Whitelist your OutSystems cloud environments on your firewall

When integrating with external services that are behind a firewall or have strict access rules, you'll need to whitelist the addresses of your OutSystems cloud environments. This article explains how to find the right IP addresses to allow on your network.

Connecting over the internet

When using this type of connection, the OutSystems cloud environments announce the public IP addresses of the front-end that's establishing the connection.

The OutSystems cloud front ends are AWS EC2 instances with elastic IPs. Therefore, they have static public IPs that won't change over time and can be safely whitelisted on your network.

Obtaining the front ends' public IPs

To obtain the public IPs of your environment's front ends, execute these 2 steps in sequence:

  1. Obtain the servers' hostnames.

    In Service Center access Monitoring > Environment Health and note the Front-end Servers name. Take that value and add In the image below the end result would be

  2. Resolve the hostnames to their respective public IPs.

    You can use any method or tool that can resolve a public hostname to an IP, such as, for example, this one.

    It's important to whitelist all the servers' IP addresses. If in Service Center (step 1) you have more than one Front-end Server, you should resolve and whitelist all of them. Outgoing requests can originate from any of the front-end servers, so if they're not all whitelisted, some requests may be blocked.

    When new front ends are added to an environment, make sure to retrieve and whitelist their public IPs so as not to affect any existing integrations.
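The two steps above can be scripted as a recurring check that every front-end server's resolved IP is covered by the firewall allowlist. The following is an added example, not OutSystems code; the hostnames and addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import socket


def resolve_ipv4(hostname):
    """Return every IPv4 address the hostname currently resolves to."""
    _name, _aliases, addresses = socket.gethostbyname_ex(hostname)
    return addresses


def audit_allowlist(frontend_hostnames, allowlist, resolver=resolve_ipv4):
    """Map each front-end hostname to the resolved IPs the allowlist misses.

    allowlist entries may be single addresses or CIDR ranges.
    A hostname that fails to resolve is reported with the value None.
    Pass the front-end server hostnames from step 1, not the environment
    address, which may resolve to a load balancer instead.
    """
    networks = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    gaps = {}
    for host in frontend_hostnames:
        try:
            addresses = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            gaps[host] = None
            continue
        uncovered = [a for a in addresses
                     if not any(ipaddress.ip_address(a) in n for n in networks)]
        if uncovered:
            gaps[host] = uncovered
    return gaps


if __name__ == "__main__":
    # Constructed sample data so the demo runs offline; in real use, omit
    # the resolver argument and pass the hostnames built in step 1.
    sample_dns = {
        "frontend-1.example.com": ["203.0.113.10"],
        "frontend-2.example.com": ["203.0.113.11"],  # newly added front end
    }
    firewall_allowlist = ["203.0.113.10/32"]
    report = audit_allowlist(sample_dns, firewall_allowlist,
                             resolver=lambda h: sample_dns[h])
    for host, ips in report.items():
        print(f"{host}: not whitelisted -> {ips}")
```

Running a check like this whenever front ends are added shows which addresses still need a firewall rule before outgoing requests from the new server are blocked.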

Common mistakes

It's important that you don't use the IPs that are obtained when resolving your environment address such as <my_production>

Some of your environments may have load balancers (LB) in front of the front-end servers and if you try to resolve <my_production> what you'll obtain is the LB address.

When performing outgoing requests to external servers, the connection originates directly from the front-end servers and the LB isn't involved. A load balancer is only involved in incoming requests to the OutSystems environment.

Therefore, the LB address isn't the correct one to whitelist. As an additional note, OutSystems cloud LBs do not have static IP addresses.

Connecting via VPN

When the servers you are trying to integrate with are on a network that has a VPN connection established to your OutSystems cloud, you'll need to whitelist the full private IP range of your OutSystems PaaS on your firewall.

The private IP addresses are not static so it's important to whitelist the entire range.
