View Source

Firewall configuration

In this section

Version history

You must read this entire section to ensure that you configure your firewall correctly.

We recommend adding the appropriate URLs and IP addresses to any firewall rules that restrict employee access, and we request that you treat Vonage Contact Center as a business critical application. By this, we mean optimizing and prioritizing IP traffic to Vonage Contact Center over other non-critical traffic. This is to ensure real-time responses to agent requests (call steering buttons, call transfers, hold requests, and so on).

You should also review any IP packet inspection or local caching policies to optimize the user experience.

Ports

Outbound

All outbound traffic requires TCP port 443 (HTTPS). Responses are sent to a range of ephemeral ports. This requirement applies to:

VCC traffic, regardless of whether you use URL or IP allowlisting
VCC APIs
WebRTC traffic (see WebRTC sections later in this page for information about other ports required for WebRTC traffic)
All other third-party traffic (Amplitude, Cloudfront, and NewRelic)

SFTP access to call recordings requires TCP port 22.

Inbound

All inbound traffic requires access to destination TCP port 443 (HTTPS) on our servers to establish a connection. Responses are sent to a range of ephemeral ports.

Virtual private network (VPN)

We recommend using a split tunnel configuration to ensure that traffic—especially voice traffic—to Vonage services is routed directly from the end user to our platform and not through a VPN. We do not recommend tunneling voice connectivity through a VPN tunnel due to the potential adverse effect on voice quality.

Using URL allowlisting (recommended)

Add the following URLs to your allowlist:

*.newvoicemedia.com
*.api.newvoicemedia.com
*.contact-world.net
api.amplitude.com
bam.nr-data.net
js-agent.newrelic.com
*.nexmo.com

You must also add the IP addresses specified in the following sections to your allowlist:

Using IP allowlisting

If your firewall does not support URL or DNS allowlisting, add the following IP addresses for your region to any existing firewall permissions.

Outbound VCC traffic

Outbound IP addresses are used for standard web access, for example, agents and supervisors accessing Vonage Contact Center applications. All customers will need to allow outbound IP addresses.

If your firewall does not support URL/DNS allowlisting, add the following IP addresses for your region to any existing firewall permissions:

VCC Region	IP addresses (outbound)
EMEA	35.178.30.136 3.11.193.198 3.126.22.243 3.121.175.40
USA	107.23.216.122 18.208.11.69 54.176.97.247 54.176.165.234
APAC	13.236.101.83 13.55.214.98 52.74.111.52 52.77.102.86

--Amazon Web Services (AWS)

Most of VCC uses Amazon Web Services (AWS).

Add the IP addresses for your region as described in the following page: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.

This list of addresses is subject to change.

There might be multiple AWS regions associated with your VCC region:

VCC region	AWS region ID	AWS region name
EMEA
	eu-central-1	Frankfurt
	eu-west-2	London
USA
	us-east-1	North Virginia
	us-west-1	North California
	us-west-2	Oregon
APAC
	ap-southeast-1	Singapore
	ap-southeast-2	Sydney

Amplitude

Add the IP addresses specified in the following page to any existing firewall permissions:

https://help.amplitude.com/hc/en-us/articles/360024419152

Cloudfront

Add the IP addresses specified in the following page to any existing firewall permissions:

http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips.

The IP addresses are all inbound addresses.

NewRelic

Add this range of IP addresses—162.247.240.0/22—to any existing firewall permissions.

The IP addresses are all inbound addresses.