Amazon Connect's Contact Control Panel (CCP) requires outbound access to a specific set of URLs, domains, and ports. If any required entry is missing from your firewall allowlist, agents may experience dropped calls, failed media sessions, authentication failures, or a broken CCP interface. This tool generates and validates every required entry from the official AWS documentation — including per-region TurnNLB TURN server endpoints, CCP signaling domains, CloudFront static asset CDNs, telemetry endpoints, and participant API domains.
What domains must be allowlisted for Amazon Connect CCP?
Per AWS documentation (docs.aws.amazon.com/connect/latest/adminguide/ccp-networking.html), the minimum required domains are: (1) {instance}.my.connect.aws, covering the /ccp-v2, /api and /auth/authorize paths, for the CCP application; (2) *.cloudfront.net for static assets; (3) *.transport.connect.{region}.amazonaws.com for WebRTC signaling (CCP v2); (4) *.telemetry.connect.{region}.amazonaws.com for call quality telemetry; (5) participant.connect.{region}.amazonaws.com for the chat participant API; (6) TurnNlb-*.elb.{region}.amazonaws.com on UDP 3478 for TURN media relay. All of these are TCP 443 except the TURN entry, which is UDP 3478.
What port does Amazon Connect TURN server use?
Amazon Connect TURN (Traversal Using Relays around NAT) servers use UDP port 3478 outbound. The TURN servers are hosted on AWS Network Load Balancers named TurnNlb-*.elb.{region}.amazonaws.com. You can allowlist the wildcard or add specific endpoints per region. For example, us-east-1 has five specific TurnNLB endpoints: TurnNlb-d76454ac48d20c1e.elb.us-east-1.amazonaws.com, TurnNlb-31a7fe8a79c27929.elb.us-east-1.amazonaws.com, and three others. For stateless firewalls, you must also allow inbound UDP ephemeral ports 49152–65535 (Windows) or 32768–61000 (Linux).
What is the difference between Option 1 (domain allowlist) and Option 2 (IP ranges) for Amazon Connect?
AWS recommends Option 1 (domain allowlist): allowlist specific URLs like *.transport.connect.{region}.amazonaws.com and TurnNlb-*.elb.{region}.amazonaws.com instead of broad IP ranges. This reduces blast radius — you only open exactly what Connect needs. Option 2 uses ip-ranges.json IP blocks: AMAZON_CONNECT (global + region) on UDP 3478, EC2 (global + region) on TCP 443, and CloudFront (global) on TCP 443. Option 2 is harder to maintain as IPs change (30-day notice in ip-ranges.json) and opens a much wider surface area.
Why do agents get "Failed to establish softphone connection" errors?
The most common cause is a missing TURN server entry. When an agent sees "Browser unable to establish media channel with turn:TurnNlb-xxxxxxxxxxxxx.elb.{region}.amazonaws.com:3478?transport=udp", it means UDP 3478 to the TurnNLB endpoints is blocked. Use nslookup TurnNlb-d76454ac48d20c1e.elb.us-east-1.amazonaws.com to test DNS resolution. If DNS resolves but calls fail, UDP 3478 is likely blocked by your firewall or proxy. Add TurnNlb-*.elb.{region}.amazonaws.com UDP 3478 outbound to your allowlist.
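As an added example (not the page's tool or AWS code), a Python checker for the two points above: it builds the required entries for one region and instance alias from the documented list, reports which entries an allowlist fails to cover, and pulls the TURN host and port out of the softphone error text. The instance alias `myco` and the sample allowlist are constructed.

```python
import re
from fnmatch import fnmatchcase

def required_entries(region, instance):
    """Required outbound entries from the AWS CCP networking page as
    (hostname pattern, protocol, port); `instance` is the instance alias."""
    return [
        (f"{instance}.my.connect.aws", "tcp", 443),                   # CCP app, /api, /auth/authorize
        ("*.cloudfront.net", "tcp", 443),                             # static assets
        (f"*.transport.connect.{region}.amazonaws.com", "tcp", 443),  # WebRTC signaling
        (f"*.telemetry.connect.{region}.amazonaws.com", "tcp", 443),  # call-quality telemetry
        (f"participant.connect.{region}.amazonaws.com", "tcp", 443),  # chat participant API
        (f"TurnNlb-*.elb.{region}.amazonaws.com", "udp", 3478),       # TURN media relay
    ]

def covers(rule, need):
    """True when an allowlist rule (pattern, proto, port) satisfies a required
    entry: same proto/port and a pattern at least as broad as the required one,
    approximated by matching the requirement with '*' replaced by a sample label
    ('*.elb.us-east-1.amazonaws.com' covers TurnNlb-*, one FQDN does not cover '*.cloudfront.net')."""
    rpat, rproto, rport = rule
    npat, nproto, nport = need
    if (rproto.lower(), int(rport)) != (nproto.lower(), int(nport)):
        return False
    return fnmatchcase(npat.replace("*", "sample").lower(), rpat.lower())

def missing_entries(allowlist, region, instance):
    """Required entries that no rule in the allowlist covers."""
    return [need for need in required_entries(region, instance)
            if not any(covers(rule, need) for rule in allowlist)]

TURN_URI = re.compile(r"turn:([^\s:]+):(\d+)\?transport=(udp|tcp)")
def turn_target_from_error(message):
    """Pull (host, port, transport) out of the softphone error text quoted above."""
    m = TURN_URI.search(message)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

# Constructed sample allowlist: every TCP 443 entry is present, but the TURN
# rule was entered as TCP instead of UDP, so UDP 3478 is effectively missing.
SAMPLE_ALLOWLIST = [
    ("myco.my.connect.aws", "tcp", 443),
    ("*.cloudfront.net", "tcp", 443),
    ("*.transport.connect.us-east-1.amazonaws.com", "tcp", 443),
    ("*.telemetry.connect.us-east-1.amazonaws.com", "tcp", 443),
    ("participant.connect.us-east-1.amazonaws.com", "tcp", 443),
    ("TurnNlb-*.elb.us-east-1.amazonaws.com", "tcp", 443),
]
if __name__ == "__main__":
    for pat, proto, port in missing_entries(SAMPLE_ALLOWLIST, "us-east-1", "myco"):
        print(f"MISSING: {pat} {proto.upper()}/{port}")
```

The check is deliberately conservative: a rule counts only if it is at least as broad as the documented pattern, so a firewall that lists individual CloudFront FQDNs will be reported as not covering *.cloudfront.net.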
Does Amazon Connect have dedicated IP address ranges?
Yes. In ip-ranges.json, the AMAZON_CONNECT service tag contains a /19 IP address block (15.193.0.0/19) that is exclusively used by Amazon Connect globally — it is not shared with other AWS services. New IP ranges are added with a 30-day grace period before traffic is routed through them. After 30 days, traffic increases over two weeks until fully migrated. Subscribe to AWS IP range change notifications (SNS topic) to get notified when ip-ranges.json is updated so you can update your allowlist proactively.
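An added example (not the page's tool) of the Option 2 extraction described above: it pulls the AMAZON_CONNECT, EC2 and CloudFront prefixes for one region out of a parsed ip-ranges.json, maps them to the ports the page lists, and diffs two snapshots to flag newly added AMAZON_CONNECT ranges for the 30-day grace window. The sample document is constructed; apart from 15.193.0.0/19, which the page names, its prefixes are documentation ranges, not real AWS data.

```python
from ipaddress import ip_network

# Option 2 mapping from the page: ip-ranges.json service tag -> (proto, port,
# scopes), where "region" means the Connect region and GLOBAL the global block.
OPTION2 = {
    "AMAZON_CONNECT": ("udp", 3478, ("region", "GLOBAL")),
    "EC2":            ("tcp", 443,  ("region", "GLOBAL")),
    "CLOUDFRONT":     ("tcp", 443,  ("GLOBAL",)),
}

def option2_rules(ip_ranges, region):
    """Derive sorted (prefix, proto, port) outbound rules from a parsed
    ip-ranges.json document (https://ip-ranges.amazonaws.com/ip-ranges.json)
    for one Connect region. Only the IPv4 'prefixes' list is read."""
    rules = set()
    for p in ip_ranges.get("prefixes", []):
        spec = OPTION2.get(p["service"])
        if spec is None:
            continue
        proto, port, scopes = spec
        wanted = {region if s == "region" else s for s in scopes}
        if p["region"] in wanted:
            rules.add((str(ip_network(p["ip_prefix"])), proto, port))
    return sorted(rules, key=lambda r: (r[1], r[2], ip_network(r[0])))

def new_connect_prefixes(old_doc, new_doc):
    """AMAZON_CONNECT prefixes present in new_doc but not old_doc: the ranges
    that, per the page, get a 30-day grace period before carrying traffic."""
    def tagged(doc):
        return {p["ip_prefix"] for p in doc.get("prefixes", [])
                if p["service"] == "AMAZON_CONNECT"}
    return sorted(tagged(new_doc) - tagged(old_doc))

# Constructed excerpt in the shape of ip-ranges.json. 15.193.0.0/19 is the block
# the page names; the other prefixes are documentation ranges, not real AWS data.
SAMPLE_IP_RANGES = {
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "15.193.0.0/19",   "region": "GLOBAL",    "service": "AMAZON_CONNECT"},
        {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "AMAZON_CONNECT"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24",  "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.18.0.0/15",   "region": "GLOBAL",    "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "S3"},
    ],
}
if __name__ == "__main__":
    for prefix, proto, port in option2_rules(SAMPLE_IP_RANGES, "us-east-1"):
        print(f"{prefix:18} {proto.upper()}/{port}")
```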
What additional endpoints are needed for SAML/SSO login with Amazon Connect?
If your agents use SAML 2.0 to log in, you must also allowlist the AWS SSO/IAM Identity Center sign-in endpoints: signin.aws.amazon.com, *.awsapps.com (for the legacy domain), and your IdP's domain. For AWS IAM Identity Center: *.awsapps.com, {directory-id}.awsapps.com/start, and sso.{region}.amazonaws.com. Your SAML identity provider (Okta, Azure AD, ADFS, PingFederate, etc.) must also be reachable from the agent workstation on TCP 443 for the SAML assertion redirect to complete successfully.
What are the ephemeral port requirements for stateless firewalls?
Stateless firewalls (those that don't track connection state) require inbound allowlisting of ephemeral ports in addition to outbound rules. Per AWS documentation: for Windows environments, allow inbound UDP 49152–65535 from the AMAZON_CONNECT IP ranges. For Linux environments, allow inbound UDP 32768–61000 from AMAZON_CONNECT IP ranges. This is the return traffic for TURN media sessions. Stateful firewalls (which track established connections) do not need the inbound rules as they automatically allow return traffic for established outbound sessions.
What CloudFront domains does Amazon Connect use per region?
Amazon Connect uses specific CloudFront distribution domains per region for static CCP assets. For example: us-east-1 uses dd401jc05x2yk.cloudfront.net and d1f0uslncy85vb.cloudfront.net; us-west-2 uses d38fzyjx9jg8fj.cloudfront.net and d366s8lxuwna4d.cloudfront.net; eu-central-1 uses d1n9s7btyr4f0n.cloudfront.net and d3tqoc05lsydd3.cloudfront.net. The wildcard *.cloudfront.net covers all of these, but if your firewall requires specific FQDNs, this tool outputs the exact CloudFront domains for your region. ca-central-1 serves static content via *.my.connect.aws instead of dedicated CloudFront distributions.