When integrating with external services that are behind a firewall or have strict access rules, you will need to whitelist the addresses of your OutSystems PaaS environments. This article will guide you on how to find the right IP addresses to allow on your network.
Connecting via VPN
When the servers you are trying to integrate with are on a network that has a VPN connection established to your OutSystems PaaS, you'll need to whitelist the full private IP range of your OutSystems PaaS on your firewall.
The private IP addresses are not static, so it's important to whitelist the entire range.
Connecting over the internet
When using this type of connection, the PaaS environments will be announcing the public IP addresses of the front-end that is establishing the connection.
The OutSystems PaaS front ends are AWS EC2 instances with elastic IPs. Therefore, they have static public IPs that won't change over time and can be safely whitelisted on your network.
Obtaining the front ends' public IPs
To obtain the public IPs of your environments' front ends, execute these 2 steps in sequence:
1. Obtain the servers' hostnames.
In Service Center, access Administration > Servers and note the Name. Take the Name value and add .outsystemsenterprise.com. In the image below the end result would be
2. Resolve the hostnames to their respective public IPs.
You can use any method or tool that can resolve a public hostname to an IP such as, for example, this one.
It's important that you whitelist all the servers' IP addresses. If in Service Center (step 1) you have more than one Name, you should resolve and whitelist all of them. Outgoing requests can originate from any of the front-end servers, so if they are not all whitelisted, some requests may be blocked.
When new front ends are added to an environment, make sure to retrieve and whitelist their public IPs so as not to affect any existing integrations.
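The two steps above, plus a check that every front end's IP is already on your whitelist, as an added example (not OutSystems code). The server names and IPs in the sample are constructed, and the resolver is injectable so the logic can be exercised without a live DNS lookup.

```python
import socket

DOMAIN_SUFFIX = ".outsystemsenterprise.com"  # suffix given in step 1


def to_hostname(server_name):
    """Step 1: append the suffix to a Name from Administration > Servers."""
    name = server_name.strip().rstrip(".").lower()
    if name.endswith(DOMAIN_SUFFIX):
        return name
    return name + DOMAIN_SUFFIX


def system_resolver(hostname):
    """Step 2: return every IPv4 address the system resolver gives."""
    return socket.gethostbyname_ex(hostname)[2]


def frontend_ips(server_names, resolver=system_resolver):
    """Map each front-end hostname to its sorted list of public IPs."""
    result = {}
    for name in server_names:
        host = to_hostname(name)
        ips = sorted(set(resolver(host)))
        if not ips:
            raise LookupError(f"no address returned for {host}")
        result[host] = ips
    return result


def missing_from_whitelist(resolved, whitelist):
    """Front ends with IPs not yet allowed; their requests may be blocked."""
    allowed = set(whitelist)
    gaps = {}
    for host, ips in resolved.items():
        absent = [ip for ip in ips if ip not in allowed]
        if absent:
            gaps[host] = absent
    return gaps


if __name__ == "__main__":
    # Constructed sample: hypothetical server names, documentation-range IPs.
    sample_dns = {
        "fe1-example.outsystemsenterprise.com": ["203.0.113.10"],
        "fe2-example.outsystemsenterprise.com": ["203.0.113.11"],
    }
    resolved = frontend_ips(["FE1-EXAMPLE", "fe2-example"], sample_dns.__getitem__)
    print(resolved)
    print(missing_from_whitelist(resolved, ["203.0.113.10"]))
```

Run it again whenever a front end is added to the environment; any host it reports is one whose outgoing requests the firewall would drop.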
It's important that you don't use the IPs that are obtained when resolving your environment address such as
Some of your environments may have load balancers (LB) in front of the front-end servers, and if you try to resolve <my_production>.outsystemsenterprise.com, what you'll obtain is the LB address.
When performing outgoing requests to external servers, the connection originates directly from the front-end servers and the LB is not involved. A load balancer is only involved in incoming requests to the OutSystems environment.
Therefore, the LB address is not the correct one to whitelist. As an additional note, OutSystems PaaS LBs do not have static IP addresses.