# Restrict Inbound Calls to the Cloud Voice App

A voice app receives incoming calls over the internet, so in principle any source that can reach your device could try to ring it directly. To reduce your exposure to unwanted or malicious calls, you can lock down the Cloud Voice App on your phone so it ignores any inbound call that does not arrive through your Cloud Voice server. This page shows you how to turn that protection on.

:::note
An IP (Internet Protocol) address is the numeric address a device uses on a network. An "external IP" call is one that reaches the app from a public internet address instead of being routed through your Cloud Voice server. Voice apps signal calls using SIP (Session Initiation Protocol), and unsolicited call attempts from unknown external addresses are a common form of scanning and abuse. The **Restrict External IP** setting filters those out.
:::

## Enable the restriction

1. On the **Calls** screen, tap your account in the upper-left corner.
2. Open **Settings > Advanced**.
3. Switch on **Restrict External IP**.

![Advanced settings screen with the Restrict External IP option switched on](/images/pbx/enable-external-ip-restriction.png)

:::tip
Turning this on is good security practice for any device that only ever places and receives calls through your Cloud Voice server, which covers most everyday users.
:::

## What changes

With the setting enabled, the app delivers calls to you only when they are routed through your Cloud Voice server. Attempts that come directly from an unrecognized external IP address are no longer accepted.

:::caution
This is a per-device setting: it only affects the app on this phone, not your account elsewhere. After you enable it, any inbound call that reaches the app directly instead of through your Cloud Voice server will be silently dropped. If you rely on a device or system that calls the app directly, expect those calls to stop arriving once this is on.
:::
