Implementing BYOC-Cloud (Bring Your Own Carrier) with Azure Communication Services
What This Guide Covers
This masterclass details the integration of Azure Communication Services (ACS) as a telephony carrier for Genesys Cloud BYOC-Cloud. By the end of this guide, you will be able to architect a hybrid cloud voice solution that leverages Microsoft’s global network for PSTN access while using Genesys Cloud for sophisticated interaction orchestration. You will learn how to configure Direct Routing in Azure, establish SIP Trunks in Genesys Cloud, and secure the signaling path using TLS/SRTP.
Prerequisites, Roles & Licensing
Integrating ACS requires administrative access to both the Microsoft Azure Portal and the Genesys Cloud Admin UI.
- Licensing:
- Genesys Cloud CX 1, 2, or 3 with BYOC-Cloud enabled.
- Azure Subscription with Communication Services provisioned.
- Permissions:
Telephony > Trunk > View/Edit- Azure:
Communication Services Administrator.
- Infrastructure: A public-facing IP or FQDN for the Azure Direct Routing endpoint.
The Implementation Deep-Dive
1. Provisioning Azure Communication Services (ACS)
- In the Azure Portal, create a new Communication Services resource.
- Under Telephony and SMS, navigate to Direct Routing.
- Create a new SIP Trunk pointing to the Genesys Cloud signaling FQDN for your region (e.g.,
byoc.us-east-1.pure.cloud).
2. Configuring Genesys Cloud BYOC-Cloud Trunks
- Navigate to Admin > Telephony > Trunks.
- Select Create New and choose External SIP Trunk.
- Inbound/Outbound Configuration:
- SIP Servers: Enter the Azure Communication Services FQDN.
- SIP Termination URI: Your company-specific Azure SIP URI.
- Transport: Set to TLS (Required for Azure).
- Media Encryption: Set to SRTP (Required for Azure).
3. Implementing Identity-Based SIP Security
Azure and Genesys Cloud require certificate-based authentication to establish the TLS handshake.
Architectural Reasoning:
Do not use standard self-signed certificates. Genesys Cloud must trust the Azure Certificate Authority (DigiCert/GlobalSign), and your Azure environment must trust the Genesys Cloud certificate.
Implementation Step:
- Download the Genesys Cloud Public Certificate from the Admin UI.
- In the Azure Portal, navigate to Direct Routing > Certificates and upload the Genesys certificate.
- In Genesys Cloud, ensure the TLS Subject Name matches the Azure FQDN exactly.
4. Designing the “Cross-Cloud” Call Flow
Once the trunk is up, you must configure how calls flow between the clouds.
Implementation Pattern:
- PSTN to Genesys: A call arrives on an Azure-managed phone number. Azure Direct Routing sends a SIP INVITE to Genesys Cloud. Genesys Cloud identifies the number and launches an Architect flow.
- Genesys to PSTN: An agent dials an outbound number. Genesys Cloud sends the INVITE to Azure via the SIP Trunk. Azure routes the call to the global PSTN.
Validation, Edge Cases & Troubleshooting
Edge Case 1: Firewall / NSG Blockage
- The failure condition: The SIP Trunk status is “Active,” but calls fail with a
SIP 408 Timeout. - The root cause: The Azure Network Security Group (NSG) is blocking the media (UDP) or signaling (TCP/5061) ports from Genesys Cloud’s public IP ranges.
- The solution: Whitelist the full CIDR ranges for Genesys Cloud Core Services and Media Services in your Azure NSG. Use the Genesys
ip-ranges.jsonfile for the source of truth.
Edge Case 2: Diversion Header Mismatch
- The failure condition: Call transfers (e.g., Genesys to an external cell phone via Azure) fail.
- The root cause: Azure requires a valid SIP Diversion Header to verify the original caller’s identity for anti-fraud purposes.
- The solution: In the Genesys Cloud Trunk settings, enable “Always send Diversion Header”. Map the
Original Called Addressto the Diversion Header to ensure the call is accepted by the Azure telephony gateway.