Cloud security groups for a VICIdial server
Cloud security groups default to blocking everything — this guide lists every port VICIdial and Asterisk need open and explains why each one matters.
Cloud providers protect new servers with a default-deny inbound firewall — often called a security group, firewall rule set, or network ACL depending on the provider. Nothing gets in unless you explicitly allow it. For a typical web server that means opening port 80 and 443 and calling it done. A VICIdial server is more demanding: it needs SIP signaling ports, a wide UDP range for audio, SSH for administration, and several web ports for the admin interface and agent screens. Get any of those wrong and the system appears to work but silently fails at the protocol level.
SIP signaling ports
SIP (Session Initiation Protocol) uses port 5060 for unencrypted signaling over both UDP and TCP. Port 5061 carries SIP over TLS (Transport Layer Security) when the carrier or an agent softphone connects over an encrypted channel; TLS runs over TCP only, so 5061 needs TCP alone. You therefore need UDP and TCP open on 5060 and TCP open on 5061. If your trunk uses IP authentication instead of a SIP username and password, narrow the source of the SIP rules to your carrier's IP range: scanning bots constantly probe port 5060, and a scoped rule keeps that traffic from ever reaching Asterisk.
RTP media ports
RTP (Real-time Transport Protocol) is the UDP stream that carries the encoded voice. Asterisk allocates a port from a configurable range (rtpstart and rtpend in rtp.conf) for each active call leg. The default in a standard VICIdial install is 10000–20000 UDP. This entire range must be open inbound from any source (carriers, agent softphones on remote networks). You cannot predict which port a given call will be assigned, so opening only part of the range produces intermittent one-way or missing audio that is hard to diagnose: calls whose port lands inside the opened part work, the rest fail.
```mermaid
flowchart LR
    Internet --> FW{Security Group}
    FW -- port 22 TCP --> SSH[SSH admin]
    FW -- port 80 TCP --> HTTP[HTTP redirect]
    FW -- port 443 TCP --> HTTPS[HTTPS web panel]
    FW -- port 5060 UDP and TCP --> SIP[Asterisk SIP]
    FW -- port 5061 TCP --> SIPTLS[SIP TLS]
    FW -- 10000-20000 UDP --> RTP[Asterisk RTP media]
    FW -- port 8080 TCP --> AgentWeb[Web phone interface]
    FW -- blocked --> Drop[All other traffic dropped]
```
Web and admin ports
VICIdial's web interface runs on Apache. The admin panel is served on port 80 (HTTP) and, once a certificate is installed, on 443 (HTTPS). Agents log in through the same web server. Some deployments also expose port 8080 for the VoIP (Voice over Internet Protocol) web phone interface. SSH on port 22 is needed for remote administration; lock its source down to your own IP range, which also cuts off the brute-force attempts every public SSH port attracts.
Here is the full inbound rule set as a reference:
```bash
# Inbound rule set for a VICIdial/Asterisk host at the OS-firewall layer.
# The cloud security group needs the same openings (see "Two firewall layers" below).
# ufw already denies inbound by default; stating the policy makes the intent explicit.
ufw default deny incoming

# SIP signaling (narrow the source to your carrier's range if the trunk uses IP authentication)
ufw allow 5060/udp
ufw allow 5060/tcp
ufw allow 5061/tcp

# RTP media: the whole range, from any source
ufw allow 10000:20000/udp

# Web and admin
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8080/tcp

# SSH (restrict source in production; the scoped form is shown commented below,
# 203.0.113.0/24 is a placeholder from the RFC 5737 documentation range)
ufw allow 22/tcp
# ufw allow from 203.0.113.0/24 to any port 22 proto tcp
```
Locking down what you can
Not every port needs to be open to the world. SSH should be restricted to your office IP or VPN exit node. If you know your carrier's IP ranges, scope SIP to those ranges. The web panel does not need to be world-accessible if you put it behind a VPN — though most operations do leave 80/443 open so agents on any network can log in. The RTP range must remain open to all sources because the carrier's RTP source address may differ from its SIP signaling address.
Two firewall layers to keep in sync
Remember that the cloud security group and the OS-level firewall (ufw or iptables) are independent. Traffic must pass both. A common mistake is opening a port in the cloud security group but leaving it blocked in ufw, or the reverse. When debugging a port issue, verify both layers. For a broader look at managing VICIdial cloud networking day-to-day, see our VICIdial in the cloud guide. For the ongoing firewall management side once everything is running, managing the firewall on a cloud dialer covers that workflow.
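Checking both layers by hand is where ports get missed, so here is an added audit script (example code, not VICIfast's or VICIdial's). It parses a constructed `aws ec2 describe-security-groups` JSON dump and a constructed `ufw status` listing, checks each against the port set on this page, reports anything either layer blocks (including a partially opened RTP range), and warns where SSH or SIP is reachable from 0.0.0.0/0 although a narrower source is known. The carrier and admin prefixes are placeholders from the RFC 5737 documentation ranges; the JSON shape is the one the AWS CLI returns, and other providers would need their own parser.

```python
"""Audit both firewall layers of a VICIdial host against the port set on this page.
Added example, not VICIfast's or VICIdial's code. Inputs are constructed samples; the
carrier and admin prefixes are placeholders from the RFC 5737 documentation ranges."""
import ipaddress
import json
import re
from collections import namedtuple

Rule = namedtuple("Rule", "proto first last cidr")
ANY = "0.0.0.0/0"
CARRIER_CIDRS = ["198.51.100.0/24"]  # placeholder: your SIP carrier's signaling range
ADMIN_CIDRS = ["203.0.113.10/32"]    # placeholder: office or VPN exit address
# Inbound rules the page requires, each with the tightest source scope the page allows.
REQUIRED = [
    ("udp", 5060, 5060, CARRIER_CIDRS, "SIP signaling"),
    ("tcp", 5060, 5060, CARRIER_CIDRS, "SIP signaling"),
    ("tcp", 5061, 5061, CARRIER_CIDRS, "SIP TLS"),
    ("udp", 10000, 20000, [ANY], "RTP media"),
    ("tcp", 80, 80, [ANY], "HTTP"),
    ("tcp", 443, 443, [ANY], "HTTPS"),
    ("tcp", 8080, 8080, [ANY], "web phone"),
    ("tcp", 22, 22, ADMIN_CIDRS, "SSH"),
]

def parse_aws_sg(text):
    """Rules from `aws ec2 describe-security-groups` JSON (IPv4 ranges only)."""
    rules = []
    for group in json.loads(text)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            proto = perm["IpProtocol"]  # "tcp", "udp", or "-1" meaning all traffic
            first, last = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            rules += [Rule(proto, first, last, r["CidrIp"]) for r in perm.get("IpRanges", [])]
    return rules

UFW_LINE = re.compile(r"^(\d+)(?::(\d+))?/(tcp|udp)\s+ALLOW(?:\s+IN)?\s+(\S+)")

def parse_ufw_status(text):
    """Rules from `ufw status` output; IPv6 rows do not match the pattern and are skipped."""
    rules = []
    for m in filter(None, map(UFW_LINE.match, (ln.strip() for ln in text.splitlines()))):
        first, last = int(m.group(1)), int(m.group(2) or m.group(1))
        cidr = ANY if m.group(4) == "Anywhere" else str(ipaddress.ip_network(m.group(4), strict=False))
        rules.append(Rule(m.group(3), first, last, cidr))
    return rules

def uncovered(rules, proto, first, last, source):
    """Sub-ranges of first..last that no rule lets `source` reach; [] when fully open."""
    src = ipaddress.ip_network(source)
    spans = sorted((r.first, r.last) for r in rules
                   if r.proto in (proto, "-1") and ipaddress.ip_network(r.cidr).supernet_of(src))
    gaps, cursor = [], first
    for a, b in spans:  # sweep the sorted spans, recording holes between them
        if a > cursor:
            gaps.append((cursor, min(a - 1, last)))
        cursor = max(cursor, b + 1)
        if cursor > last:
            break
    if cursor <= last:
        gaps.append((cursor, last))
    return gaps

def world_open(rules, proto, first, last):
    return any(r.proto in (proto, "-1") and r.cidr == ANY and r.first <= last and r.last >= first
               for r in rules)

def audit(layers):
    """layers: {"cloud": [...], "host": [...]}. Traffic must pass both, so each is checked."""
    blocked, too_open = [], []
    for proto, first, last, sources, label in REQUIRED:
        for name, rules in layers.items():
            for src in sources:
                for a, b in uncovered(rules, proto, first, last, src):
                    rng = str(a) if a == b else f"{a}-{b}"
                    blocked.append(f"{name}: {label} {rng}/{proto} not allowed from {src}")
            if sources != [ANY] and world_open(rules, proto, first, last):
                too_open.append(f"{name}: {label} {first}/{proto} open to {ANY}")
    return {"blocked": blocked, "too_open": too_open}

# Constructed cloud SG: only half the RTP range, no 5061, and SSH open to the world.
SAMPLE_SG = json.dumps({"SecurityGroups": [{"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": p, "FromPort": a, "ToPort": b, "IpRanges": [{"CidrIp": c}]} for p, a, b, c in [
    ("udp", 5060, 5060, "198.51.100.0/24"), ("tcp", 5060, 5060, "198.51.100.0/24"),
    ("udp", 10000, 15000, ANY), ("tcp", 80, 80, ANY), ("tcp", 443, 443, ANY),
    ("tcp", 8080, 8080, ANY), ("tcp", 22, 22, ANY)]]}]})
# Constructed host ufw listing: the page's rule set, with SSH scoped to the admin address.
SAMPLE_UFW = """Status: active
5060/udp                   ALLOW       Anywhere
5060/tcp                   ALLOW       Anywhere
5061/tcp                   ALLOW       Anywhere
10000:20000/udp            ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
22/tcp                     ALLOW       203.0.113.10
"""

def run_sample():
    return audit({"cloud": parse_aws_sg(SAMPLE_SG), "host": parse_ufw_status(SAMPLE_UFW)})

if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed inputs the "blocked" list names the two cloud-layer gaps (SIP TLS 5061 missing, RTP 15001-20000 missing) while the host layer passes, and the "too_open" list flags SSH open to the world in the cloud group and the host's SIP rules left at Anywhere. Swap the samples for the output of the real `aws ec2 describe-security-groups --group-ids ...` and `ufw status` commands to audit a live box.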
Setting up firewall rules correctly from scratch is detail-oriented work, and one missed port causes hard-to-trace failures. If you would rather not go through it manually, VICIfast plans deliver a VICIdial server with all required ports pre-configured and verified in under 40 seconds.
About VICIfast LLC
VICIfast LLC operates a managed VICIdial hosting + BYOI service for outbound and inbound call centers. We run the dialers, the carriers, the recordings pipeline, and the compliance plumbing so operators don’t have to.
Citing this article
VICIfast Engineering. “Cloud security groups for a VICIdial server”. VICIfast LLC, June 29, 2026. Retrieved from https://vicifast.com/blog/vicidial-cloud-security-groups