Deploy Azure Communications Gateway
Prerequisites
Complete Prepare to deploy Azure Communications Gateway. Ensure you have access to all the information that you collected by following that procedure.
Important
You must be a telecommunications operator to use Azure Communications Gateway.
For Operator Connect or Teams Phone Mobile, you must also have signed an Operator Connect or Teams Phone Mobile agreement with Microsoft. For more information on these programs, see Operator Connect or Teams Phone Mobile.
For Zoom Phone Cloud Peering, you must also have started the onboarding process with Zoom to become a Zoom Phone Cloud Peering provider. For more information on Cloud Peering, see Zoom's Cloud Peering information.
Important
You must fully understand the onboarding process for your chosen communications service and any dependencies introduced by the onboarding process.
Allow sufficient elapsed time for the deployment and onboarding process. For example, you might need wait up to two weeks for a new Azure Communications Gateway resource to be provisioned before you can connect it to your network.
You must own globally routable numbers for two types of testing:
- Integration testing by your staff during deployment and integration
- Service verification (continuous call testing) by your chosen communication services
The following table describes how many numbers you need to allocate.
Service | Numbers for integration testing | Service verification numbers |
---|---|---|
Operator Connect | 1 (minimum) | - Production deployments: 6 - Lab deployments: 3 |
Teams Phone Mobile | 1 (minimum) | - Production deployments: 6 - Lab deployments: 3 |
Microsoft Teams Direct Routing | 1 (minimum) | None (not applicable) |
Zoom Phone Cloud Peering | 1 (minimum) | - US and Canada: 6 - Rest of world: 2 |
Azure Operator Call Protection Preview | 1 (minimum) | None (not applicable) |
Important
Service verification numbers must be usable throughout the lifetime of your deployment.
Create an Azure Communications Gateway resource
Use the Azure portal to create an Azure Communications Gateway resource.
Sign in to the Azure portal.
In the search bar at the top of the page, search for Communications Gateway and select Communications Gateways.
Select the Create option.
Use the information you collected in Collect basic information for deploying an Azure Communications Gateway to fill out the fields in the Basics configuration tab and then select Next: Service Regions.
Use the information you collected in Collect configuration values for service regions to fill out the fields in the Service Regions tab and then select Next: Communications Services.
Select the communications services that you want to support in the Communications Services configuration tab, use the information that you collected in Collect configuration values for each communications service to fill out the fields, and then select Next: Test Lines.
Use the information that you collected in Collect values for service verification numbers to fill out the fields in the Test Lines configuration tab and then select Next: Tags.
- Don't configure numbers for integration testing.
- Microsoft Teams Direct Routing and Azure Operator Call Protection Preview don't require service verification numbers.
(Optional) Configure tags for your Azure Communications Gateway resource: enter a Name and Value for each tag you want to create.
Select Review + create.
If you've entered your configuration correctly, the Azure portal displays a Validation Passed message at the top of your screen. Navigate to the Review + create section.
If you haven't filled in the configuration correctly, the Azure portal display an error symbol for the section(s) with invalid configuration. Select the section(s) and use the information within the error messages to correct the configuration, and then return to the Review + create section.
Submit your Azure Communications Gateway configuration
Check your configuration and ensure it matches your requirements. If the configuration is correct, select Create.
Once your resource has been provisioned, a message appears saying Your deployment is complete. Select Go to resource group, and then check that your resource group contains the correct Azure Communications Gateway resource.
Note
You can't make calls immediately. You need to complete the remaining steps in this guide before your resource is ready to handle traffic.
Wait for provisioning to complete
Wait for your resource to be provisioned. When your resource is ready, the Provisioning Status field on the resource overview changes to "Complete." We recommend that you check in periodically to see if the Provisioning Status field is "Complete." This step might take up to two weeks.
Connect Azure Communications Gateway to your networks
When your resource has been provisioned, you can connect Azure Communications Gateway to your networks.
- Exchange TLS certificate information with your onboarding team.
- Azure Communications Gateway is preconfigured to support the DigiCert Global Root G2 certificate and the Baltimore CyberTrust Root certificate as root certificate authority (CA) certificates. If the certificate that your network presents to Azure Communications Gateway uses a different root CA certificate, provide your onboarding team with this root CA certificate.
- The root CA certificate for Azure Communications Gateway's certificate is the DigiCert Global Root G2 certificate. If your network doesn't have this root certificate, download it from https://www.digicert.com/kb/digicert-root-certificates.htm and install it in your network.
- Configure your infrastructure to meet the call routing requirements described in Reliability in Azure Communications Gateway.
- Depending on your network, you might need to configure SBCs, softswitches, and access control lists (ACLs).
Important
When configuring SBCs, firewalls, and ACLs, ensure that your network can receive traffic from both of the /28 IP ranges provided to you by your onboarding team because the IP addresses used by Azure Communications Gateway can change as a result of maintenance, scaling or disaster scenarios.
- If you are using Azure Operator Call Protection Preview, a component in your network (typically an SBC), must act as a SIPREC Session Recording Client (SRC).
- Your network needs to send SIP traffic to per-region FQDNs for Azure Communications Gateway. To find these FQDNs:
- Sign in to the Azure portal.
- In the search bar at the top of the page, search for your Communications Gateway resource.
- Go to the Overview page for your Azure Communications Gateway resource.
- In each Service Location section, find the Hostname field. You need to validate TLS connections against this hostname to ensure secure connections.
- We recommend configuring an SRV lookup for each region, using
_sip._tls.<regional-FQDN-from-portal>
. Replace<regional-FQDN-from-portal>
with the per-region FQDNs from the Hostname fields on the Overview page for your resource.
- If your Azure Communications Gateway includes integrated MCP, configure the connection to MCP:
- Go to the Overview page for your Azure Communications Gateway resource.
- In each Service Location section, find the MCP hostname field.
- Configure your test numbers with an iFC of the following form, replacing
<mcp-hostname>
with the MCP hostname for the preferred region for that subscriber.XML<InitialFilterCriteria> <Priority>0</Priority> <TriggerPoint> <ConditionTypeCNF>0</ConditionTypeCNF> <SPT> <ConditionNegated>0</ConditionNegated> <Group>0</Group> <Method>INVITE</Method> </SPT> <SPT> <ConditionNegated>1</ConditionNegated> <Group>0</Group> <SessionCase>4</SessionCase> </SPT> </TriggerPoint> <ApplicationServer> <ServerName>sip:<mcp-hostname>;transport=tcp;service=mcp</ServerName> <DefaultHandling>0</DefaultHandling> </ApplicationServer> </InitialFilterCriteria>
- Configure your routers and peering connection to ensure all traffic to Azure Communications Gateway is through Microsoft Azure Peering Service Voice (also known as MAPS Voice) or ExpressRoute Microsoft Peering.
- Enable Bidirectional Forwarding Detection (BFD) on your on-premises edge routers to speed up link failure detection.
- The interval must be 150 ms (or 300 ms if you can't use 150 ms).
- With MAPS Voice, BFD must bring up the BGP peer for each Private Network Interface (PNI).
- Meet any other requirements for your communications platform (for example, the Network Connectivity Specification for Operator Connect or Teams Phone Mobile). If you need access to Operator Connect or Teams Phone Mobile specifications, contact your onboarding team.