobile App Builder Service is the part of the OutSystems platform that builds the mobile applications delivered on OutSystems 10. This service takes away from the customer the sometimes complicated requirements and logistics associated with building mobile applications (e.g. having to have a Mac with Xcode to build iOS applications), so that our customers can focus on what's important: building their application.
The Mobile App Builder Service is made available through the following hostname: nativebuilder.api.outsystems.com. This service is available 24x7 to all of our customers, who expect low latency from all over the world. It also needs to be scalable and redundant. In order to meet these requirements, OutSystems has built this service on Amazon CloudFront and other Amazon technologies.
We understand that some of our customers have security policies in place and want to limit access to outside resources and APIs as much as possible. This document explains several alternative ways of granting the platform access to this service while complying with these security policies.
Amazon CloudFront is a distributed service, and a given endpoint is not guaranteed to keep the same IP address over time. Most customers are used to granting their organization access to an external service by opening an exception for a specific IP in their firewall. This approach is not viable when dealing with Amazon CloudFront.
Use a proxy to limit access
The simplest and potentially most secure way to meet this requirement is to have a proxy that the application servers use to mediate access to the Internet, and which allows access to the nativebuilder.api.outsystems.com URL and any other URL the servers require from the Internet for normal functioning.
Use a firewall to limit access to domain
If you have a firewall that allows you to limit access by domain, you can use this functionality to limit access to the Mobile App Builder Service domain. This way you are sure to only be opening your infrastructure to the IPs currently being used by CloudFront to deliver this API.
Use a firewall to limit access to IPs
If you do not have a proxy or a firewall that allows you to restrict access to a specific domain, you will need to obtain the list of all the IPs used by Amazon in their CloudFront service and allow access to them on your firewall.
Amazon provides a JSON file with the list of IP ranges used by their services, which you can find here. You only need to allow access to the ranges used by the CloudFront service (search the JSON for CLOUDFRONT, as mentioned here). At the time of this writing, this equates to 20 IP ranges.
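As an added example (not OutSystems' own tooling), the following script extracts the CLOUDFRONT entries from a file in the shape of Amazon's ip-ranges JSON and diffs two snapshots, so the firewall allow list can be updated when Amazon changes the ranges. The field names follow the published file; the two snapshots below are constructed sample data, not real AWS ranges.

```python
import ipaddress
import json

# Constructed sample snapshots in the shape of AWS's ip-ranges.json (not real data).
# Only entries whose service is CLOUDFRONT belong in the firewall rule; EC2 is skipped.
SNAPSHOT_OLD = json.dumps({
    "syncToken": "1000000000", "createDate": "2017-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"}],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"}],
})
# A later snapshot: one CloudFront range was narrowed, so the allow list must change.
SNAPSHOT_NEW = json.dumps({
    "syncToken": "1000000001", "createDate": "2017-02-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.64/26", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"}],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"}],
})


def cloudfront_prefixes(raw_json, service="CLOUDFRONT"):
    """Return the IPv4 and IPv6 prefixes tagged with `service`; ipaddress validates
    each one so a malformed entry raises instead of becoming a broken firewall rule."""
    data = json.loads(raw_json)
    found = set()
    for entry in data.get("prefixes", []):
        if entry.get("service") == service:
            found.add(str(ipaddress.ip_network(entry["ip_prefix"])))
    for entry in data.get("ipv6_prefixes", []):
        if entry.get("service") == service:
            found.add(str(ipaddress.ip_network(entry["ipv6_prefix"])))
    return found


def allow_list_diff(old_json, new_json):
    """Prefixes to add to and remove from the firewall when AWS publishes a new file."""
    old, new = cloudfront_prefixes(old_json), cloudfront_prefixes(new_json)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    added, removed = allow_list_diff(SNAPSHOT_OLD, SNAPSHOT_NEW)
    print("add:", added, "\nremove:", removed)
```

Because the ranges change over time, this comparison is worth running on a schedule rather than once: a stale allow list will eventually block builds or leave superseded ranges open.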
Use a single machine to make builds
You may want to limit the number of servers you are granting access to this API. In this scenario our recommendation is to do this on the Deployment Controller machine, which in this case must also be a Front-End. You can use any of the above techniques to limit access to the API from the Deployment Controller machine, as long as you guarantee the following conditions:
- The Internal Address for this environment in LifeTime is specifically this server.
- Users launching mobile application builds through the IDE must be connected to this server.
- Users launching mobile application builds through Service Center must be connected to this server.
For added security you can obviously combine some of these approaches, for example using a proxy server to mediate access to the API and, on that server, controlling access to the API via firewall. The final solution you reach will depend on your infrastructure and restrictions. If you have any questions on whether a specific approach would work in your case, feel free to reach out to OutSystems Support.