In the OutSystems Cloud you can integrate with several external services. And sometimes, those services are behind a firewall or have strict access rules. To establish a connection, you'll need to whitelist the addresses of your OutSystems Cloud environments. This article guides on how to find the right IP addresses to allow on your network.
Connecting over the internet
Over the internet, OutSystems Cloud environments announce the public IP of the front-end that initiates the outgoing connection.
The OutSystems Cloud front-ends are AWS EC2 instances with elastic IPs. So, they have static public IPs that won't change over time and can be whitelisted on your network.
Obtaining the front-ends' public IPs
To get the public IPs of your environments front-ends execute these 2 steps in sequence:
Get the servers' hostnames.
In Service Center access Monitoring > Environment Health and note the Front-end Servers name. Take that value and add
.outsystemsenterprise.com. In the image below the end result would be
Resolve the hostnames to their respective public IPs.
You can use any method or tool such as, for example, this one.
It's important to whitelist all the IP addresses. If in Service Center (step 1) you have more than one Front-end Server you should resolve and whitelist all. Outgoing requests can originate from any of the front-end servers. And if they're not all whitelisted, some requests may be blocked.
When new front ends are added to an environment make sure to retrieve and whitelist its public IP. Existing integrations can be affected until you do so.
It's important not to use the IPs obtained when resolving the environment address. For example:
Some of your environments have load balancers (LB) and if you resolve
<my_production>.outsystemsenterprise.com what you'll get is the LB IPs.
In outgoing requests to external servers, the connection originates from the front-end servers. The load balancer isn't involved in the communication. It's only involved in incoming requests to the OutSystems environment.
Thus, the LB address isn't the correct one to whitelist. As a note, OutSystems Cloud LBs do not have static IP addresses.
Connecting via VPN
When the external servers are not publicly accessible, you can establish a VPN connection to the OutSystems Cloud. In that case, you'll need to whitelist the full private IP range of your OutSystems PaaS on your firewall.
The private IP addresses are not static so it's important to whitelist the entire range.