Genesys Cloud - Main

  • 1.  AWS Direct Connect and Internet Connectivity

    Posted 08-05-2021 09:58
    Hi,

    I have a customer with a unique requirement. We are proposing a multi-site Genesys Cloud CX deployment for this customer, and we are using BYOC On Premise model due to some of the contact centers being in highly regulated countries like India and China. Customer is fine with letting agents access Genesys Cloud functionalities (e.g. the web UI, the screen recording uploads etc.) but due to IT Security policies, they do not want to let the on-premise Edge server communicate directly to Internet. We are exploring a solution using an AWS Direct Connect circuit, whereby we use network routing to force the traffic outbound from or inbound to the on-premise Edges from Genesys Cloud CX to be forced across the AWS Direct Connect. The agents are in a separate network segment from the Edge servers, and they need to be able to access Genesys Cloud CX directly and not go across the AWS Direct Connect circuit.

    Questions:

    1. Has this sort of design ever been deployed anywhere? Does this even look feasible? Resource Center is rather vague about this segregation, and indicates that every type of traffic bound for Genesys Cloud will go across the AWS Direct Connect circuit (What traffic from my network will go across an AWS Direct Connect connection? - Genesys Cloud Resource Center)

    2. I am also seeing a requirement that "To use a Direct Connect connection with Genesys Cloud effectively, you must have Internet access at your location" (AWS Direct Connect for Genesys Cloud overview - Genesys Cloud Resource Center). What is this about? Does this mean that agents need direct Internet access to work with Genesys Cloud CX even if their traffic (e.g. web-UI, non-voice traffic etc.) is supposed to be transported across the Direct Connect circuit? What about the traffic from the Edges, do they also leverage AWS CloudFront?

    In other words, I am trying to find out if blocking Internet access from the Edges while allowing it for agent desktops can be done. Can anyone help?

    #ArchitectureandDesign

    ------------------------------
    Soumik Biswas
    BT Solutions Ltd (Bahrain Branch)
    ------------------------------


  • 2.  RE: AWS Direct Connect and Internet Connectivity

    Posted 08-10-2021 00:29
    I too have similar questions.
    Hope someone helps in answering.

    ------------------------------
    Rajeev Srikant
    ------------------------------



  • 3.  RE: AWS Direct Connect and Internet Connectivity

    Posted 08-10-2021 10:20
    Now you did it - asked for an answer - and I just have to take the bait!!

    1. Realize that SIP and RTP can have two different paths. The SIP can be routed to GC directly and the RTP can traverse a different path depending on STUN and TURN replies. AWS Direct Connect is like a pipe that rides the internet in its own little tunnel and only allows connections to AWS end points. So, if you have Direct Connect any traffic to GC can go through that connection and avoid any contention on the Internet because it is controlled by AWS and only allows AWS traffic to flow through that tunnel - kind of like a toll road - you pay to have a fast lane that is not affected by anything happening on the normal lanes. (I am from LA, so I understand fully the need for toll roads).

    2. Think of Direct Connect like the entrances to the toll roads - you can just hop on any place. Your AWS Direct Connect partner will bring you an MPLS that allows you to "hop on" to Direct Connect from your facility by either a dedicated on ramp or riding over your existing internet connection to the local handoff to AWS, so you will pay your carrier for this local access loop and then pay AWS for Direct Connect.

    Now as for your questions about privatization of the Edges (if I can refer to it like that), GC only supports AWS Direct Connect on the public side of AWS. If you use the Private side, you can have your traffic flow into AWS into your own VPC and then use a VPC gateway in AWS to traverse over to the public side and into GC, but you cannot connect directly to GC on the private side like an MPLS connection to your VPC or data center.

    The Edges themselves create their own little tunnel to GC through your firewall on port 443 and use RTP ports to transport audio to and from GC in the cloud. CloudFront is not really involved in any of this except for storage of resources like icons, wavefiles, and the like.

    I hope I have not confused things too much and happy to get into some details if need be.

    ------------------------------
    Robert Wakefield-Carl
    Avtex Solutions, LLC
    Contact Center Innovation Architect
    robertwc@avtex.com
    https://www.Avtex.com
    https://RobertWC.Blogspot.com
    ------------------------------



  • 4.  RE: AWS Direct Connect and Internet Connectivity

    Posted 04-05-2023 13:40

    Hi all.

    We're in the process of setting this up ourselves. It would be wonderful if someone could assist/confirm the following ...

    - We are in the process of provisioning an AWS direct-connect with an associated public VIF in AWS for this use-case

    - From the Genesys Cloud external trunk perspective, do I just configure the "far-end" IP of the trunk to be the AWS public VIF?

    - (Assuming this is correct so far) Where does the address translation happen from the public VIF to the IP of the SBC on the "internal-side" of the AWS direct-connect?

    Any guidance would be appreciated.



    ------------------------------
    Angel Rivera
    Computer Generated Solutions, Inc.
    ------------------------------



  • 5.  RE: AWS Direct Connect and Internet Connectivity

    Posted 10-20-2021 03:55
    Hi Soumik,

    Hopefully you're done with initial deployments. But if you still need some help with this, I have experience with AWS Direct Connect and GC. Please contact me at asad@frontline.nl and I can guide you accordingly.



    ------------------------------
    Kind regards,

    Asad Saqlain
    ------------------------------


