The outgoing IP addresses don’t change that often, but are subject to change.
Mendix will notify you of changes 48h in advance; see https://docs.mendix.com/developerportal/deploy/mendix-ip-addresses
Whether limiting the access based on the outgoing IP addresses is a sound idea is up to you, but as the different apps in one of the clouds all use the same address for the outgoing connection (see documentation), this doesn’t seem to be a secure solution to me. I would set up authentication and/or certificates to secure these REST services.