Amazon Connect's Contact Control Panel (CCP) requires outbound access to a specific set of URLs, domains, and ports. In 2026 this list grew: instances that use Amazon Connect managed identity must allowlist the new sign-in domains (*.signin.aws, *.apps.signin.aws) before October 7 2026 or agents will fail to log in. This free tool generates and validates every required firewall entry from the official AWS documentation: CCP signaling, TURN/media relay, CloudFront CDN, telemetry, participant API, the new 2026 sign-in domains, IPv6 dualstack S3, GovCloud FIPS endpoints, and omnichannel (email, WhatsApp, tasks) endpoints, all per region, with live reachability probes and exportable reports.
What new domains must be allowlisted for the 2026 Amazon Connect sign-in migration?
Amazon Connect is migrating instances that use Amazon Connect managed identity to a new sign-in experience by October 7 2026 (SAML 2.0 federated instances are not affected). Before that date, firewall teams must allowlist: *.apps.signin.aws (TCP 443), *.signin.aws (TCP 443), *.threat-mitigation.aws.amazon.com (TCP 443), and *.s3.dualstack.{region}.amazonaws.com (TCP 443, reachable over IPv6 as well as IPv4). GovCloud instances additionally require *.signin-fips.amazonaws-us-gov.com, *.apps.signin-fips.aws-us-gov.com, and *.apps.signin.aws-us-gov.com. Password reset emails now come from no-reply@signin.aws, so make sure your email security gateway accepts that sender. Migration is automatic on July 7 2026 for eligible instances and mandatory on October 7 2026 for all remaining instances.
What domains must be allowlisted for Amazon Connect CCP in 2026?
The full 2026 required list: (1) {instance}.my.connect.aws — CCP app, API, auth; (2) *.transport.connect.{region}.amazonaws.com — WebRTC signaling (WSS); (3) rtc*.connect-telecom.{region}.amazonaws.com — CCP v1 signaling; (4) *.telemetry.connect.{region}.amazonaws.com — call quality telemetry; (5) participant.connect.{region}.amazonaws.com — chat; (6) TurnNlb-*.elb.{region}.amazonaws.com on UDP 3478 — TURN media relay; (7) *.cloudfront.net — static CCP assets; (8) *.signin.aws and *.apps.signin.aws — new 2026 sign-in (mandatory Oct 2026); (9) *.s3.dualstack.{region}.amazonaws.com — IPv6 S3 for new sign-in; (10) connect.{region}.amazonaws.com — Connect API. All TCP 443 except TURN (UDP 3478).
What port does Amazon Connect TURN server use and how do I identify the specific endpoints?
Amazon Connect TURN servers use UDP port 3478, outbound to TurnNlb-*.elb.{region}.amazonaws.com. Each region has specific NLB hostnames; us-east-1 has five, for example TurnNlb-d76454ac48d20c1e.elb.us-east-1.amazonaws.com. Allowlist the wildcard TurnNlb-*.elb.{region}.amazonaws.com on UDP 3478, or add each specific hostname for tighter control (the trade-off is that every hostname AWS adds to its list then needs a rule change). For stateless firewalls also allow inbound UDP 49152–65535 (Windows) or 32768–61000 (Linux) for the return traffic of the TURN session. This tool outputs all specific TurnNlb hostnames for your selected region.
What is the difference between domain allowlisting (Option 1) and IP range allowlisting (Option 2)?
AWS recommends Option 1 (domain allowlist): allowlist specific FQDNs such as TurnNlb-*.elb.{region}.amazonaws.com and *.transport.connect.{region}.amazonaws.com. This is more precise, easier to maintain, and exposes far less than broad IP ranges do. Option 2 uses ip-ranges.json: allowlist the prefixes tagged with the AMAZON_CONNECT service (a dedicated /19 block, 15.193.0.0/19) on UDP 3478, plus the EC2 prefixes for your region and the CloudFront prefixes on TCP 443. IP ranges change with 30 days' notice, so subscribe to the AWS IP address range change notifications (the AmazonIpSpaceChanged SNS topic) and regenerate your rules when they fire. Never convert the new 2026 sign-in domains into IP ranges: they are served from shared infrastructure whose addresses change frequently.
Why do agents get "Failed to establish softphone connection" errors?
The most common cause is a missing TURN rule. The log message "Browser unable to establish media channel with turn:TurnNlb-xxxxxxxxxxxxx.elb.{region}.amazonaws.com:3478?transport=udp" means UDP 3478 to the TurnNlb endpoints is blocked. Run nslookup on a TurnNlb hostname first to rule out DNS. If the name resolves but calls still fail, UDP 3478 is the likely culprit: add TurnNlb-*.elb.{region}.amazonaws.com UDP 3478 outbound. For stateless firewalls also add the inbound UDP ephemeral range (49152–65535 on Windows, 32768–61000 on Linux) for the return traffic. If TURN is allowed but audio is one-way, check that return path first; one-way audio usually means media leaves the agent's machine but the reply never gets back in. Separately, if the CCP loads but never reaches a connected state, check the WebSocket upgrade: some proxies block the Upgrade: websocket request that *.transport.connect.{region}.amazonaws.com needs on TCP 443.
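The allowlist from the "What domains must be allowlisted" answer above and the TURN error triage from this answer, in code. This is an added example, not part of the original page or of any AWS tool: it expands the page's FQDN templates for one region and instance alias, parses the turn: URI out of a CCP error message, and reports whether the generated rule set already covers that endpoint. The function names, the instance alias, and the TurnNlb label in the sample error string are this example's own constructions.

```python
"""Build the per-region Amazon Connect CCP allowlist from the FQDN templates
listed on this page and check an observed endpoint (from a CCP TURN error)
against it.

Added example, not the page's or AWS's code. The template list mirrors the page;
function names and the sample error string below are constructed for illustration.
"""
import fnmatch
import re

# (fqdn template, protocol, port, purpose): the page's list, as templates.
TEMPLATES = [
    ("{instance}.my.connect.aws",                  "tcp", 443,  "CCP app, API, auth"),
    ("*.transport.connect.{region}.amazonaws.com", "tcp", 443,  "WebRTC signaling (WSS)"),
    ("rtc*.connect-telecom.{region}.amazonaws.com","tcp", 443,  "CCP v1 signaling"),
    ("*.telemetry.connect.{region}.amazonaws.com", "tcp", 443,  "call quality telemetry"),
    ("participant.connect.{region}.amazonaws.com", "tcp", 443,  "chat participant API"),
    ("TurnNlb-*.elb.{region}.amazonaws.com",       "udp", 3478, "TURN media relay"),
    ("*.cloudfront.net",                           "tcp", 443,  "static CCP assets"),
    ("*.signin.aws",                               "tcp", 443,  "new 2026 sign-in"),
    ("*.apps.signin.aws",                          "tcp", 443,  "new 2026 sign-in"),
    ("*.s3.dualstack.{region}.amazonaws.com",      "tcp", 443,  "IPv6 S3 for new sign-in"),
    ("connect.{region}.amazonaws.com",             "tcp", 443,  "Connect API"),
]


def build_allowlist(region, instance):
    """Expand every template for one region and one instance alias."""
    return [(t.format(region=region, instance=instance), proto, port, why)
            for t, proto, port, why in TEMPLATES]


def is_covered(allowlist, fqdn, proto, port):
    """True if fqdn:port/proto matches at least one allowlist entry.

    fnmatch treats '*' as any run of characters, dots included, and the
    comparison is lower-cased on both sides because DNS names are case-insensitive.
    """
    fqdn = fqdn.lower().rstrip(".")
    return any(proto == p and port == n and fnmatch.fnmatch(fqdn, pat.lower())
               for pat, p, n, _ in allowlist)


# TURN URI (RFC 7065) as it appears in the CCP error: turn:host:port?transport=udp
_TURN_URI = re.compile(
    r"turns?:(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+)(?:\?transport=(?P<proto>udp|tcp))?")


def parse_turn_error(message):
    """Pull (host, proto, port) out of a 'Browser unable to establish media channel' line."""
    m = _TURN_URI.search(message)
    if not m:
        return None
    return m.group("host"), (m.group("proto") or "udp"), int(m.group("port"))


def missing_rule(allowlist, message):
    """The outbound rule to add for the endpoint named in the error, or None if covered."""
    parsed = parse_turn_error(message)
    if parsed is None:
        return None
    host, proto, port = parsed
    if is_covered(allowlist, host, proto, port):
        return None
    return f"allow outbound {proto.upper()} {port} to {host}"


if __name__ == "__main__":
    rules = build_allowlist("us-east-1", "example-contact-center")  # alias is made up
    for fqdn, proto, port, why in rules:
        print(f"{fqdn:55} {proto}/{port:<5} {why}")
    # Constructed sample of the CCP error quoted on the page; the TurnNlb label is fictional.
    err = ("Browser unable to establish media channel with "
           "turn:TurnNlb-0123456789abcdef.elb.us-east-1.amazonaws.com:3478?transport=udp")
    print(missing_rule(rules, err))                   # None: the TurnNlb wildcard covers it
    print(missing_rule(rules[:5] + rules[6:], err))   # the rule to add when the TURN entry is absent
```

Running the script prints the expanded list for the region, then shows the triage result twice: once against the full list (already covered) and once against a list with the TURN entry removed, which yields the exact outbound rule to add.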
What additional endpoints are needed for SAML/SSO and the new 2026 sign-in?
For SAML 2.0: allowlist signin.aws.amazon.com, *.awsapps.com, and your IdP domain (Okta, Microsoft Entra ID/Azure AD, ADFS, PingFederate) on TCP 443. For IAM Identity Center: add sso.{region}.amazonaws.com. For the new 2026 sign-in (mandatory by October 7 2026 for instances that use Amazon Connect managed identity): add *.signin.aws, *.apps.signin.aws, *.threat-mitigation.aws.amazon.com, and *.s3.dualstack.{region}.amazonaws.com. SAML 2.0 federated instances are not affected by the new sign-in domain requirement; it applies only to instances whose users are managed in Amazon Connect.
What endpoints are needed for Amazon Connect omnichannel — email, WhatsApp, and tasks?
Email channel: allow email.{region}.amazonaws.com on TCP 443 for the outbound (SES API) side, and *.inbound-smtp.{region}.amazonaws.com on TCP 25 or 587 for inbound ingestion via SES (needed only when your own mail relay forwards messages to SES rather than pointing MX records at it). WhatsApp Outbound Campaigns (launched December 2025): allow *.whatsapp.net and *.whatsapp.com on TCP 443. Amazon Connect Cases: allow cases.{region}.amazonaws.com on TCP 443. Task file attachments (up to 5 files per task, January 2026): make sure your attachment S3 bucket and *.s3.{region}.amazonaws.com are allowed on TCP 443. The chat participant API (participant.connect.{region}.amazonaws.com) is already required for every instance.
What CloudFront domains does Amazon Connect use and why are they needed?
Amazon Connect CCP loads JavaScript, CSS, fonts, and configuration from CloudFront distributions. If CloudFront is blocked, the CCP shows a blank page or spins forever. The wildcard *.cloudfront.net on TCP 443 covers all regions. Specific distributions include: us-east-1 uses dd401jc05x2yk.cloudfront.net and two others; eu-central-1 uses d1n9s7btyr4f0n.cloudfront.net and two others. This tool outputs the exact CloudFront distribution FQDNs for your region so you can write specific rules if your policy does not allow wildcards. CloudFront IP addresses are shared by every CloudFront customer and change globally, so prefer domain-based rules for these entries; if policy forces you onto Option 2, expect the CLOUDFRONT service ranges to be large and to change often.
What are the ephemeral port requirements for stateless firewalls?
Stateless firewalls need explicit inbound rules for the UDP return traffic. Per AWS documentation, allow inbound UDP 49152–65535 (Windows) or 32768–61000 (Linux) from the AMAZON_CONNECT IP ranges in ip-ranges.json. This is the return leg of the TURN session initiated outbound on UDP 3478; the TURN server answers from UDP 3478, so where your firewall supports it the rule can be tightened to source port 3478. Stateful firewalls track established flows and permit the return traffic automatically, so they do not need these inbound rules. VPN split-tunnel configurations can introduce stateless behaviour for split-tunnelled traffic even when the perimeter firewall is stateful, so test this explicitly.
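The Option 2 answer above and this stateless-firewall answer, turned into code. This is an added example, not part of the original page and not an AWS tool: it filters an ip-ranges.json document down to the AMAZON_CONNECT, EC2 and CLOUDFRONT prefixes for one region, emits the outbound rules, and adds the inbound ephemeral-port return rules (Windows or Linux range, source port 3478) when the firewall is stateless. SAMPLE_IP_RANGES is a constructed, truncated document in the shape of the real file; its prefixes are RFC 5737 and RFC 3849 documentation addresses, not AWS's actual ranges, and the function names are this example's own.

```python
"""Option 2 (IP-range allowlist) rules from ip-ranges.json, including the inbound
return rules a stateless firewall needs for TURN media.

Added example, not the page's or AWS's code. SAMPLE_IP_RANGES is a constructed,
truncated document in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json;
its prefixes are documentation addresses, not AWS's real ranges. Feed the real
file to the same functions.
"""
import ipaddress
import json

# Ephemeral source-port ranges quoted in the AWS documentation for stateless firewalls.
EPHEMERAL = {"windows": (49152, 65535), "linux": (32768, 61000)}

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2026-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1", "service": "AMAZON_CONNECT", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.128/25",  "region": "eu-west-2", "service": "AMAZON_CONNECT", "network_border_group": "eu-west-2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2",            "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24",  "region": "GLOBAL",    "service": "CLOUDFRONT",     "network_border_group": "GLOBAL"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:c0::/48", "region": "us-east-1", "service": "AMAZON_CONNECT", "network_border_group": "us-east-1"},
    ],
})


def load(text=SAMPLE_IP_RANGES):
    """Parse an ip-ranges.json document (the constructed sample by default)."""
    return json.loads(text)


def prefixes_for(doc, service, region):
    """IPv4 and IPv6 networks tagged with `service` in `region` ("GLOBAL" for CloudFront)."""
    v4 = [ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
          if p["service"] == service and p["region"] == region]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"]) for p in doc.get("ipv6_prefixes", [])
          if p["service"] == service and p["region"] == region]
    return v4 + v6


def option2_rules(doc, region, stateless=False, agent_os="windows"):
    """Rules as (direction, proto, src, src_port, dst, dst_port) tuples."""
    connect = prefixes_for(doc, "AMAZON_CONNECT", region)
    # TURN media: UDP 3478 outbound to the Connect ranges only.
    rules = [("out", "udp", "any", "any", str(net), "3478") for net in connect]
    # Signaling, CCP assets and APIs ride TCP 443 to EC2 (regional) and CloudFront (global) ranges.
    for service, reg in (("EC2", region), ("CLOUDFRONT", "GLOBAL")):
        rules += [("out", "tcp", "any", "any", str(net), "443")
                  for net in prefixes_for(doc, service, reg)]
    if stateless:
        lo, hi = EPHEMERAL[agent_os]
        # Return leg of the TURN session: the server answers from 3478 to the agent's ephemeral port.
        rules += [("in", "udp", str(net), "3478", "any", f"{lo}-{hi}") for net in connect]
    return rules


def connect_prefix_containing(doc, region, ip):
    """The AMAZON_CONNECT prefix that contains `ip`, or None.

    Useful for checking a TURN peer address seen in a packet capture against the
    ranges actually allowlisted for the region.
    """
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in prefixes_for(doc, "AMAZON_CONNECT", region) if addr in n), None)


if __name__ == "__main__":
    doc = load()
    for rule in option2_rules(doc, "us-east-1", stateless=True, agent_os="windows"):
        print(" ".join(rule))
    print(connect_prefix_containing(doc, "us-east-1", "192.0.2.77"))    # 192.0.2.0/25
    print(connect_prefix_containing(doc, "us-east-1", "198.51.100.5"))  # None: EC2 range, not Connect
```

With the real ip-ranges.json the same call produces the full rule set for a region; re-run it from the AmazonIpSpaceChanged notification handler so the rules are regenerated rather than hand-edited when the ranges move.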