# Network Security

Network security forms the second layer in a defense-in-depth approach to protecting your phone system, your PBX (Private Branch Exchange, the platform that runs your calls and extensions). It watches every connection attempt reaching Cloud Voice and decides whether to permit or reject it against rules you define. Two policies let you tighten this layer: restricting access by country or region, and explicitly allowlisting trusted IP (Internet Protocol) addresses.

Use these when you want to shrink the number of places on the internet that are even allowed to talk to your system. The fewer sources that can reach it, the fewer ways an attacker has in. The two policies live in different parts of the **Security** menu: country and region filtering sits under **Security Settings**, while the trusted-IP allowlist sits under **Security Rules**.

## Restrict access by country or region

Geographic filtering limits who can reach your Cloud Voice system based on where their traffic originates. When you enable it, only the countries and regions you approve are allowed through; connections from everywhere else are blocked.

:::note
This filtering happens at the network level, before traffic reaches any service. A blocked region cannot reach the web portal, the Cloud Voice App, or SIP (Session Initiation Protocol, the signaling that carries calls). It is not limited to blocking calls.
:::

To turn on geographic restrictions:

1. Navigate to **Security > Security Settings > Allowed Country IPs**.
2. Enable the **Enable Allowed Country/Region IP Access Protection** switch.

   :::caution
   If a confirmation prompt appears, you must approve access for your own country or region. Skipping this step will lock you out of your own system.
   :::
3. Use the search bar in the top-right corner to find each country or region you want to permit, then switch it on in the **Operations** column.

   ![Country and region access list with per-region toggles in the Operations column](/images/pbx/geo-restriction-pce.png)
4. Click **Apply**.

:::tip
Enable only the countries and regions where your staff, phones, and integrations actually connect from. A shorter allowed list means a smaller attack surface. If everyone works from a single country, allow just that one.
:::

## Allow trusted access by IP address

Cloud Voice ships with built-in protection that guards legitimate connections, such as those from auto-provisioned devices (phones the system configures automatically) and platform services, while blocking unknown threats. It does this by inspecting the volume of packets sent to particular ports over a set window of time.

:::note
Think of this built-in protection as an automatic rate limit. If any single address sends too many packets to a monitored port too quickly, Cloud Voice treats the burst as a possible attack and blocks that address. A busy but legitimate device can occasionally cross this threshold and get blocked by mistake.
:::

To keep a trusted device from being blocked this way, add its IP address to the allowlist so Cloud Voice always accepts its connections.

1. Sign in to the PBX web portal and go to **Security > Security Rules**.
2. On the **Allowed IPs** tab, click **Add** to create a rule.

   ![Form for adding a trusted IP address rule under the Allowed IPs tab](/images/pbx/allowed-ip-pce.png)
3. Click **Save**, then **Apply**.

:::caution
An allowlisted address is exempt from the packet-rate protection above, so each entry is a standing hole in that defense. Only add addresses you fully control and trust, and remove entries once they are no longer needed.
:::

:::tip
Enter a fixed (static) public IP address. A device on a dynamic IP will eventually be assigned a different address, after which the rule stops matching and the device can be blocked again.
:::
