Cloud media services CIDR IP address range
Genesys Cloud’s cloud media services CIDR block provides you with a small range of IP addresses for outbound connections to and from telephony endpoints. Having a smaller range of Genesys-owned IP addresses for all the Genesys Cloud media services means a reduced number of allowed connection targets on your organization’s firewall and, because all the IP addresses are owned by Genesys, ultimately improves security.
The Genesys Cloud CIDR is applicable to the following Genesys Cloud services:
- WebRTC stations
- Polycom stations with Genesys Cloud Voice or BYOC Cloud
- BYOC Cloud
- ACD screen recording
- Video chat
- BYOC Premises Edge Appliances (using WebRTC and Hybrid Media)
Genesys is also using CIDR addresses for all TURN services. For more information, see Use the Relay/TURN Behavior feature.
The implementation of Genesys Cloud CIDR differs between the commercial regions and the FedRAMP region.
IP address information for commercial regions
Core and Satellite commercial regions use the following CIDR address ranges:
- 52.129.96.0/20
- 169.150.104.0/21
- 167.234.48.0/20
- 136.245.64.0/18
You must add the full set of CIDR block IP addresses to your existing firewall allowlist in order for Genesys Cloud to function properly.
| Americas | EMEA | Asia Pacific |
|---|---|---|
| US-West (Oregon), US-East (N.Virginia), Canada (Central), South America (Sao Paulo), Mexico (Central) | Europe (Frankfurt), Europe (Dublin), Europe (London), Europe (Zurich), Europe (Paris), Middle East (UAE), Africa (Cape Town) | Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Hong Kong), Asia Pacific (Singapore), Asia Pacific (Jakarta) |
Full support of Genesys Cloud's cloud media services CIDR block in this region.
Satellite region
Readiness tests for commercial regions
The following sections contain tests that allow you to confirm your organization's readiness for the CIDR IP address range and the RTP ports. Genesys recommends that you run the tests for each Genesys Cloud feature that your organization uses.
General AWS Direct Connect information
AWS advertises the Genesys CIDR block both publicly and within Direct Connect.
- Direct Connect customers who are not performing route filtering have no additional changes to make. However, Genesys recommends doing a lookup on the route table to ensure you are seeing the Genesys CIDR blocks. For example, if a Genesys CIDR block has a /20 mask, AWS may segment the block into /21’s, /22’s, /23’s, /24’s, and so on.
- Direct Connect customers who are performing route filtering must permit the Genesys CIDR blocks. For example, if a Genesys CIDR block has a /20 mask, AWS may segment the block into /21’s, /22’s, /23’s, /24’s, and so on.
- Direct Connect customers who need to filter region specific Genesys Cloud CIDRs should use prefix-lists and community tags. The prefix-list for the /20 mask should allow /20 and any prefix less than /32, and the prefix-list for the /21 mask should allow /21 and anything less than /32. The community tag set by AWS for region specific prefixes is 7224:8100. To verify the correct community tag, see the AWS Routing policies and BGP communities section of the AWS Direct Connect user guide. By using both of these filtering techniques, customers can automatically accept regional Genesys Cloud CIDRs.
For more information on AWS Direct Connect routing and filtering, see AWS Routing policies and BGP communities.
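The check below is an added example, not Genesys or AWS tooling. It reports which parts of the commercial CIDR blocks are missing from a firewall allowlist or a received route table, and it treats segmented entries (/21, /22, and so on) and wider supernets as coverage. The sample entries are constructed for illustration.

```python
import ipaddress

# Commercial-region Genesys Cloud CIDR blocks, as listed on this page.
GENESYS_COMMERCIAL = [
    "52.129.96.0/20",
    "169.150.104.0/21",
    "167.234.48.0/20",
    "136.245.64.0/18",
]

# Constructed sample: allowlist or route-table entries after segmentation.
# 169.150.110.0/23 has been left out on purpose.
SAMPLE_ENTRIES = [
    "52.129.96.0/21", "52.129.104.0/21",
    "169.150.104.0/22", "169.150.108.0/23",
    "167.234.48.0/20", "136.245.64.0/18",
]


def uncovered(required, present):
    """Return the parts of `required` that no entry in `present` covers."""
    have = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in present))
    gaps = []
    for block in map(ipaddress.ip_network, required):
        remaining = [block]
        for net in have:
            nxt = []
            for r in remaining:
                if r.subnet_of(net):
                    continue                             # fully covered
                if net.subnet_of(r):
                    nxt.extend(r.address_exclude(net))   # carve out covered part
                else:
                    nxt.append(r)                        # disjoint, keep as is
            remaining = nxt
        gaps.extend(ipaddress.collapse_addresses(remaining))
    return sorted(gaps)


if __name__ == "__main__":
    for gap in uncovered(GENESYS_COMMERCIAL, SAMPLE_ENTRIES):
        print("not covered:", gap)
```

An empty result means every address in the required blocks is permitted or routed; pass the FedRAMP block as `required` to run the same check for that region.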
Direct Connect example
For this example, suppose that the Direct Connect circuit terminates into us-east-1 and AWS is advertising a Genesys prefix of 169.150.106.0/24 out of the us-east-1 region and 169.150.107.0/24 out of the us-west-2 region. The Direct Connect customer receives both advertisements on their us-east-1 circuit.
To filter these networks and prefer, or accept, the 169.150.106.0/24 prefix, the customer uses a prefix-list and community tag. The prefix-list should allow 169.150.104.0/21 and include any prefix less than /32. The community tag match would be for 7224:8100.
In this case, the community tag is a unique identifier for a region's route advertisements from AWS. The community tag set by AWS allows a customer to differentiate routes from region, continent, or global. Therefore, the applied filters would cause the us-east-1 prefix, 169.150.106.0/24, to be matched on the Direct Connect circuit in us-east-1. The us-west-2 prefix, 169.150.107.0/24, would not be matched and could be dropped or set as a least preferred path.
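The filter logic of this example, modeled in Python as an added illustration (not router configuration and not code from Genesys or AWS). The route records are constructed; the 7224:8200 tag on the us-west-2 route and the 198.51.100.0/24 route are assumptions made for the sample.

```python
import ipaddress

# Prefix-list from the example: 169.150.104.0/21, allowing more-specific
# prefixes up to /32.
PREFIX_LIST = [(ipaddress.ip_network("169.150.104.0/21"), 32)]
REGION_TAG = "7224:8100"  # community tag for region-specific prefixes (from the page)

# Constructed routes as received on the us-east-1 circuit.
SAMPLE_ROUTES = [
    {"prefix": "169.150.106.0/24", "communities": ["7224:8100"]},  # us-east-1
    {"prefix": "169.150.107.0/24", "communities": ["7224:8200"]},  # us-west-2, assumed tag
    {"prefix": "198.51.100.0/24", "communities": ["7224:8100"]},   # non-Genesys, same region
]


def prefix_permitted(prefix, prefix_list=PREFIX_LIST):
    """True if `prefix` lies inside a listed block and is no longer than its limit."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == base.version
               and net.subnet_of(base)
               and net.prefixlen <= max_len
               for base, max_len in prefix_list)


def evaluate(route):
    """Apply both filters; a route is accepted only when both match."""
    if not prefix_permitted(route["prefix"]):
        return "no-prefix-match"      # not inside the Genesys block
    if REGION_TAG not in route["communities"]:
        return "no-community-match"   # Genesys prefix from another region
    return "accept"


def decisions(routes):
    return {r["prefix"]: evaluate(r) for r in routes}


if __name__ == "__main__":
    for prefix, decision in decisions(SAMPLE_ROUTES).items():
        print(prefix, decision)
```

The third route shows why the community match alone is not enough: the tag identifies a region, not an owner, so the prefix-list is what ties the filter to Genesys address space.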
IP address information for the FedRAMP region
The FedRAMP Core region (US-East 2 (Ohio)) uses the following CIDR address range:
- 164.152.64.0/22
Readiness checks for the FedRAMP region
To help new FedRAMP customers prepare to use the CIDR block of IP addresses, Genesys provides two ways to confirm whether you are ready to use the CIDR block of IP addresses or need to make further adjustments to your firewall settings.
- You can access the Genesys Cloud WebRTC Diagnostics app and run the automated tests found on the Network Test tab. For more information, see Troubleshooting in the About WebRTC article.
- You can run the set of manual tests described below.
Genesys provides you with a set of cloud platform network connectivity diagnostic endpoints that you can use to test against. To perform the manual tests, you can use commonly available network connectivity tools, such as netcat and nmap.
You will run the tests against the FedRAMP destination FQDN:
- netdiag.use2.us-gov-pure.cloud
These tests are for guidance purposes only and are intended for network and firewall experts.
| Destination protocol / port | Sample test command | Successful response | Failed response |
|---|---|---|---|
| tcp/3478 | (Run this command from the same network as Genesys Cloud client application.) | No specific response is displayed, but a successful connection handshake is indicated. | The connection times out. |
| udp/3478 | nmap -sU -p 3478 --script stun-info netdiag.use2.us-gov-pure.cloud (You must be using nmap version 7.9 or later to run this command.) | The response includes a stun-info section listing an external IP address. This response will include the following: nmap done: 1 IP address (1 host up) scanned in #.## seconds | You receive a "host is down" response. |
| udp/16384-65535 | (Run this command from the same network as Genesys Cloud client application.) | The response includes: GoodbyeGoodbyeGoodbyeGoodbyeGoodbye (This command sends five packets, which result in five "Goodbye" responses; one for each packet.) | You do not receive a "Goodbye" response. |
| tcp/8061 (Run this test if you are using hardware phones with cloud media.) | (Run this command from the same network on which the hardware phones are connected.) | The response includes: Goodbye | You do not receive a "Goodbye" response. |
Genesys Cloud services for the FedRAMP region
Use the information in this table to gain a detailed understanding of the Genesys Cloud services that will be affected by the CIDR IP address block. This information helps you to identify the Source, Destination address, and the Destination transport protocol/port associated with each of the affected services.

