Set up your network to use the Amazon Connect Contact Control Panel (CCP)
Traditional VoIP solutions require you to allow both inbound and outbound traffic for specific UDP port ranges, IP addresses, and TCP ports such as 80 and 443. In comparison, the network requirements for using the Contact Control Panel (CCP) with a softphone are less intrusive: the browser establishes persistent outbound connections and sends and receives over them, so you don't need to open a client-side port to listen for inbound traffic.
The following diagram shows you what each port is used for.
The following sections describe the two primary connectivity options for using the CCP.
Contents
- Option 1 (recommended): Replace Amazon EC2 and CloudFront IP range requirements with a domain allowlist
- Option 2 (not recommended): Allow IP address ranges
- About Amazon Connect IP address ranges
- Stateless firewalls
- Allow upload of time-off balances and allowances in Amazon Connect scheduling
- Allow DNS resolution for softphones
- Port and protocol considerations
- Region selection considerations
- Agents using Amazon Connect remotely
- Rerouting audio
- Using AWS Direct Connect
- Agent workstation requirements for app, web, and video calling in Amazon Connect
- Detailed Network Paths
- Use Amazon Connect in a VDI environment
- How call center agents connect to the Contact Control Panel (CCP)
- Use an allowlist for integrated applications in Amazon Connect
- Update your domain
Option 1 (recommended): Replace Amazon EC2 and CloudFront IP range requirements with a domain allowlist
This first option lets you significantly reduce your blast radius.
We recommend trying Option 1 and testing it with more than 200 calls. Test for softphone errors, dropped calls, and conference/transfer functionality. If your error rate is greater than 2 percent, there might be an issue with proxy resolution. If that's the case, consider using Option 2.
To allow traffic for Amazon EC2 endpoints, allow access for the URL and port, as shown in the first row of the following table. Do this instead of allowing all of the IP address ranges listed in the ip-ranges.json file. You get the same benefit using a domain for CloudFront, as shown in the second row of the following table.
Domain/URL allowlist | AWS Region | Ports | Direction | Traffic
---|---|---|---|---
rtc*.connect-telecom.region.amazonaws.com. This is used by ccp-v1. See the tip following this table. | Replace region with the Region where your Amazon Connect instance is located | 443 (TCP) | OUTBOUND | SEND/RECEIVE
Minimum allowlist for *.my.connect.aws; minimum allowlist for *.awsapps.com. Important: awsapps.com is an old domain that is going away. For instructions about updating your domain to my.connect.aws, see Update your Amazon Connect domain. | Replace region with the Region where your Amazon Connect instance is located | 443 (TCP) | OUTBOUND | SEND/RECEIVE
*.telemetry.connect.region.amazonaws.com | Replace region with the Region where your Amazon Connect instance is located | 443 (TCP) | OUTBOUND | SEND/RECEIVE
participant.connect.region.amazonaws.com | Replace region with the Region where your Amazon Connect instance is located | 443 (TCP) | OUTBOUND | SEND/RECEIVE
*.transport.connect.region.amazonaws.com. This is used by ccp-v2. | Replace region with the Region where your Amazon Connect instance is located | 443 (TCP) | OUTBOUND | SEND/RECEIVE
 | Replace region with the Region where your Amazon Connect instance is located | 443 (TCP) | OUTBOUND | SEND/RECEIVE
TurnNlb-*.elb.region.amazonaws.com. To instead add specific endpoints to your allowlist based on Region, see NLB endpoints. | Replace region with the Region where your Amazon Connect instance is located | 3478 (UDP) | OUTBOUND | SEND/RECEIVE
This is used only if you have onboarded to Amazon Connect Global Resiliency. | Replace region with the Region where your Amazon Connect instance is located | 443 (HTTPS) | OUTBOUND | SEND/RECEIVE
*. This is needed only if you have onboarded to Amazon Connect Global Resiliency. | Replace region with the Region where your Amazon Connect instance is located | 443 (HTTPS) | OUTBOUND | SEND/RECEIVE
Fully qualified domain names (FQDNs) cannot be changed or customized on a per-customer basis. If your environment requires that, use Option 2 (allow IP address ranges) instead.
Tip
When using rtc*.connect-telecom.region.amazonaws.com, *.transport.connect.region.amazonaws.com, and https://myInstanceName.awsapps.com with certain proxy applications, web socket handling may impact functionality. Be sure to test and validate before deploying to a production environment.
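To see what the wildcards in the table above actually admit, here is an added example (written for this page, not code from the Amazon Connect documentation or the Streams library) that renders the table's entries for a chosen Region and checks candidate hostnames against them. The wildcard semantics are an assumption modelled on how proxies usually treat them: a leading `*.` covers one or more labels, any other `*` stays inside a single label, and every pattern is anchored at both ends, so a lookalike such as transport.connect.us-east-1.amazonaws.com.attacker.example (a constructed name) is rejected. The instance name `myinstance` is also made up.

```python
import re

# Allowlist entries from the Option 1 table, with the docs' literal "region"
# placeholder still in place. Only the entries the page spells out are listed.
ALLOWLIST_TEMPLATES = [
    "rtc*.connect-telecom.region.amazonaws.com",  # ccp-v1 signalling, TCP 443
    "*.transport.connect.region.amazonaws.com",   # ccp-v2 signalling, TCP 443
    "*.telemetry.connect.region.amazonaws.com",   # TCP 443
    "participant.connect.region.amazonaws.com",   # TCP 443
    "TurnNlb-*.elb.region.amazonaws.com",         # TURN relay, UDP 3478
    "*.my.connect.aws",                           # instance login / static content
]

LABEL = r"[a-z0-9-]"  # characters permitted inside one DNS label


def render_allowlist(region, templates=ALLOWLIST_TEMPLATES):
    """Bind the docs' 'region' placeholder to the instance's Region."""
    return [t.replace(".region.", f".{region}.") for t in templates]


def pattern_to_regex(pattern):
    """Compile one allowlist entry into an anchored regular expression.

    Assumed semantics: a leading '*.' matches one or more labels; any other
    '*' matches zero or more characters inside a single label, so
    'TurnNlb-*.elb.' cannot be satisfied by inserting an extra dot-separated
    label. Both ends are anchored so a name that merely *contains* an allowed
    domain does not pass.
    """
    if pattern.startswith("*."):
        head = rf"(?:{LABEL}+\.)+"
        rest = pattern[2:]
    else:
        head = ""
        rest = pattern
    body = re.escape(rest).replace(r"\*", rf"{LABEL}*")
    return re.compile(rf"^{head}{body}$", re.IGNORECASE)


def is_allowed(hostname, region, templates=ALLOWLIST_TEMPLATES):
    """True if hostname matches any rendered allowlist entry for region."""
    host = hostname.rstrip(".").lower()  # normalise FQDN trailing dot and case
    return any(pattern_to_regex(p).match(host)
               for p in render_allowlist(region, templates))


if __name__ == "__main__":
    for host in [
        "TurnNlb-d76454ac48d20c1e.elb.us-east-1.amazonaws.com",  # NLB endpoint from the docs
        "myinstance.my.connect.aws",                             # constructed instance name
        "transport.connect.us-east-1.amazonaws.com.attacker.example",  # constructed, must fail
    ]:
        print(f"{host}: {'allow' if is_allowed(host, 'us-east-1') else 'deny'}")
```

If your proxy treats `*` as matching across dots, the same TurnNlb entry becomes far broader than the table intends; check the product's wildcard rules before copying the entries in.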
The following table lists the CloudFront domains used for static assets if you want to add domains to your allowlist instead of IP ranges:
Region | CloudFront Domain
---|---
us-east-1 | https://dd401jc05x2yk.cloudfront.net/ https://d1f0uslncy85vb.cloudfront.net/
us-west-2 | https://d38fzyjx9jg8fj.cloudfront.net/ https://d366s8lxuwna4d.cloudfront.net/
ap-northeast-1 | https://d3h58onr8hrozw.cloudfront.net/ https://d13ljas036gz6c.cloudfront.net/
ap-northeast-2 | https://d11ouwvqpq1ads.cloudfront.net/
ap-southeast-1 | https://d2g7up6vqvaq2o.cloudfront.net/ https://d12o1dl1h4w0xc.cloudfront.net/
ap-southeast-2 | https://d2190hliw27bb8.cloudfront.net/ https://d3mgrlqzmisce5.cloudfront.net/
eu-central-1 | https://d1n9s7btyr4f0n.cloudfront.net/ https://d3tqoc05lsydd3.cloudfront.net/
eu-west-2 | https://dl32tyuy2mmv6.cloudfront.net/ https://d2p8ibh10q5exz.cloudfront.net/
Note
ca-central-1 isn't included in the table because static content for that Region is hosted behind the domain *.my.connect.aws.
If your business does not use SAML, and you have firewall restrictions, you can add the following entries per Region:
Region | CloudFront Domain / static content URL
---|---
us-east-1 | https://d32i4gd7pg4909.cloudfront.net/
us-west-2 | https://d18af777lco7lp.cloudfront.net/
eu-west-2 | https://d16q6638mh01s7.cloudfront.net/
ap-northeast-1 | https://d2c2t8mxjhq5z1.cloudfront.net/
ap-northeast-2 | https://d9j3u8qaxidxi.cloudfront.net/
ap-southeast-1 | https://d3qzmd7y07pz0i.cloudfront.net/
ap-southeast-2 | https://dwcpoxuuza83q.cloudfront.net/
eu-central-1 | https://d1whcm49570jjw.cloudfront.net/
ca-central-1 | https://d2wfbsypmqjmog.cloudfront.net/
us-gov-east-1 | https://s3-us-gov-east-1.amazonaws.com/warp-drive-console-static-content-prod-osu/
us-gov-west-1 | https://s3-us-gov-west-1.amazonaws.com/warp-drive-console-static-content-prod-pdt/
NLB endpoints
The following table lists the specific endpoints for the Region the Amazon Connect instance is in. If you don't want to use the TurnNlb-*.elb.region.amazonaws.com wildcard, you can add these endpoints to your allowlist instead.
Region | TURN Domain/URL
---|---
us-west-2 | TurnNlb-8d79b4466d82ad0e.elb.us-west-2.amazonaws.com TurnNlb-dbc4ebb71307fda2.elb.us-west-2.amazonaws.com TurnNlb-13c884fe3673ed9f.elb.us-west-2.amazonaws.com
us-east-1 | TurnNlb-d76454ac48d20c1e.elb.us-east-1.amazonaws.com TurnNlb-31a7fe8a79c27929.elb.us-east-1.amazonaws.com TurnNlb-7a9b8e750cec315a.elb.us-east-1.amazonaws.com
af-south-1 | TurnNlb-29b8f2824c2958b8.elb.af-south-1.amazonaws.com
ap-northeast-1 | TurnNlb-3c6ddabcbeb821d8.elb.ap-northeast-1.amazonaws.com
ap-northeast-2 | TurnNlb-a2d59ac3f246f09a.elb.ap-northeast-2.amazonaws.com
ap-southeast-1 | TurnNlb-261982506d86d300.elb.ap-southeast-1.amazonaws.com
ap-southeast-2 | TurnNlb-93f2de0c97c4316b.elb.ap-southeast-2.amazonaws.com
ca-central-1 | TurnNlb-b019de6142240b9f.elb.ca-central-1.amazonaws.com
eu-central-1 | TurnNlb-ea5316ebe2759cbc.elb.eu-central-1.amazonaws.com
eu-west-2 | TurnNlb-1dc64a459ead57ea.elb.eu-west-2.amazonaws.com
us-gov-west-1 | TurnNlb-d7c623c23f628042.elb.us-gov-west-1.amazonaws.com
Option 2 (not recommended): Allow IP address ranges
The second option relies on an allowlist that defines the IP addresses and ports Amazon Connect can use. You build this allowlist from the IP addresses published in the AWS ip-ranges.json file. If the Region you are using Amazon Connect in does not appear in the ip-ranges.json file, use just the GLOBAL values. For more information about this file, see About Amazon Connect IP address ranges.
IP-Ranges entry | AWS Region | Ports/Protocols | Direction | Traffic
---|---|---|---|---
AMAZON_CONNECT | GLOBAL and the Region where your Amazon Connect instance is located (add GLOBAL and any region-specific entry to your allowlist) | 3478 (UDP) | OUTBOUND | SEND/RECEIVE
EC2 | GLOBAL and the Region where your Amazon Connect instance is located (GLOBAL only if a region-specific entry doesn't exist) | 443 (TCP) | OUTBOUND | SEND/RECEIVE
CLOUDFRONT | Global* | 443 (TCP) | OUTBOUND | SEND/RECEIVE
*CloudFront serves static content such as images or javascript from an edge location that has the lowest latency in relation to where your agents are located. IP range allow lists for CloudFront are global and require all IP ranges associated with "service": "CLOUDFRONT" in the ip-ranges.json file.
About Amazon Connect IP address ranges
In the AWS ip-ranges.json file, the /19 IP address range isn't shared with other services. It's for the exclusive use of Amazon Connect globally.
In the AWS ip-ranges.json file, you can see the same range listed twice. For example:
```json
{ "ip_prefix": "15.193.0.0/19", "region": "GLOBAL", "service": "AMAZON" },
{ "ip_prefix": "15.193.0.0/19", "region": "GLOBAL", "service": "AMAZON_CONNECT" }
```
AWS always publishes any IP range twice: once for the specific service, and once for the "AMAZON" service. There can even be a third listing for a more specific use case within a service.
When new IP address ranges are added for Amazon Connect, they are published in the public ip-ranges.json file at least 30 days before the service starts using them. After that 30-day period, softphone traffic through the new ranges ramps up over the following two weeks, after which the new ranges carry traffic on a par with all other available ranges.
For more information about this file and IP address ranges in AWS, see AWS IP Address Ranges.
Stateless firewalls
If you're using a stateless firewall with either option, apply the requirements described in the previous sections, and then also add to your allowlist the ephemeral port range used by your browser, as shown in the following table. Without connection tracking, the UDP media returning from the TURN relay to the browser's ephemeral source port is otherwise dropped.
IP-Range entry | Port | Direction | Traffic
---|---|---|---
AMAZON_CONNECT | For a Windows environment: 49152-65535 (UDP). For a Linux environment: 32768-61000 (UDP) | INBOUND | SEND/RECEIVE
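The following added example (written for this page, not AWS code) ties Option 2, the ip-ranges.json notes above and the stateless-firewall rule together. It reads an ip-ranges.json document, applies the per-service Region rules from the Option 2 table, skips the duplicate "AMAZON" listing of each range, emits outbound rules with the table's ports, adds the inbound ephemeral-port rule when the firewall is stateless, and diffs the result against an existing allowlist so that ranges still inside the 30-day window are caught before the service starts using them. The embedded document is constructed: 15.193.0.0/19 is the range the page shows; every other prefix is an RFC 5737 documentation or RFC 2544 benchmarking range, not an AWS address.

```python
import ipaddress
import json

# Constructed excerpt in the shape of AWS ip-ranges.json. 15.193.0.0/19 is the
# AMAZON_CONNECT range the page shows (published twice, once as AMAZON and once
# as AMAZON_CONNECT); every other prefix is a documentation/benchmarking range
# and does not belong to AWS.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "15.193.0.0/19",   "region": "GLOBAL",         "service": "AMAZON"},
        {"ip_prefix": "15.193.0.0/19",   "region": "GLOBAL",         "service": "AMAZON_CONNECT"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",      "service": "AMAZON_CONNECT"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",      "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1",      "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24",    "region": "GLOBAL",         "service": "EC2"},
        {"ip_prefix": "198.18.0.0/16",   "region": "GLOBAL",         "service": "CLOUDFRONT"},
        {"ip_prefix": "198.19.0.0/16",   "region": "ap-southeast-1", "service": "CLOUDFRONT"},
    ],
})

# Ports/protocols from the Option 2 table.
SERVICE_PORTS = {
    "AMAZON_CONNECT": ("udp", "3478"),
    "EC2": ("tcp", "443"),
    "CLOUDFRONT": ("tcp", "443"),
}

# Browser ephemeral ranges from the stateless-firewall table.
EPHEMERAL_UDP = {"windows": "49152-65535", "linux": "32768-61000"}


def load_sample():
    """Parse the constructed ip-ranges.json document above."""
    return json.loads(SAMPLE_IP_RANGES)


def select_prefixes(ip_ranges, service, region):
    """Pick the prefixes for one service following the table's Region rules.

    AMAZON_CONNECT: GLOBAL plus the instance Region.
    EC2:            the instance Region, falling back to GLOBAL only when the
                    Region has no EC2 entry.
    CLOUDFRONT:     every Region (edge locations follow the agent, not the instance).
    Filtering on "service" also drops the duplicate "AMAZON" listing of each range.
    """
    rows = [p for p in ip_ranges["prefixes"] if p["service"] == service]
    if service == "CLOUDFRONT":
        chosen = rows
    elif service == "EC2":
        regional = [p for p in rows if p["region"] == region]
        chosen = regional or [p for p in rows if p["region"] == "GLOBAL"]
    else:
        chosen = [p for p in rows if p["region"] in ("GLOBAL", region)]
    nets = {ipaddress.ip_network(p["ip_prefix"]) for p in chosen}  # dedupe
    return [str(n) for n in sorted(nets)]


def build_rules(ip_ranges, region, stateless=False, os_family="windows"):
    """Return (service, prefix, proto, ports, direction) tuples for the allowlist."""
    rules = []
    for service, (proto, port) in SERVICE_PORTS.items():
        for prefix in select_prefixes(ip_ranges, service, region):
            rules.append((service, prefix, proto, port, "OUTBOUND"))
            if stateless and service == "AMAZON_CONNECT":
                # No connection tracking: media returning from the TURN relay to
                # the browser's ephemeral port must be allowed explicitly.
                rules.append((service, prefix, proto, EPHEMERAL_UDP[os_family], "INBOUND"))
    return rules


def prefixes_missing_from(rules, allowed_prefixes):
    """Prefixes the generated rules need that the current allowlist lacks.

    Run this against each new ip-ranges.json publication: AWS keeps new
    ranges unused for at least 30 days, which is the window you have to add them.
    """
    allowed = {ipaddress.ip_network(p) for p in allowed_prefixes}
    return sorted({r[1] for r in rules if ipaddress.ip_network(r[1]) not in allowed})


if __name__ == "__main__":
    doc = load_sample()
    for rule in build_rules(doc, "us-east-1", stateless=True, os_family="linux"):
        print("%-14s %-18s %s/%s %s" % rule)
```

Against the real file, replace `load_sample()` with the JSON fetched from the ip-ranges.json URL in About Amazon Connect IP address ranges; the rest is unchanged.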
Allow upload of time-off balances and allowances in Amazon Connect scheduling
To allow upload of time-off balances and allowances in Amazon Connect scheduling, add the following upload endpoints to your proxy exception list, replacing region with the Region where your Amazon Connect instance is located:
- https://bm-prod-region-cell-1-uploadservice-staging.s3.region.amazonaws.com
- https://bm-prod-region-cell-2-uploadservice-staging.s3.region.amazonaws.com
For more information about the activities these endpoints support, see the following topics:
Allow DNS resolution for softphones
If you already added the Amazon Connect IP ranges to your allowlist, and you don't restrict DNS name resolution, you don't need to add TurnNlb-*.elb.region.amazonaws.com to your allowlist.
- To check whether there are restrictions on DNS name resolution, while on your network, use the nslookup command. For example:
  nslookup TurnNlb-d76454ac48d20c1e.elb.us-east-1.amazonaws.com
  If you can't resolve the DNS name, you must add the TurnNlb endpoints listed above or TurnNlb-*.elb.region.amazonaws.com to your allowlist.
If you don't allow this domain, your agents get the following error in their Contact Control Panel (CCP) when they try to answer a call:
- Failed to establish softphone connection. Try again or contact your administrator with the following: Browser unable to establish media channel with turn:TurnNlb-xxxxxxxxxxxxx.elb.region.amazonaws.com:3478?transport=udp
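An added example (not part of the AWS documentation) that automates the nslookup check above and parses the CCP error so the unresolved TURN host can be pulled straight from an agent's report. It resolves through the operating system's resolver via socket.gethostbyname rather than the nslookup binary, so the result reflects the same resolution path the browser uses, and it accepts an injected resolver (the table_resolver helper, an assumption of this example) so the logic can be exercised offline with constructed answers. Only the us-east-1 NLB endpoints from the table above are listed.

```python
import re
import socket

# NLB endpoints from the page's "NLB endpoints" table (us-east-1 only here).
TURN_ENDPOINTS_US_EAST_1 = [
    "TurnNlb-d76454ac48d20c1e.elb.us-east-1.amazonaws.com",
    "TurnNlb-31a7fe8a79c27929.elb.us-east-1.amazonaws.com",
    "TurnNlb-7a9b8e750cec315a.elb.us-east-1.amazonaws.com",
]

# Matches the TURN URI inside the CCP softphone error the page quotes.
TURN_URI_RE = re.compile(
    r"turn:(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})\?transport=(?P<proto>udp|tcp)"
)


def turn_target_from_ccp_error(message):
    """Extract (host, port, proto) from a CCP 'Failed to establish softphone connection' error."""
    m = TURN_URI_RE.search(message)
    if not m:
        return None
    return m.group("host"), int(m.group("port")), m.group("proto")


def table_resolver(table):
    """Build a resolver over a fixed name->address dict (stands in for DNS in tests)."""
    def resolve(name):
        try:
            return table[name]
        except KeyError:
            # Same exception type the OS resolver raises for NXDOMAIN.
            raise socket.gaierror(-2, f"no such name: {name}")
    return resolve


def check_turn_resolution(hosts, resolve=socket.gethostbyname):
    """Resolve each TURN host; return {host: bool}. Uses the OS resolver by default."""
    status = {}
    for host in hosts:
        try:
            resolve(host)
            status[host] = True
        except OSError:  # socket.gaierror and socket.herror are OSError subclasses
            status[host] = False
    return status


def unresolved_allowlist_entries(hosts, region, resolve=socket.gethostbyname):
    """Return (failed_hosts, wildcard) where wildcard is the entry that covers them.

    If anything fails, add either the listed endpoints or the wildcard
    TurnNlb-*.elb.<region>.amazonaws.com to the allowlist.
    """
    failed = [h for h, ok in check_turn_resolution(hosts, resolve).items() if not ok]
    wildcard = f"TurnNlb-*.elb.{region}.amazonaws.com" if failed else None
    return failed, wildcard


if __name__ == "__main__":
    failed, wildcard = unresolved_allowlist_entries(TURN_ENDPOINTS_US_EAST_1, "us-east-1")
    if failed:
        print("unresolved:", *failed, sep="\n  ")
        print("add these endpoints or", wildcard, "to your allowlist")
    else:
        print("all TURN endpoints resolve on this network")
```

Run it from an agent workstation, not from a server subnet: DNS policy often differs between the two, and the browser's answer is the one that matters.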
Port and protocol considerations
Consider the following when implementing your network configuration changes for Amazon Connect:
- You need to allow traffic for all addresses and ranges for the Region in which you created your Amazon Connect instance.
- If you are using a proxy or firewall between the CCP and Amazon Connect, increase the SSL certificate cache timeout to cover the duration of an entire shift for your agents. Do this to avoid connectivity issues with certificate renewals during their scheduled working time. For example, if your agents are scheduled to work 8-hour shifts that include breaks, increase the interval to 8 hours plus time for breaks and lunch.
- When opening ports, Amazon EC2 and Amazon Connect require only the ports for endpoints in the same Region as your instance. CloudFront, however, serves static content from an edge location that has the lowest latency in relation to where your agents are located. IP range allowlists for CloudFront are global and require all IP ranges associated with "service": "CLOUDFRONT" in ip-ranges.json.
- Once ip-ranges.json is updated, the associated AWS service begins using the updated IP ranges after 30 days. To avoid intermittent connectivity issues when the service begins routing traffic to the new IP ranges, add the new IP ranges to your allowlist within 30 days of the time they were added to ip-ranges.json.
- If you are using a custom CCP with the Amazon Connect Streams API, you can create a media-less CCP that does not require opening ports for communication with Amazon Connect, but it still requires ports opened for communication with Amazon EC2 and CloudFront.
Region selection considerations
Amazon Connect Region selection is contingent upon data governance requirements, use case, services available in each Region, and latency in relation to your agents, contacts, and external transfer endpoint geography.
- Agent location/network—CCP connectivity traverses the public WAN, so it is important that the workstation has the lowest latency and fewest hops possible, specifically to the AWS Region where your resources and Amazon Connect instance are hosted. For example, hub-and-spoke networks that need to make several hops to reach an edge router can add latency and reduce the quality of experience.
When you set up your instance and agents, create your instance in the Region that is geographically closest to the agents. If you need to set up an instance in a specific Region to comply with company policies or other regulations, choose the configuration that results in the fewest network hops between your agents' computers and your Amazon Connect instance.
- Location of your callers—Because calls are anchored to your Amazon Connect Region endpoint, they are subject to PSTN latency. Ideally your callers and transfer endpoints are geographically located as closely as possible to the AWS Region where your Amazon Connect instance is hosted for lowest latency.
For optimal performance, and to limit the latency for your customers when they call in to your contact center, create your Amazon Connect instance in the Region that is geographically closest to where your customers call from. You might consider creating multiple Amazon Connect instances and providing customers with the number that is closest to where they call from.
- External transfers—Calls transferred out of Amazon Connect remain anchored to your Amazon Connect Region endpoint for the duration of the call. Per-minute usage continues to accrue until the call is disconnected by the recipient of the transferred call. The call is not recorded after the agent drops or the transfer completes. The contact record and associated call recording of a transferred call are generated after the call is terminated. Whenever possible, don't transfer calls that could be transferred back into Amazon Connect (known as circular transfers), to avoid compounding PSTN latency.
Agents using Amazon Connect remotely
Remote agents (those who use Amazon Connect from a location that is not connected to your organization's main network) may experience issues relating to their local network if they have an unstable connection, packet loss, or high latency. This is compounded if a VPN is required to access resources. Ideally, the agents are located close to the AWS Region where your AWS resources and Amazon Connect instance are hosted, and have a stable connection to the public WAN.
Rerouting audio
When rerouting audio to an existing device, consider the location of the device in relation to your Amazon Connect Region. This is so you can account for potential additional latency. If you reroute your audio, whenever there is a call intended for the agent, an outbound call is placed to the configured device. When the agent answers the device, that agent is connected with the caller. If the agent does not answer their device, they are moved into a missed contact state until they or a supervisor changes their state back to available.
Using AWS Direct Connect
Contact Control Panel (CCP) network connectivity issues are most often rooted in your route to AWS using private WAN/LAN, ISP, or both. While AWS Direct Connect does not solve issues specific to private LAN/WAN traversal to your edge router, it can help solve for latency and connectivity issues between your edge router and AWS resources. AWS Direct Connect provides a durable, consistent connection rather than relying on your ISP to dynamically route requests to AWS resources. It also allows you to configure your edge router to redirect AWS traffic across dedicated fiber rather than traversing the public WAN.