Cloud media services CIDR IP address range

Genesys Cloud’s cloud media services provides the following CIDR IP address ranges:

Core/Satellite regions

• 52.129.96.0/20
• 169.150.104.0/21 

FedRAMP region

• 164.152.64.0/22

Full support of Genesys Cloud’s cloud media services CIDR block feature in this region

Coming soon.

Genesys Cloud’s cloud media services CIDR block provides a smaller range of IP addresses for outbound connections to and from telephony endpoints. If you currently use any of these Genesys Cloud services:

• WebRTC stations
• Polycom stations with Genesys Cloud Voice or BYOC Cloud
• BYOC Cloud
• ACD screen recording
• Video chat

then we recommend that you run the tests listed in the Readiness check section in this article. Doing so allows you to evaluate what you need to do to incorporate the CIDR block of IP addresses for our public-facing cloud media services into your firewall’s allowlist.   

Readiness check

To help you prepare to use the CIDR block of IP addresses, Genesys provides you with two ways to confirm whether you are ready to use the CIDR block of IP addresses or need to make further adjustments to your firewall settings.

1. You can access the Genesys Cloud WebRTC Diagnostics app and run the automated tests found on the Network Test tab.
2. You can run the set of manual tests described in this article.

Genesys provides you with a set of cloud platform network connectivity diagnostic endpoints that you can use to test against. To perform the manual tests, you can use commonly available network connectivity tools, such as netcat and nmap.

 To ensure that the entirety of the address range is covered, run these checks against each one of the following destination FQDNs:

• netdiag.use1.pure.cloud
• netdiag.use2.us-gov-pure.cloud 
• netdiag.usw2.pure.cloud
• netdiag.cac1.pure.cloud
• netdiag.sae1.pure.cloud
• netdiag.euw1.pure.cloud
• netdiag.euw2.pure.cloud
• netdiag.euw3.pure.cloud
• netdiag.euc1.pure.cloud
• netdiag.apne1.pure.cloud
• netdiag.apne2.pure.cloud
• netdiag.apse2.pure.cloud
• netdiag.aps1.pure.cloud
• netdiag.ape1.pure.cloud

These tests are for guidance purposes only and are intended for network and firewall experts.

Genesys Cloud services

Use the information in this table to gain a detailed understanding of the Genesys Cloud services that will be affected by the addition of the CIDR IP address block. This information helps you to identify the Source, Destination address, and the Destination transport protocol/port associated with each of the affected services. 

Expand All

AWS Direct Connect and routing specific information

AWS advertises the Genesys CIDR block both publicly and within Direct Connect.

• Direct Connect customers who are not performing route filtering have no additional changes to make. Genesys recommends doing a lookup on the route table to ensure they are seeing the Genesys CIDR block (52.129.96.0/20 or 169.150.104.0/21), which includes anything greater than or equal to /20 or 21. For example, AWS may segment the block into /21’s, /22’s, /23’s, /24’s, and so on.
• Direct Connect customers who are performing route filtering must permit the Genesys CIDR block (52.129.96.0/20 or 169.150.104.0/21), which includes anything greater than or equal to /20 or 21. For example, AWS may segment the block into /21’s, /22’s, /23’s, /24’s, and so on.
  • Direct Connect customers who need to filter region specific Genesys Cloud CIDRs should use prefix-lists and community tags. The prefix-list for 52.129.96.0/20 should allow /20 and any prefix less than /32, and the prefix-list for 169.150.104.0/21 should allow /21 and anything less than /32. The community tag set by AWS for region specific prefixes is 7224:8100. To verify the correct community tag, see AWS Routing policies and BGP communities. By using both of these filtering techniques, customers can automatically accept regional Genesys Cloud CIDRs.

For more information on AWS Direct Connect routing and filtering, see AWS Routing policies and BGP communities.

Direct Connect example

For this example, suppose that the Direct Connect circuit terminates into us-east-1 and AWS is advertising a Genesys prefix of 169.150.106.0/24 out of the us-east-1 region and 169.150.107.0/24 out of the us-west-2 region. The Direct Connect customer receives both advertisements on their us-east-1 circuit.

To filter these networks and prefer, or accept, the 169.150.106.0/24 prefix, the customer uses a prefix-list and community tag. The prefix-list should allow 169.150.104.0/21 and include any prefix less than /32. The community tag match would be for 7224:8100.

In this case, the community tag is a unique identifier for a region’s route advertisements from AWS. The community tag set by AWS allows a customer to differentiate routes from region, continent, or global. Therefore, the applied filters would cause the us-east-1 prefix, 169.150.106.0/24, to be matched on the Direct Connect circuit in us-east-1. The us-west-2 prefix, 169.150.107.0/24, would not be matched and could be dropped or set as a least preferred path.