When self-hosting the Transcend Security Gateway (AKA "Sombra"), you can restrict ingress traffic from Transcend to the list of IP addresses found here. Note that all of the IP addresses need to be allowed.
If you are not self-hosting the security gateway, you may want to add IP restrictions to all incoming webhooks and database connections. All traffic will originate from https://multi-tenant.sombra.transcend.io, from the following set of IPs:
Restricting IP ranges for receiving a webhook is always a great idea; however, you should only use this as a secondary form of authentication. It is crucial that you always verify the incoming webhook signature. Please refer to this guide for information on verifying the webhook signature.
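The sketch below is an added example, not code from Transcend's documentation. It shows the layering described above: the source IP check runs first, and the signature check still decides the outcome. The CIDR ranges are constructed placeholders, and `TRUSTED_PROXIES`, `client_ip`, `accept_webhook` and the `verify_signature` callable are hypothetical names; the real signature check is the one in the guide referenced above.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Constructed placeholder ranges (RFC 5737 documentation space). Replace with
# every address from Transcend's published list; none are reproduced here.
TRANSCEND_ALLOWLIST = ["192.0.2.10/32", "198.51.100.0/28"]
# Assumption: your own reverse proxy or load balancer, the only hop trusted
# to set X-Forwarded-For.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def _in_any(ip: str, cidrs: Iterable[str]) -> bool:
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # malformed address never matches
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address to test against the allowlist.

    X-Forwarded-For is sender-controlled unless the TCP peer is our own proxy.
    When it is, walk the header right to left and take the first hop that is
    not one of our proxies; anything further left is unverified.
    """
    if not x_forwarded_for or not _in_any(peer_ip, TRUSTED_PROXIES):
        return peer_ip
    for hop in reversed(x_forwarded_for.split(",")):
        if not _in_any(hop, TRUSTED_PROXIES):
            return hop.strip()
    return peer_ip


def accept_webhook(peer_ip: str, x_forwarded_for: Optional[str], body: bytes,
                   signature: str,
                   verify_signature: Callable[[bytes, str], bool]) -> bool:
    """Accept only if the source is allowlisted AND the signature verifies."""
    if not _in_any(client_ip(peer_ip, x_forwarded_for), TRANSCEND_ALLOWLIST):
        return False  # cheap early reject; not an authentication decision
    return verify_signature(body, signature)
```

A request from an allowlisted address with a bad signature is still rejected, and a forged `X-Forwarded-For` header from an untrusted peer is ignored.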