Genesys Cloud - Main

  • 1.  Access list configuration for BYOC deployment

    Posted 06-28-2018 10:31
    Hello
    For cloud deployment with BYOC configuration I would like to make a proper Access List on our SBC.
    So I know about the range listed here https://help.mypurecloud.com/articles/byoc-cloud-public-sip-ip-addresses/
    and I was able to retrieve those for the designated region eu-west-1.

    But it is for the signaling, while RTP is using the other range.
    I'm aware of the AWS list available at https://ip-ranges.amazonaws.com/ip-ranges.json

    But it is actually a huge list. So I extracted only those for the eu-west-X regions.
    But what I can see is that there are eu-west-1, eu-west-2 and eu-west-3, although in the PureCloud article there's only a reference to eu-west-1.
    So if in the JSON file I look only at IPv4 addresses, there are 187 objects there, which is not very convenient to maintain.
    What is noticeable is that there are services like "service": "AMAZON"; "service": "EC2"; "service": "S3"; "service": "CLOUDFRONT"; "service": "CODEBUILD"; "service": "ROUTE53_HEALTHCHECKS"
    So I guess not all of them are necessary for this case.
    So if someone from the Genesys team can tell which services are actually used, then maybe we can create some decent list with IP addresses that may be added on the SBC to configure for access.

    So my questions related to BYOC deployment are:
    1. If my PureCloud organization is under eu-west-1 does it mean that the RTP goes only through services assigned to that region?
    2. Which Amazon services are required? From logs that we collected we noticed that those IP addresses belong to "service": "EC2" but need to check anyway.

    I know that IP addresses from AWS are subject to change, but knowing the exact region and which services on AWS are used by PureCloud BYOC will help to narrow down and filter those.

    Thanks

    ------------------------------
    Rasko Radojević
    Saga d.o.o. Beograd
    ------------------------------


  • 2.  RE: Access list configuration for BYOC deployment

    GENESYS
    Posted 07-19-2018 13:44
    Hello again Rasko,

    You have correctly identified the signaling IPs to whitelist in the ACL for your region. For RTP, a given call could use any of the available media microservice instances, which come and go based on overall system load and also cycle in and out for updates. These instances can have any of the public IP addresses listed under the EC2 service type for your region. While these media microservice instances utilize a variety of AWS services, your SBC has no need to directly access these other services (including S3, CloudFront, etc.).

    Limiting your SBC's whitelist to include the 4 x signaling IPs and the EC2 IPs for your region should be a safe list for a BYOC Cloud trunk.

    Thanks,

    ------------------------------
    alan lanteigne
    Genesys - Employees
    ------------------------------
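
One way to build the list described in the reply above (signaling addresses plus the region's EC2 prefixes), as an added example that is not part of the original thread and is not Genesys code. The function names are hypothetical, and the sample prefixes and the four signaling addresses are constructed placeholders from documentation ranges; the real values come from the two URLs in the first post.

```python
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout (documentation address
# ranges, not real AWS prefixes). Load the live file in its place.
SAMPLE = json.loads("""
{
  "syncToken": "0000000000",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/25",   "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25",   "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.128/25", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/26",    "region": "eu-west-1", "service": "S3"},
    {"ip_prefix": "203.0.113.64/26",   "region": "eu-west-2", "service": "EC2"},
    {"ip_prefix": "203.0.113.128/25",  "region": "GLOBAL",    "service": "CLOUDFRONT"}
  ],
  "ipv6_prefixes": []
}
""")

# Placeholders for the four signaling addresses published in the BYOC article.
SIGNALING_PLACEHOLDERS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]


def media_networks(doc, region, service="EC2"):
    """IPv4 prefixes for one region and service, merged where adjacent."""
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"]
        if p["region"] == region and p["service"] == service
    }
    return list(ipaddress.collapse_addresses(nets))


def build_acl(doc, region, signaling):
    """Allow-list entries: signaling hosts as /32 plus the region's EC2 prefixes."""
    hosts = [ipaddress.ip_network(ip) for ip in signaling]  # bare IP -> /32
    return [str(n) for n in hosts] + [str(n) for n in media_networks(doc, region)]


def is_allowed(source_ip, acl):
    """Check a source address (e.g. from an SBC log line) against the list."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(n) for n in acl)


if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE, "eu-west-1", SIGNALING_PLACEHOLDERS)))
```

The `syncToken` field changes whenever AWS republishes the file, so a scheduled job can compare it with the last seen value and regenerate the SBC list only when it differs.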



  • 3.  RE: Access list configuration for BYOC deployment

    Posted 07-23-2018 03:59
    Hello Alan
    thank you very much for your response.

    Considering that at this moment a BYOC implementation must include public IP addresses, it is very important to take care of proper security settings.
    When we did this integration, I think in less than an hour we saw some very fancy addresses from Seychelles trying to reach our SIP trunk (of course we prevented them), but this is why we consider these very important settings.

    I do not know if there are plans and time frames for when BYOC will allow communication other than through public IP addresses, but at this moment we are taking care not to be intruded upon. I will eventually organize additional testing with my team to include only those EC2 service IP addresses.

    Regards from Belgrade



    ------------------------------
    Раско Радојевић
    Rasko Radojević
    ------------------------------


