Connecting to third party apps and using Allowed IP addresses?

We’ve been trying to set up API connections with 2 separate third party tools. The first is a custom built program that syncs Keap with another CMS in real time and the second is AppointmentCore, a tool that provides better appointment booking interfacing for contacts.

The team working on the first tool only asked us to add a single allowed IP address for their tool to work but the onboarding team at AppointmentCore have been giving me more and more IP addresses to add to the list (about 10 or so in total) and it still isn’t working. We recently tried emptying the box and AppointmentCore was able to connect to Keap.

Is this a security risk? Should they be able to provide me with an IP address(s) that will allow the apps to connect to one another, is it best practise to do this?