does anyone know why my byoc edge is throwing a 502 bad gateway error when routing inbound calls from the pstn trunk? we just finished migrating from zendesk phone system to genesys cloud. in zendesk, the phone system was pretty dumb and just passed the call through, but now genesys architect seems to be doing a lot more validation at the edge level.
the edge logs show a timeout when trying to connect to the genesys cloud control plane. specifically, the logs say “connection refused to api.mypurecloud.com:443”. i checked the dns and the edge can ping the genesys endpoints fine. the tls certificates are valid and not expired.
i am using the default edge configuration for a europe/paris region deployment. the architect flow is super simple, just a queue node and then transfer to agent. it works fine in the sandbox environment but fails in production. is there a specific whitelist or firewall rule i am missing? in zendesk, we didn’t have to worry about edge routing policies like this. any help would be great because the clients are starting to complain about missed calls.
This is actually a known issue…
The 502 Bad Gateway in this context usually indicates that the BYOC edge cannot establish a secure, authenticated session with the Genesys Cloud control plane to validate the incoming SIP INVITE. Since the migration from Zendesk, the edge likely lost its specific tenant association or the certificate chain has become invalid during the cutover process. The “connection refused” log entry confirms the edge is not receiving a handshake response from the cloud, which prevents the routing logic from executing.
First, verify the SIP Trunk Domain configuration in the Genesys Cloud admin console. Ensure the Allowed IP Ranges include the public IP of your BYOC edge. A common oversight during migrations is failing to update the firewall rules or the edge’s allowed list to reflect the new Genesys Cloud endpoints.
Next, check the TLS Certificate on the edge. If the certificate was signed by a Zendesk-internal CA, Genesys Cloud will reject it. You must replace it with a certificate signed by a public CA or the Genesys Cloud root CA. Use the following command to test the edge’s connectivity to the control plane:
curl -v --resolve <edge_domain>:443:<control_plane_ip> https://<edge_domain>/status
If the connection fails, inspect the Edge Log for specific TLS handshake errors. Additionally, ensure the SIP URI in the inbound trunk matches the domain registered in Genesys Cloud. Mismatched domains cause the control plane to drop the request before it reaches the architect flow, resulting in the 502 error. Finally, restart the edge service after applying any configuration changes to clear stale connection states. This usually resolves the handshake failure and allows the PSTN traffic to route correctly through the new architecture.