On-premise inside private network, what endpoints to expose

We’re running Sentry inside our own private network and that has worked well with internal services.

But now we’d like to integrate support for our AngularJS website, which would need to push events from outside the network.

We would prefer to not expose the entire Sentry instance, so is there any documentation on what exactly are the endpoints we would need to whitelist?

^/api/\d/store/$

And it only needs to accept POST.
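
One way to enforce this at the network edge, as an added example that is not part of the original posts or of Sentry's own documentation: an nginx reverse proxy that forwards only POST requests matching the pattern above and rejects everything else. The use of nginx, the hostname, the certificate paths, the body-size cap and the internal upstream address are all assumptions.

```nginx
# Added example: public-facing proxy exposing only the event store endpoint.
server {
    listen 443 ssl;
    server_name sentry-ingest.example.com;            # assumed public hostname
    ssl_certificate     /etc/nginx/tls/ingest.crt;    # assumed path
    ssl_certificate_key /etc/nginx/tls/ingest.key;    # assumed path

    # Assumed cap on event payload size; keeps oversized bodies off the backend.
    client_max_body_size 1m;

    # The pattern quoted in the answer. As written, \d matches a
    # single-digit project ID only; requests for other IDs fall through
    # to the catch-all below.
    location ~ ^/api/\d/store/$ {
        # Any method other than POST is answered with 403 by nginx itself.
        limit_except POST {
            deny all;
        }

        # Assumed address of the internal Sentry web service.
        proxy_pass http://10.0.0.10:9000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else (UI, login, admin, other API routes) is never proxied.
    location / {
        return 404;
    }
}
```

Running `nginx -t` validates the file before reload; the access log of this server block then doubles as a record of every request that reached, or was refused at, the one exposed path.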