REST and network access

When using Bitrix24 On-premise, network administrator must consider an option within the security policy to grant network access for REST-applications.

The following must be opened for Bitrix24:

Outbound requests to oauth.bitrix.info (for app mechanism).
*.bitrixsoft.com. The "Developers" section for creating integrations and webhooks is restricted without access to this resource.
Inbound requests from app servers (addresses depend from specific applications).

The following permissions must be granted for an app at the developer's server:

Outbound https requests to oauth.bitrix.info.
Outbound https requests to Bitrix24 Self-hosted server.
Inbound https requests from server group mp_actions.*, when app uses event mechanisms, automation rules or custom workflow actions.

Inbound http/s queries will be received from dynamic(scale-based) server group with different IP-addresses. List of these IP-addresses can be retrieved beforehand by querying the address https://dl.bitrix24.com/webhook/app-world.json.

Example of query using curl:

$ curl https://dl.bitrix24.com/webhook/app-world.json
{
 "nodes": ["3.217.33.54", "52.29.163.104"]
}

Use the retrieved list of nodes array's IP addresses to update firewall rules for inbound connections in the corporate network or self-hosted VM.

Sampling frequency: 1 per minute max, but preferable once each 5-10 minutes. VM pool scaling mechanism is designed to pre-list 5-10 minutes before retrieving webhooks from a new address.

Note: Previously Bitrix24 listed specific IPs to be opened for queries. But, due to these addresses changing, it's recommended to work with IP addresses with indicated resolved domain names.

Bitrix24 Applications