Original Message:
Sent: 05-27-2025 08:10
From: Bruce Dunn
Subject: Firewall requirements for outbound connections concerns
Look up "Force Turn" in the Genesys documentation; this will limit the number of IP addresses you need to allow through your firewall. Also note that Force Turn is supposedly being moved to the Genesys CIDR address ranges, so it should mean firewall rules for only 4 address ranges, if I am understanding correctly what I have read over the past 6 months.
------------------------------
Bruce Dunn
Department of Technology & Information
State of Delaware
------------------------------
Original Message:
Sent: 05-23-2025 13:22
From: Serhii Shamshurin
Subject: Firewall requirements for outbound connections concerns
I think you still don't understand my questions. I don't want to "narrow it down to a specific IP address". I don't want to create over-permissive firewall rules and update these firewall rules frequently (or update a JSON file from somewhere with these IP addresses). Or I need to understand how Genesys components really work with these Amazon addresses, and whether we really need to allow them or we can work with just domains allowed in the firewall. That's why I asked all of these specific questions that still have no answer here:
1. I still don't understand why we need to open outbound connections to all Amazon AWS IP ranges IN ADDITION to pure cloud domains/DNS.
2. It can only make sense if some client application requests not just some *.pure.cloud but some IP address directly instead, but why does this app need to do that, maybe just for some emergency situations? Or does Genesys just want to exclude some client DNS problems (again "emergency")?
3. I don't believe that Genesys takes some Amazon AWS service, doesn't add it to their domain/DNS, then takes it to "production", and does this frequently. Or do they?
I understand that it will be more reliable for Genesys if the client just allows in the firewall all possible IP addresses that they could possibly use in theory, or just any IP addresses (this will be even more reliable for Genesys) - but this definitely will not be secure for the client.
4. Can someone explain clearly why Genesys wants us (the client) to open connections to all Amazon AWS IP addresses? What is the real case/example? Is this just for some hypothetical emergency situations, or to eliminate some DNS problems? Or what is it really for?
------------------------------
System admin
Original Message:
Sent: 05-22-2025 21:49
From: George Ganahl
Subject: Firewall requirements for outbound connections concerns
Genesys Cloud components can use any of the AWS IP addresses at any time to communicate with CloudFront as specified by region. There is absolutely no way to narrow it down to a specific IP address on the AWS side for a specific Genesys Cloud use, beyond those used for SIP trunks and a few other things as specified in the Resource Center.
Also, the AWS IP addresses can be changed by them, so you need to run the specified query to check the IP address ranges for your region and make sure your firewall is up to date.
The directions for contacting Support are listed in the Resource Center. https://help.mypurecloud.com/articles/genesys-cloud-support-portal/
------------------------------
George Ganahl GCCX-AI, GCP, GCSME, ICCE, ICHD, etc.
Technical Adoption Champion
Genesys
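The "specified query" above amounts to pulling AWS's published IP ranges, filtering them to your region and the services you need, and comparing the result with what the firewall currently allows. The following is an added example, not code from Genesys or from anyone in this thread. It assumes the structure of AWS's public ip-ranges.json (the `prefixes` list with `ip_prefix`, `region`, `service` keys); the prefixes, region and service names in the sample are constructed, and the real file would be fetched from https://ip-ranges.amazonaws.com/ip-ranges.json instead of the inline sample.

```python
import ipaddress
import json

# Constructed sample with the same shape as AWS's ip-ranges.json.
# The prefixes below are documentation ranges (RFC 5737), not real AWS space.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000001",
    "createDate": "2025-05-22-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25",   "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24",     "region": "us-east-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24",   "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def select_prefixes(ip_ranges_json, region, services):
    """Return the IPv4 prefixes for one region and a set of service tags,
    collapsed so overlapping/adjacent networks become the fewest rules."""
    data = json.loads(ip_ranges_json)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] == region and p["service"] in services
    ]
    # collapse_addresses merges 203.0.113.0/25 + .128/25 + .0/24 into one /24
    return sorted(str(n) for n in ipaddress.collapse_addresses(nets))


def allowlist_diff(current_rules, desired_prefixes):
    """Compare the firewall's current outbound allowlist with the desired set.
    Returns (to_add, to_remove) so the change can be reviewed before applying."""
    current, desired = set(current_rules), set(desired_prefixes)
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    # Constructed example of a firewall's existing outbound rules
    existing = ["203.0.113.0/25", "198.51.100.0/24"]
    wanted = select_prefixes(SAMPLE_IP_RANGES, "eu-west-1", {"AMAZON", "CLOUDFRONT"})
    add, remove = allowlist_diff(existing, wanted)
    print("desired:", wanted)
    print("add:", add, "remove:", remove)
```

Re-running this whenever the file's `syncToken` changes is what keeps the allowlist current without hand-editing rules; restricting `services` (rather than allowing every AWS prefix) is where the permissiveness the thread is worried about gets reduced.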
Original Message:
Sent: 05-22-2025 17:31
From: Serhii Shamshurin
Subject: Firewall requirements for outbound connections concerns
Hello Niel. Thanks for the answer. Yes, I have read all of these help pages like https://help.mypurecloud.com/articles/genesys-cloud-ports-services/ etc.
I still don't understand why we need to open outbound connections to all Amazon AWS IP ranges IN ADDITION to pure cloud domains/DNS.
It can only make sense if some client application requests not just some *.pure.cloud but some IP address directly instead, but why does this app need to do that, maybe just for some emergency situations? Or does Genesys just want to exclude some client DNS problems (again "emergency")?
I don't believe that Genesys takes some Amazon AWS service, doesn't add it to their domain/DNS, then takes it to "production", and does this frequently. Or do they?
I understand that it will be more reliable for Genesys if the client just allows in the firewall all possible IP addresses that they could possibly use in theory, or just any IP addresses (this will be even more reliable for Genesys) - but this definitely will not be secure for the client.
Can someone explain clearly why Genesys wants us (the client) to open connections to all Amazon AWS IP addresses? What is the real case/example? Is this just for some hypothetical emergency situations, or to eliminate some DNS problems? Or what is it really for?
Does someone know the Genesys support email? I can't find it. Or is this forum the only support source?
------------------------------
System admin
Original Message:
Sent: 05-22-2025 03:29
From: Niel Vicente
Subject: Firewall requirements for outbound connections concerns
Hi Serhii,
Hate to break the news to you but yes, you will still need to open outbound traffic to AWS IPs within your region.
Not all traffic will be via *.mypurecloud.xx or pure.cloud. You just need to be specific with your network/infra team about which ports, direction and protocol the traffic for these AWS IP ranges uses. Most would be 443 anyway, but check the articles George sent above.
And stress on the fact that these are for OUTBOUND connections. Don't even mention BI-DIRECTIONAL or they'll go mental.
------------------------------
Niel Vicente
Technical Lead - DAMAC Properties
Ex-Genesys