Security policy blocks alert notifications to external endpoints via webhook integration

Our outbound alert notifications are failing when attempting to send to external webhook endpoints. We’ve configured webhook integrations to forward critical alerts to our incident management system, but all outbound calls are being blocked with HTTP 403 errors.

The webhook configuration looks correct:


POST /notification2/subscriptions
{
  "subscription": "webhook_alerts",
  "subscriptionFilter": {"apis": ["alarms"]},
  "context": {"url": "https://external-system.company.com/api/alerts"}
}

Checking the audit logs shows ‘Outbound connection blocked by security policy’ entries. I’ve verified the external endpoint is reachable from our network, and the webhook worked fine in our test environment. Is there a specific security policy configuration in Cumulocity that controls outbound webhook connections? We’re running version 1018.0.5 in a private cloud deployment. The security team hasn’t made any recent firewall changes on their end.

In private cloud deployments, the outbound security policy is typically more restrictive than in public cloud. You need to configure the allowed destinations list through the tenant options API. Look for the ‘security.outbound.allowedDestinations’ option. This should contain a list of URL patterns or domains that are permitted for webhook integrations. Your external endpoint URL needs to match one of these patterns. Also check if there’s a ‘security.outbound.enabled’ flag that might be set to false, which would block all outbound connections regardless of the whitelist.

Yes, the audit log message ‘blocked by security policy’ specifically indicates Cumulocity’s internal security policy is rejecting the connection, not an external firewall. To update the allowed destinations, you need management tenant access or the appropriate role permissions. The configuration uses URL pattern matching, so you can either whitelist specific endpoints or use wildcards for broader access. Be careful with wildcards though - they can create security vulnerabilities if too permissive. Your security team should review any changes to the outbound policy.
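
The wildcard caution in the reply above, worked through as an added example (not part of the thread and not Cumulocity code): a strict allowlist matcher plus a reviewer check for over-broad patterns. It assumes patterns of the form `https://host/path-prefix` in which `*` stands for one whole DNS label; the platform's actual matching rules are not shown in this thread, and `ALLOWED`, `is_allowed` and `audit_pattern` are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed allowlist; the platform's real pattern syntax is not shown in the thread.
ALLOWED = ["https://external-system.company.com/api/"]

def host_matches(pattern_host, host):
    # '*' stands for exactly one DNS label; every other label must be equal.
    p, h = pattern_host.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and all(a in ("*", b) for a, b in zip(p, h))

def path_matches(pattern_path, path):
    # Prefix match on whole segments. Literal dot segments are refused, not
    # resolved; percent-encoded ones are not decoded here.
    if ".." in path.split("/"):
        return False
    prefix = pattern_path.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def is_allowed(url, patterns=ALLOWED):
    try:
        t = urlsplit(url)
        if t.scheme != "https" or not t.hostname:
            return False
        for pattern in patterns:
            p = urlsplit(pattern)
            if (p.scheme == "https" and p.hostname
                    and (p.port or 443) == (t.port or 443)
                    and host_matches(p.hostname, t.hostname)
                    and path_matches(p.path, t.path)):
                return True
    except ValueError:  # malformed port or host in the URL or a pattern
        return False
    return False

def audit_pattern(pattern):
    # Reasons a reviewer should reject the pattern; an empty list means none found.
    p = urlsplit(pattern)
    labels = (p.hostname or "").split(".")
    findings = []
    if p.scheme != "https":
        findings.append("scheme is not https")
    if not p.hostname:
        findings.append("no host")
    if "*" in labels[1:] or any("*" in l and l != "*" for l in labels):
        findings.append("wildcard is not a whole leftmost label")
    if labels[0] == "*" and len(labels) < 3:
        findings.append("wildcard leaves fewer than two fixed labels")
    return findings
```

The two-fixed-label rule is a heuristic: it does not consult the public suffix list, so a pattern such as `https://*.co.uk/` still needs a human reviewer.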

Cumulocity has an outbound security policy feature that restricts which external endpoints can receive data from webhook subscriptions. This is controlled through the tenant options. Check if your tenant has ‘allowedDestinations’ configured in the security settings. By default, some deployments block all outbound connections unless explicitly whitelisted.