johnd-aws Deactivated posted

Amazon Chime Firewall Simplification

Update: 6 January 2020
Amazon Chime has completed the consolidation of its IP addresses and ports to simplify firewall rules.

Amazon Chime uses TCP/443 for HTTPS and WebSocket communication to hosts with DNS suffixes:

Additionally:

  • Amazon Chime Meetings and Business Calling uses 99.77.128.0/18 UDP/3478
  • SIP and H.323 room systems use 13.248.147.139 or 76.223.18.152, and UDP/10000-60000
  • H.323 room systems also use TCP/10000-60000

Check if your firewall rules require updating with the Amazon Chime Readiness Checker.


Learn More

For more information, see:


Original Notice (posted 5 September 2019)

Amazon Chime uses UDP to stream audio, video and screen sharing, which is typically blocked by enterprise firewalls. IT Administrators are required to configure several firewall rules to allow users and room systems to connect to Chime.

Amazon Chime is simplifying its firewall requirements to minimize the chance of firewalls inadvertently blocking media and to help reduce firewall administrative overhead. If you are responsible for firewall rules, keep reading to learn what changes, if any, are required in your firewall configuration to ensure your access to Amazon Chime is not affected.

There are two groups of users affected:

  1. Users of the Amazon Chime clients for Meetings and Business Calling
  2. Users of room systems used to join Amazon Chime Meetings


Amazon Chime Clients

What’s changing?

Amazon Chime is moving all its media (audio, video, and screen share) to utilize a single subnet and port: 99.77.128.0/18 UDP/3478. This reduces the firewall configuration for Amazon Chime media from 18 rules (six subnets, each with three UDP port ranges) to one.

Who is affected?

Amazon Chime Meetings and Business Calling users will automatically transition to the new subnet. Action is required to ensure Amazon Chime Meetings and Business Calling users can access the media subnet and are not blocked by a firewall.

When is it changing?

The new media subnet will launch in October 2019; however, the six existing media subnets will remain in use through December 2019.

What should I do?

Before October 2019, check if your firewall rules require updating with the Amazon Chime Readiness Checker. If UDP port 3478 is not open, you will need to add a rule to open 99.77.128.0/18 UDP/3478.


Room Systems

What’s changing?

H.323 room systems have a new redundant pair of IP addresses to connect to Amazon Chime Meetings: 13.248.147.139 and 76.223.18.152.

All room systems will be transitioning their media to use the same subnet as Amazon Chime clients (99.77.128.0/18); however, they require UDP ports 10000 to 60000 to be open. H.323 room systems also require TCP ports 10000 to 60000 to be open.

Who is affected?

Amazon Chime users joining meetings from a SIP or H.323 Room System. Action is required to ensure room systems can join Amazon Chime Meetings and their access to the media subnet is not blocked by a firewall.

When is it changing?

The new IP addresses for H.323 room systems to connect to Amazon Chime Meetings are available now. The existing IP address will continue to be in service through December 2019.

The new media subnet will launch in October 2019; however, the existing two subnets will remain in use through December 2019.

What should I do?

Before October, 2019, update your firewall rules to open 99.77.128.0/18 UDP/10000:60000 for all room systems.

Before December, 2019, update your H.323 Room System configuration to connect to Amazon Chime Meetings on 13.248.147.139 or 76.223.18.152.
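The following is an added example, not part of the original article and not AWS code: a small Python audit that checks a firewall's egress allow rules against the media requirements described above and flags any requirement that is met only by a rule broader than the article asks for. The rule tuple format and the sample rules are constructed for illustration, and the destination of the H.323 TCP port range is assumed to be the media subnet, which the article does not state explicitly.

```python
import ipaddress

# Requirements as stated in the article (media subnet and ports).
# Assumption: the TCP entry's destination is the media subnet; the article
# gives the port range for H.323 room systems but no explicit destination.
REQUIRED = {
    "client-media":   ("udp", "99.77.128.0/18", 3478, 3478),
    "room-media-udp": ("udp", "99.77.128.0/18", 10000, 60000),
    "h323-media-tcp": ("tcp", "99.77.128.0/18", 10000, 60000),
}

def covers(rule, req):
    """True if a single allow rule fully contains the requirement."""
    r_proto, r_cidr, r_lo, r_hi = rule
    q_proto, q_cidr, q_lo, q_hi = req
    r_net = ipaddress.ip_network(r_cidr)
    q_net = ipaddress.ip_network(q_cidr)
    return (r_proto == q_proto and q_net.subnet_of(r_net)
            and r_lo <= q_lo and q_hi <= r_hi)

def audit(rules, needed=REQUIRED):
    """Classify each requirement as 'missing', 'exact' or 'broad'.

    'broad' means the traffic is allowed only by a rule wider than the
    article asks for (larger destination range or larger port range).
    Coverage by a union of several narrower rules is not considered.
    """
    result = {}
    for name, req in needed.items():
        matches = [r for r in rules if covers(r, req)]
        if not matches:
            result[name] = "missing"
        elif any(ipaddress.ip_network(r[1]) == ipaddress.ip_network(req[1])
                 and r[2:] == req[2:] for r in matches):
            result[name] = "exact"
        else:
            result[name] = "broad"
    return result

# Constructed sample egress allow list (not from the article).
SAMPLE_RULES = [
    ("udp", "99.77.128.0/18", 3478, 3478),  # matches the article exactly
    ("udp", "0.0.0.0/0", 1024, 65535),      # legacy catch-all UDP rule
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_RULES).items():
        print(f"{name}: {status}")
```

A "broad" result is a candidate for tightening to the exact subnet and port range once the catch-all rule is no longer needed for other traffic.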


What’s Not Changing

Amazon Chime will continue to use TCP/443 for HTTPS and WebSocket communication to hosts with DNS suffixes:

If using a proxy, ensure that it proxies WebSockets as well as HTTPS.

If your firewall blocks port TCP/443, you must put *.amazonaws.com on an allow list, or allow the AWS IP Address Ranges from the AWS General Reference for the following services:

  • Amazon EC2
  • Amazon CloudFront
  • Amazon Route 53


Learn More

For more information, see:

JohnD-aws contributed to this article