Is it possible to bypass public IP whitelisting for BYOC edge-to-core traffic?

Is it possible to configure a Bring Your Own Connection (BYOC) edge to communicate with the Genesys Cloud core APIs without exposing the edge’s public IP address?

We are deploying a Premium App that requires secure, direct database access from the edge runtime. The current security architecture mandates that all outbound traffic from the edge is blocked at the firewall level unless explicitly whitelisted.

The documentation implies that BYOC creates a private tunnel, but the platform API calls from the edge still appear to originate from the public IP range associated with the edge deployment. This creates a compliance conflict for our enterprise clients who cannot whitelist dynamic public IPs.

You need to understand that BYOC establishes a private network connection for media and signaling, but the Premium App runtime still relies on public internet endpoints for core API communication, so IP whitelisting cannot be bypassed. The firewall rules must remain in place to allow outbound traffic from the edge’s public IP to Genesys Cloud services.

resource "genesyscloud_network_edge" "byoc" {
  name            = "secure-edge"
  connection_type = "BYOC"

  # Ensure private endpoints are used where possible
}

The point above is correct. BYOC handles media/signaling, not API traffic. The Premium App runtime still hits public endpoints. Whitelisting is mandatory. Check if private endpoints exist for your specific API calls, but generally, you must open the firewall.

You might want to check the actual traffic flow. BYOC tunnels media, not API requests. Premium Apps still hit public endpoints. If you block outbound traffic, the app fails. Check these items:

  • Genesys Cloud public IP ranges
  • Premium App outbound requirements
  • BYOC media vs control plane separation