Running VICIdial in the cloud: the complete guide
Why teams move VICIdial to the cloud, the per-provider landscape, the universal gotchas, and how BYOI and managed hosting compare for a working dialer.
VICIdial runs fine on a cloud VPS. It was written for bare metal in a colo rack, and most of the install guides still assume that, but the actual software does not care where the kernel lives. What it cares about is a public IP, an open audio port range, and low latency to your carrier. Get those three right and a cloud box dials exactly like a metal one. Get them wrong and you spend a week chasing one-way audio. This guide is the map: why teams move VICIdial to the cloud, what each provider gives you, the gotchas that bite everyone, and the two clean ways to skip the gotchas entirely.
Why teams move VICIdial to the cloud
The old way was a server in a data center: a sales call, a quote, a few days of lead time, a card swipe for a month of rack space, then someone racks a box and hands you an IP. That worked. It also took days, locked you into a year, and meant a hardware failure was a truck roll and a downtime window. Cloud changed the unit of work. A VPS — a virtual private server, a slice of a big host carved into its own machine with its own IP — spins up in a couple of minutes from an API call. You pay by the hour. You delete it when you are done. For a dialer, that flexibility is the whole pitch.
There is a cost angle too. A predictable VICIdial seat count maps to a known CPU and RAM size, and a cloud VPS at that size is often cheaper than a leased dedicated box once you count the hands that rack and replace metal. We break the numbers down in cloud cost versus bare metal, and the broader trade in VICIdial cloud versus on-prem. The short version: cloud wins on speed and on never touching hardware again, bare metal wins on raw per-core price at very large scale. Most rooms under a few hundred agents are better off in the cloud.
Snapshots are the other reason. A cloud host can freeze the entire disk into a Server snapshot — a point-in-time image of the whole machine — and bring it back on a new box in minutes. On metal, a bad upgrade is a restore-from-tape evening. In the cloud it is a roll-back to last night's image. That single capability changes how brave you can be with patches.
The cloud provider landscape
Every major host can run VICIdial, but they are not interchangeable. The differences that matter for a dialer are price per core, how the firewall (the host's "security group") handles a wide UDP range, whether you get a clean public IPv4 with good IP reputation, and which regions sit close to your carrier. Here is the honest per-provider read.
Hetzner
Cheapest dedicated-grade cores you can rent, German and Finnish data centers, and a flat firewall model that does not fight a wide RTP range. The catch is geography: every region is in Europe or the US, so a carrier in Asia or South America pays a latency tax. For a European or US-East operation, it is hard to beat on price. Full walkthrough in VICIdial on Hetzner.
AWS, Google Cloud, and Azure
The three hyperscalers give you the most regions on earth and the deepest networking controls. They also cost the most and make the audio firewall the hardest to get right — their security groups default closed and you must explicitly open the UDP RTP range, which is exactly where most cloud VICIdial failures live. They are the right call when you already run there and want the dialer next to your other systems. See VICIdial on AWS, VICIdial on Google Cloud, and VICIdial on Azure for the per-platform port and IP steps.
DigitalOcean, Vultr, Linode, and OVH
The mid-tier hosts are the sweet spot for a lot of dialer shops: simple pricing, a flat or easily-relaxed firewall, clean public IPs, and a spread of regions wider than Hetzner without hyperscaler complexity. Vultr and OVH in particular have data centers in places the big three under-serve. Walkthroughs for each: DigitalOcean, Vultr, Linode, and OVH. Region choice matters more than brand — pick the data center closest to your carrier's media, not the one closest to your office. We unpack that in choosing a cloud region.
Choosing a provider
The decision is mostly mechanical once you stop arguing about brands. Where is your carrier's media gateway, how many agents will you run, and do you already live in one of these clouds? That routes you to an answer.
flowchart TD
A[Need to run VICIdial in the cloud] --> B{Already on a hyperscaler}
B -->|Yes| C[Use AWS or GCP or Azure next to existing systems]
B -->|No| D{Carrier media in Europe or US}
D -->|Yes| E[Hetzner for lowest cost per core]
D -->|No| F{Need a region the big hosts miss}
F -->|Yes| G[Vultr or OVH for wider footprint]
F -->|No| H[DigitalOcean or Linode for simple flat firewall]
C --> I[Open RTP UDP range and assign public IPv4]
E --> I
G --> I
H --> I
I --> J[Install secured VICIdial and point carrier trunk]The universal cloud gotchas
These bite on every provider. They are not VICIdial bugs and they are not host bugs — they are the seam where a telephony app meets cloud networking. Knowing them in advance saves the week everyone otherwise loses.
The public IP requirement
VICIdial's media engine is Asterisk, and Asterisk needs to advertise a real, routable address to your carrier so the audio knows where to come back. A cloud box that only has a private IP behind the host's network will set up the call signaling fine over SIP (Session Initiation Protocol) — the protocol that rings the phone — and then hear nothing, because the audio packets have nowhere to land. You need a dedicated public IPv4, not a shared one, and Asterisk must be told what it is. The detail lives in the public IP requirement.
The RTP port range and security groups
Call audio rides on RTP — the real-time transport protocol — and Asterisk hands each call a fresh UDP port from a wide range, typically ten to twenty thousand ports. A cloud firewall that only opens the SIP signaling port and forgets the RTP range gives you the classic symptom: calls connect, both sides see "answered", and nobody can hear anyone. You must open the whole UDP RTP range in the host's security group. The exact range and why it is that wide is in the RTP port range.
NAT and one-way audio
Some clouds put your public IP on the host and hand the box a private address — the public IP is one-to-one network address translation, not bound to the interface. Asterisk then advertises the private address and the carrier sends audio into the void. The fix is NAT traversal config: tell Asterisk its external IP and which subnet is local. Skip it and you get audio in one direction only, which sounds like the agent hears the lead but the lead hears silence. The full diagnosis is in NAT and cloud audio issues. This is the single most common cloud-VICIdial support ticket on earth.
Disk for recordings
If you record calls, every two-leg conversation writes audio to disk and it adds up faster than people expect — a busy room can fill a small root volume in days. Cloud boxes ship with modest root disks, so you attach a block volume and point recording storage at it. Sizing and the codec maths are in disk for recordings. Your Codec — the compression format the call uses, like G.729 codec or uncompressed G.711 — decides how much each minute costs you in bytes.
Snapshots, backups, and TLS
Take a nightly snapshot and you can roll back a bad change in minutes; the strategy is in snapshots and backups. For HTTPS on the agent and admin screens, a free Let's Encrypt certificate is the right answer — see Let's Encrypt TLS. And keep the firewall tight so the box is not an open relay; the rules are in firewall management. When agent counts grow, you resize the VPS up rather than shard across boxes — the path is in vertical scaling.
IP reputation and the carrier path
A fresh cloud IP can carry baggage from whoever held it last, and a flagged IP shows up to your called party as "spam likely". This is mostly a carrier and outbound caller-ID problem, not a server one, but the box's IP still matters for your sender reputation. And once the box is up, the network distance to your carrier's media gateway sets your audio quality — too far and you get jitter and clipped words, covered in latency to your carrier. Pick a region near your carrier and most of this evaporates.
That is the full gotcha list, and it is the same on every host. Public IP, RTP range, NAT, disk, snapshots, region. None of it is hard once you know it exists. All of it is a lost week if you do not. If you would rather not own that list, the next two sections are the two ways to hand it off — and our pricing page lays out what each costs.
BYOI: bring your own infrastructure
There is a middle path between doing it all yourself and renting a black box. It is called BYOI (bring your own infrastructure) — bring your own infrastructure. You spin up the cloud box on your own account, on whichever provider you already use, and you give us SSH access. We install and manage secured VICIdial on it over that connection: the install, the patches, the Asterisk CVEs, the upgrades. You own the server, the data, the IP, and the cloud bill. We own keeping the dialer healthy.
The thing people care about most with BYOI is that the recordings and lead data never leave your box. We connect in to manage; we do not move your data out. That matters for keeping data on your own box, and it is the whole reason regulated shops choose this model. The starting point and the full concept are in what BYOI VICIdial means, and the step list for handing us a box is in the BYOI install checklist. BYOI starts from $29/mo.
BYOI still leaves you holding the gotchas above — the public IP, the RTP range, the firewall — because it is your box. The trade you are making is full control and data residency in exchange for owning the infrastructure layer. If that trade does not appeal, the managed option owns that layer for you. We compare them head to head in BYOI versus a managed host and in managed versus DIY in the cloud.
Managed hosting: we own the box
The other clean path is to let us provision the whole thing. You pay, and Provisioning — the automated build of a fresh server — runs end to end: we spin up a dedicated Hetzner VPS, install hardened VICIdial, issue the TLS cert, open the right ports, set the NAT config, and hand you a branded HTTPS subdomain. The whole sequence finishes in under 40 seconds. There is no ticket queue, no provider account to manage, no security group to hand-edit. The public-IP and RTP gotchas are already handled because we build the box knowing they exist.
It is one tenant per server. Your dialer is the only thing on the machine — Single tenant means no noisy neighbor stealing CPU mid-campaign, and no shared blast radius if someone else's box gets popped. You still get full root SSH; it is your server, we just built and secured it. And you bring your own Carrier — we do not sell minutes or lock you to a route. You point your SIP trunk — the connection from your VoIP carrier into the box — at the server and dial.
What we explicitly do not do is your compliance. We make TCPA, DNC, and STIR/SHAKEN easier to operate, but the calling rules, the consent records, and the do-not-call hygiene stay yours. We host and secure the dialer; you run the campaign within the law. The only refund we promise is for a provisioning failure within the first hour. Beyond that, what you see on the pricing page is what you pay — hosting starts from $49/mo.
Which path is yours
Three honest options, and they sort cleanly. Pure DIY — pick a provider, rent the VPS, fight the public-IP and RTP-range gotchas yourself — is the cheapest in dollars and the most expensive in your hours; the per-provider guides above are written to make that path survivable if it is the one you want. BYOI is for the team that needs the box and the data on its own account but does not want to babysit Asterisk patches: you own the infrastructure, we own the dialer, from $29/mo. Managed hosting is for the team that wants to dial today: a secured DID (direct inward dialing)-ready box on a branded subdomain in under 40 seconds, single tenant, root SSH, your carrier, from $49/mo.
Cloud is the right home for VICIdial in 2026 — the speed, the snapshots, and the freedom to delete a box and start clean all favor it over a leased rack. The only real question is how much of the plumbing you want to own. Read the gotcha guides if you are going DIY, look at BYOI if you need the data on your own box, and check the managed numbers on the pricing page if you would rather we built it. Whatever you choose, the dialer underneath is the same VICIdial — the difference is only who owns the wrench.
About VICIfast LLC
VICIfast LLC operates a managed VICIdial hosting + BYOI service for outbound and inbound call centers. We run the dialers, the carriers, the recordings pipeline, and the compliance plumbing so operators don’t have to.
Citing this article
VICIfast Engineering. “Running VICIdial in the cloud: the complete guide”. VICIfast LLC, June 29, 2026. Retrieved from https://vicifast.com/blog/vicidial-in-the-cloud-guide
Have questions?
Related posts
You might be interested in
VICIfast newsletter
Liked this? Get the next one in your inbox.
We ship the kind of stuff you just read — concrete, numbers-first, no drip. One email when a new post goes live. Unsubscribe in one click.
Comments
No comments yet — be the first.