Firewall configuration

In this section

You must read this entire section to ensure that you configure your firewall correctly.

We recommend adding the appropriate URLs and IP addresses to any firewall rules that restrict employee access, and we request that you treat Vonage Contact Center as a business critical application. By this, we mean optimizing and prioritizing IP traffic to Vonage Contact Center over other non-critical traffic. This is to ensure real-time responses to agent requests (call steering buttons, call transfers, hold requests, and so on).

You should also review any IP packet inspection or local caching policies to optimize the user experience.

All inbound and outbound traffic requires port 443 (HTTPS). SFTP access to call recordings requires port 22.

Using URL allowlisting (recommended)

Add the following URLs to your allowlist:

*.newvoicemedia.com
*.api.newvoicemedia.com
*.contact-world.net
api.amplitude.com
bam.nr-data.net
js-agent.newrelic.com

You must also add the IP addresses specified in the following sections to your allowlist:

Inbound VCC traffic

Inbound IP addresses are used when Vonage Contact Center interacts with an external system where IP allowlisting is in place.
Such systems include Salesforce; a customer-owned or managed server or service; and other cloud provider services.

VCC home region	IP addresses (inbound)
EMEA	3.10.100.255 35.177.29.140 3.126.229.159 18.184.245.197
NAM	3.222.22.251 3.210.155.126 35.86.33.112 54.68.201.219
APAC	54.252.173.50 54.252.187.75 54.254.137.133 54.254.157.106 13.54.78.128 ^(new) 54.79.123.45 ^(new) 54.169.14.70 ^(new) 13.250.67.212 ^(new)

^*new — must be added to your allowlist by August 7, 2023

To make our WebRTC solution more resilient, we use two WebRTC providers. You must configure your firewall for both providers.

Adding an IP address to your outbound firewall enables both inbound and outbound WebRTC traffic so you do not need to add the IP address to your inbound firewall too.

Vonage WebRTC provider
When using WebRTC, you must use IPv4 over IPv6 in prefix policies.
Purpose Protocol Source IP Source port Destination port Destination IP
Signalling/presence TCP Your local network addresses *Ephemeral range 443 See Destination IP addresses.
Media UDP *Ephemeral range
*Ephemeral Range: The application will select any available port from a range depending on the operating system. On most machines, the port range is 1,024 to 65,535, with source ports generally up to 20,000 and destination ports generally over 50,000.

Destination IP addresses
Your firewall settings should allow outbound traffic as specified in the following list:
Backup WebRTC provider
Add all the IP addresses listed in the following pages to your allowlist:
- https://www.twilio.com/docs/stun-turn/regions
- https://www.twilio.com/docs/voice/client/javascript/voice-client-js-and-mobile-sdks-network-connectivity-requirements

If your agents use VPN clients, you must also add *.nexmo.com to your allowlist; failure to do so may result in agents not being able to use WebRTC.

Where relevant, you must also add *.nexmo.com to the VPN's proxy bypass list and then restart your agents' clients.

Using IP allowlisting

If your firewall does not support URL or DNS allowlisting, add the following IP addresses for your region to any existing firewall permissions.

Outbound VCC traffic

Outbound IP addresses

Outbound IP addresses are used for standard web access, for example, agents and supervisors accessing Vonage Contact Center applications. All customers will need to allow this.

If your firewall does not support URL/DNS allowlisting, add the following IP addresses for your region to any existing firewall permissions:

VCC Region	IP addresses (outbound)
EMEA	194.140.251.0/24 194.140.252.0/24 35.178.30.136 3.11.193.198 3.126.22.243 3.121.175.40
USA	107.23.216.122 18.208.11.69 54.176.97.247 54.176.165.234
APAC	13.236.101.83 13.55.214.98 52.74.111.52 52.77.102.86

--Amazon Web Services (AWS)

Most of VCC uses Amazon Web Services (AWS).

Add the IP addresses for your region as described in the following page: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.

This list of addresses is subject to change.

There might be multiple AWS regions associated with your VCC region:

VCC region	AWS Region ID	AWS Region Name
EMEA
	eu-central-1	Frankfurt
	eu-west-1	Dublin
	eu-west-2	London
USA
	us-east-1	North Virginia
	us-west-1	North California
	us-west-2	Oregon
APAC
	ap-southeast-1	Singapore
	ap-southeast-2	Sydney

Inbound VCC traffic

Inbound IP addresses are used when Vonage Contact Center interacts with an external system where IP allowlisting is in place.
Such systems include Salesforce; a customer-owned or managed server or service; and other cloud provider services.

VCC home region	IP addresses (inbound)
EMEA	3.10.100.255 35.177.29.140 3.126.229.159 18.184.245.197
NAM	3.222.22.251 3.210.155.126 35.86.33.112 54.68.201.219
APAC	54.252.173.50 54.252.187.75 54.254.137.133 54.254.157.106 13.54.78.128 ^(new) 54.79.123.45 ^(new) 54.169.14.70 ^(new) 13.250.67.212 ^(new)

^*new — must be added to your allowlist by August 7, 2023

Amplitude

Add the IP addresses specified in the following page to any existing firewall permissions:

https://help.amplitude.com/hc/en-us/articles/360024419152

Cloudfront

Add the IP addresses specified in the following page to any existing firewall permissions:

http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips. Note that this list of addresses is subject to change.

NewRelic

Add this range of IP addresses—162.247.240.0/22—to any existing firewall permissions:

To make our WebRTC solution more resilient, we use two WebRTC providers. You must configure your firewall for both providers.

Adding an IP address to your outbound firewall enables both inbound and outbound WebRTC traffic so you do not need to add the IP address to your inbound firewall too.

Vonage WebRTC provider
When using WebRTC, you must use IPv4 over IPv6 in prefix policies.
Purpose Protocol Source IP Source port Destination port Destination IP
Signalling/presence TCP Your local network addresses *Ephemeral range 443 See Destination IP addresses.
Media UDP *Ephemeral range
*Ephemeral Range: The application will select any available port from a range depending on the operating system. On most machines, the port range is 1,024 to 65,535, with source ports generally up to 20,000 and destination ports generally over 50,000.

Destination IP addresses
Your firewall settings should allow outbound traffic as specified in the following list:
Backup WebRTC provider
Add all the IP addresses listed in the following pages to your allowlist:
- https://www.twilio.com/docs/stun-turn/regions
- https://www.twilio.com/docs/voice/client/javascript/voice-client-js-and-mobile-sdks-network-connectivity-requirements

If your agents use VPN clients, you must also add *.nexmo.com to your allowlist; failure to do so may result in agents not being able to use WebRTC.

Where relevant, you must also add *.nexmo.com to the VPN's proxy bypass list and then restart your agents' clients.

Purpose	Protocol	Source IP	Source port	Destination port	Destination IP
Signalling/presence	TCP	Your local network addresses	*Ephemeral range	443	See Destination IP addresses.
Media	UDP	Your local network addresses	*Ephemeral range	*Ephemeral range	See Destination IP addresses.