Reference Architecture Diagram: Deploying self hosted VoIP services for hybrid users #17822
1 files reviewed, 2 total issue(s) found.
…g-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
…g-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
Deploying cloudflare-docs with
| Latest commit: | e7a3ddd |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://5d30e8a4.cloudflare-docs-7ou.pages.dev |
| Branch Preview URL: | https://sthorpe-deploying-self-hoste.cloudflare-docs-7ou.pages.dev |
…g-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
…g-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
…g-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
…g-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
…g-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
…g-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
…g-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
…g-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
Co-authored-by: ranbel <[email protected]>
ranbel left a comment
Noticed a few more tiny issues during my second read-through. Otherwise the doc looks good to me!
| Cloudflare improves over traditional VPN solutions by leveraging its [global network](https://www.cloudflare.com/network/) of data centers in over 300 cities to significantly reduce latency for remote users. When using our device agent, remote users are automatically connected to the nearest Cloudflare data center, thus reducing latency. | ||
| This document explains how Cloudflare can be architected with a self-hosted VoIP service. Note the solution below uses our [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/), a small piece of software deployed on a server in the same subnet as the VoIP servers and creates bi-directional traffic flow through Cloudflare to users. |
| This document explains how Cloudflare can be architected with a self-hosted VoIP service. Note the solution below uses our [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/), a small piece of software deployed on a server in the same subnet as the VoIP servers and creates bi-directional traffic flow through Cloudflare to users. | |
| This document explains how to architect a self-hosted VoIP service using Cloudflare products. Note the solution below uses our [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/), a small piece of software deployed on a server in the same subnet as the VoIP servers and creates bi-directional traffic flow through Cloudflare to users. |
|  | ||
| The diagram above shows the WARP Connector and our device agent deployed to create a highly performant, reliable connectivity for private VoIP services. Note that Cloudflare will assign remote users an address from the <GlossaryTooltip term="CGNAT IP">CGNAT range</GlossaryTooltip>, which is used for the private network created between device agents. The WARP Connector ensures secure, bidirectional communication between remote users and the on-premise SIP server, without exposing the server to the public Internet. This shields the VoIP infrastructure from potential attacks while maintaining a seamless, encrypted connection for real-time communications. |
| The diagram above shows the WARP Connector and our device agent deployed to create a highly performant, reliable connectivity for private VoIP services. Note that Cloudflare will assign remote users an address from the <GlossaryTooltip term="CGNAT IP">CGNAT range</GlossaryTooltip>, which is used for the private network created between device agents. The WARP Connector ensures secure, bidirectional communication between remote users and the on-premise SIP server, without exposing the server to the public Internet. This shields the VoIP infrastructure from potential attacks while maintaining a seamless, encrypted connection for real-time communications. | |
| The diagram above shows the WARP Connector and our device agent deployed to establish highly performant, reliable connectivity for private VoIP services. Note that Cloudflare will assign remote users an address from the <GlossaryTooltip term="CGNAT IP">CGNAT range</GlossaryTooltip>, which is used for the private network created between device agents. The WARP Connector ensures secure, bidirectional communication between remote users and the on-premise SIP server, without exposing the server to the public Internet. This shields the VoIP infrastructure from potential attacks while maintaining a seamless, encrypted connection for real-time communications. |
| ## Call flow examples | ||
| VoIP software running on the remote user's device registers with the VoIP server using SIP. The Cloudflare device agent will be assigned an address from the CGNAT IP range, `100.96.0.0/12`. As routing has been established to Cloudflare for `100.96.0.0/12` and to the on-prem network of `10.0.50.0/24`, call flows will work as normal – both direct and indirect media are supported. |
| VoIP software running on the remote user's device registers with the VoIP server using SIP. The Cloudflare device agent will be assigned an address from the CGNAT IP range, `100.96.0.0/12`. As routing has been established to Cloudflare for `100.96.0.0/12` and to the on-prem network of `10.0.50.0/24`, call flows will work as normal – both direct and indirect media are supported. | |
| VoIP software running on the remote user's device registers with the VoIP server using SIP. The Cloudflare device agent will be assigned an address from the CGNAT IP range, `100.96.0.0/12`. As routing has been established to Cloudflare for `100.96.0.0/12` and to the on-premise network of `10.0.50.0/24`, call flows will work as normal – both direct and indirect media are supported. |
| ### Remote user calling another remote user | ||
| When calls are made from user to user, some traffic flows from user devices through Cloudflare to the on-premises server, while other traffic flows through Cloudflare directly to the other user. Note that the device agent is creating a secure tunnel through which the CGNAT addresses are routed. Both users in this flow have registered their SIP clients with the server. |
| When calls are made from user to user, some traffic flows from user devices through Cloudflare to the on-premises server, while other traffic flows through Cloudflare directly to the other user. Note that the device agent is creating a secure tunnel through which the CGNAT addresses are routed. Both users in this flow have registered their SIP clients with the server. | |
| When calls are made from user to user, some traffic flows from user devices through Cloudflare to the on-premise server, while other traffic flows through Cloudflare directly to the other user. Note that the device agent is creating a secure tunnel through which the CGNAT addresses are routed. Both users in this flow have registered their SIP clients with the server. |
| The above diagram shows the high level signaling and media paths. | ||
| 1. Alice registers directly with the SIP server (`10.0.50.60`) with her Cloudflare assigned CGNAT IP of `100.96.0.12`. |
| 1. Alice registers directly with the SIP server (`10.0.50.60`) with her Cloudflare assigned CGNAT IP of `100.96.0.12`. | |
| 1. Alice registers directly with the SIP server (`10.0.50.60`) with a Cloudflare assigned CGNAT IP of `100.96.0.12`. |
| 4. The default gateway for the SIP server is `10.50.0.1`, but we have defined a static route such that for destination `100.96.0.0/12`, the next hop is the WARP Connector interface (`10.0.50.10`). | ||
| 5. The SIP INVITE message will be sent on the local network to Bob. | ||
| 6. Bob accepts and the SIP server will send SIP/SDP messages to both Alice and Bob specifying which parameters to use for the RTP (audio) data. | ||
| 7. Bob will send audio to Alice at 100.96.0.12, which will be routed across the WARP Connector to Cloudflare, and Alice will send audio to Bob at 10.0.50.101, which will be sent from Cloudflare across the WARP Connector to the on-premise local network. |
| 7. Bob will send audio to Alice at 100.96.0.12, which will be routed across the WARP Connector to Cloudflare, and Alice will send audio to Bob at 10.0.50.101, which will be sent from Cloudflare across the WARP Connector to the on-premise local network. | |
| 7. Bob will send audio to Alice at `100.96.0.12`, which will be routed across the WARP Connector to Cloudflare, and Alice will send audio to Bob at `10.0.50.101`, which will be sent from Cloudflare across the WARP Connector to the on-premise local network. |
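Review bot: In step 4 the default gateway is given as `10.50.0.1`, which is outside the on-premise network `10.0.50.0/24` that holds the SIP server (`10.0.50.60`) and the WARP Connector interface (`10.0.50.10`). A host's default gateway has to sit on its own subnet, so this reads like transposed octets. Suggest checking the value against the diagram and using an address inside `10.0.50.0/24`, so that readers who copy the static-route setup for `100.96.0.0/12` do not configure an unreachable gateway.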
| ## Summary | ||
| Remote users communicating with other remote users or on-premise users via on-premise SIP servers using Cloudflare's WARP Connector, will have a seamless and secure experience for both ends, with key benefits: |
| Remote users communicating with other remote users or on-premise users via on-premise SIP servers using Cloudflare's WARP Connector, will have a seamless and secure experience for both ends, with key benefits: | |
| With Cloudflare's WARP Connector, remote users communicating with other remote users or on-premise users via on-premise SIP servers will have a seamless and secure experience for both ends. Key benefits include: |
| Remote users communicating with other remote users or on-premise users via on-premise SIP servers using Cloudflare's WARP Connector, will have a seamless and secure experience for both ends, with key benefits: | ||
| 1. **Bidirectional Connectivity**: WARP Connector supports bidirectional traffic, which is crucial for remote users communicating with on-premise users. Both signaling and media traffic (SIP/RTP) flow securely between the two, regardless of where the user is physically located. This is done via Cloudflare's global network, using an encrypted tunnel, ensuring data integrity and encryption. |
| 1. **Bidirectional Connectivity**: WARP Connector supports bidirectional traffic, which is crucial for remote users communicating with on-premise users. Both signaling and media traffic (SIP/RTP) flow securely between the two, regardless of where the user is physically located. This is done via Cloudflare's global network, using an encrypted tunnel, ensuring data integrity and encryption. | |
| 1. **Bidirectional connectivity**: WARP Connector supports bidirectional traffic, which is crucial for remote users communicating with on-premise users. Both signaling and media traffic (SIP/RTP) flow securely between the two, regardless of where the user is physically located. This is done via Cloudflare's global network using an encrypted tunnel, ensuring data integrity and encryption. |
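Review bot: The closing sentence of the Bidirectional connectivity item says the encrypted tunnel is "ensuring data integrity and encryption", which is circular: encryption is the mechanism, not the property it delivers. Suggest naming the properties instead, for example "using an encrypted tunnel, ensuring data confidentiality and integrity", so the security claim for SIP/RTP traffic is stated precisely.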
| 1. **Bidirectional Connectivity**: WARP Connector supports bidirectional traffic, which is crucial for remote users communicating with on-premise users. Both signaling and media traffic (SIP/RTP) flow securely between the two, regardless of where the user is physically located. This is done via Cloudflare's global network, using an encrypted tunnel, ensuring data integrity and encryption. | ||
| 2. **Private Communication Over CGNAT**: The WARP Connector assigns Carrier-Grade NAT (CGNAT) IPs to devices, which allows remote users to securely communicate with on-premise users over private networks. This ensures that communication remains isolated from the public Internet, enhancing security. The CGNAT functionality means that remote and on-premise users can communicate as though they are on the same network. |
| 2. **Private Communication Over CGNAT**: The WARP Connector assigns Carrier-Grade NAT (CGNAT) IPs to devices, which allows remote users to securely communicate with on-premise users over private networks. This ensures that communication remains isolated from the public Internet, enhancing security. The CGNAT functionality means that remote and on-premise users can communicate as though they are on the same network. | |
| 2. **Private communication over CGNAT**: The WARP Connector assigns Carrier-Grade NAT (CGNAT) IPs to devices, which allows remote users to securely communicate with on-premise users over private networks. This ensures that communication remains isolated from the public Internet, enhancing security. The CGNAT functionality means that remote and on-premise users can communicate as though they are on the same network. |
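Review bot: The Private communication over CGNAT item says "The WARP Connector assigns Carrier-Grade NAT (CGNAT) IPs to devices", which conflicts with the earlier paragraphs stating that Cloudflare assigns remote users an address from the CGNAT range and that the device agent is the one assigned an address from `100.96.0.0/12`. Suggest naming a single assigning component consistently across the overview, the call flow section and this summary, since readers will base their static routes and firewall rules on which component owns those addresses.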
| 2. **Private Communication Over CGNAT**: The WARP Connector assigns Carrier-Grade NAT (CGNAT) IPs to devices, which allows remote users to securely communicate with on-premise users over private networks. This ensures that communication remains isolated from the public Internet, enhancing security. The CGNAT functionality means that remote and on-premise users can communicate as though they are on the same network. | ||
| 3. **No NAT Traversal Issues**: NAT traversal often poses a challenge in VoIP scenarios, but because WARP Connector preserves source IP addresses and handles bidirectional traffic without additional NAT boundaries, remote and on-premise users can communicate without issues typically caused by firewalls or NAT devices, improving the overall call setup and quality. |
| 3. **No NAT Traversal Issues**: NAT traversal often poses a challenge in VoIP scenarios, but because WARP Connector preserves source IP addresses and handles bidirectional traffic without additional NAT boundaries, remote and on-premise users can communicate without issues typically caused by firewalls or NAT devices, improving the overall call setup and quality. | |
| 3. **No NAT traversal issues**: NAT traversal often poses a challenge in VoIP scenarios, but because WARP Connector preserves source IP addresses and handles bidirectional traffic without additional NAT boundaries, remote and on-premise users can communicate without issues typically caused by firewalls or NAT devices, improving the overall call setup and quality. |
…or hybrid users (#17822)
* Initial commit
* Updating images
* Update src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
* Update src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
* Update src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
* Update src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
* Update src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
* Update src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
* Update src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
* Update src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
* Update src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
* Update src/content/docs/reference-architecture/diagrams/sase/deploying-self-hosted-VoIP-services-for-hybrid-users.mdx Co-authored-by: ranbel <[email protected]>
* Apply suggestions from code review Co-authored-by: ranbel <[email protected]>
* Update deploying-self-hosted-VoIP-services-for-hybrid-users.mdx
* Update deploying-self-hosted-VoIP-services-for-hybrid-users.mdx
* import missing component
---------
Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
Co-authored-by: ranbel <[email protected]>