foreign-sapphire, 3mo ago

Restricting Incoming Calls to Specific SIP Trunk on BYO Phone Number

Good morning, Support Team,

I am currently migrating the SIP trunks of our assistants to a BYO-SIP-Trunk model ("provider": "byo-sip-trunk"), and the process has been successful so far following your documentation. However, I’ve encountered an issue when creating a phone number with "provider": "byo-phone-number" and linking it to a trunk via "credentialId": "YOUR_CREDENTIAL_ID". Despite this association, I am still able to receive calls to the number from any SIP origin.

My question is: How can I configure the BYO phone number to only accept calls originating from the SIP trunk associated with its credentials?

I’ve configured the trunk using peer authentication, which is suitable for my use case. If any specific parameter needs to be set, I would appreciate it if you could let me know which SIP header the sip.vapi.ai backend expects to receive in order to validate the source.

Logs:
Call from an external source: Call ID 9008baa0-539a-4ae6-a996-86aa1c674e54 (should not be allowed).
Call from my SIP Trunk BYO: Call ID 8e16ea8b-7d6f-4b1b-967a-cfc4ad8e258e.

Thank you for your support — I look forward to your guidance.

Best regards,
S.Caballero
12 Replies
foreign-sapphire (OP), 3mo ago
????
Shubham Bajaj, 3mo ago
Hi caballero330,

To restrict incoming calls to a specific SIP trunk using a "byo-phone-number," you'll need to ensure that your provider's configuration only allows calls from the designated SIP trunk. The generic SIP setup in Vapi doesn't inherently restrict call sources, so this control must be enforced at the SIP provider level.

1. Verify your SIP provider settings: Ensure your provider's settings are configured to accept calls only from your Vapi SIP URI or the specific credentials associated with your "byo-phone-number."
2. Use IP whitelisting: If your SIP provider supports it, limit the IP addresses that can send calls to your trunk to only those associated with your Vapi configuration.
3. Configure Vapi Webhooks: Implement webhooks on events like "call.ringing" to manage call behavior programmatically by inspecting the call source and deciding whether to accept or reject the call.

The required headers are the To: and From:
From: <sip:+1234567890@provider.com>
To: <sip:+1987654321@YOUR_CREDENTIAL_ID.sip.vapi.ai>
For more detailed steps on configuring your SIP provider and Vapi setup, you might find this SIP Trunking guide helpful.
foreign-sapphire (OP), 3mo ago
Good morning, Kyle,

What I want is to prevent a pseudo number from being dialed from any public IP address other than the one of my SIP trunk. Usually, setting type=peer is enough. I have tried enabling all possible authentication options in the SIP trunk and assigned the pseudo number to use my SIP trunk. However, I can still dial the number from any source.

I'm sharing the anonymized SIP trunk and number data below so you can review them and see if anything is missing, or if it could be a bug in Vapi.

[
  {
    "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "orgId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "provider": "byo-sip-trunk",
    "createdAt": "2025-06-30T08:12:32.875Z",
    "updatedAt": "2025-06-30T08:12:32.875Z",
    "gateways": [
      {
        "ip": "3x.2xx.2x.2xx",
        "outboundEnabled": true,
        "optionsPingEnabled": true
      }
    ],
    "name": "ANON_PBX",
    "outboundAuthenticationPlan": {
      "authUsername": "REDACTED_USERNAME",
      "sipRegisterPlan": {
        "domain": "example.com",
        "username": "REDACTED_USERNAME",
        "realm": "example.com",
        "publicIpInContactEnabled": true
      }
    },
    "outboundLeadingPlusEnabled": false
  }
]

{
  "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "orgId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "assistantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "number": "+00000000000",
  "createdAt": "2025-06-30T08:13:48.244Z",
  "updatedAt": "2025-06-30T08:15:50.982Z",
  "name": "+00000000000",
  "credentialId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "provider": "byo-phone-number",
  "numberE164CheckEnabled": false,
  "status": "active",
  "providerResourceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "smsEnabled": true
}

Thank you very much.
S. Caballero
Shubham Bajaj, 3mo ago
This kind of configuration for restricting all domains except the one specified is something that must be performed on your SIP trunk. If type=peer isn't working, you can try editing the acl.conf and permit the range of IPs for the domain you are allowing. If you would like some more suggestions, please provide the specific SIP trunk you are using and we can look over some options.
foreign-sapphire (OP), 2mo ago
Good morning,

I believe the instructions you provided may not be entirely correct. Outbound calls from VAPI to my trunk are working as expected, so that flow is fine. The issue arises when I make an outbound call to the number I have configured and assigned to a BYO SIP trunk.

According to your explanation, the configuration of my trunk is affecting VAPI’s behavior, which doesn’t align with my understanding—my trunk’s configuration shouldn’t impact your end. Even so, I have deactivated my trunk, and I’m still able to reach the pseudo number when dialing it, which suggests that the call isn't actually going through my trunk.

Based on the tests I've performed, everything indicates that this could be a bug on your side for this type of number. Could you please review and escalate it if necessary?

Here’s the ID of my number so you can verify it: a9dc5e2e-2bdb-4c9b-9513-5cd07b0xxxxx

Thank you very much.
Shubham Bajaj, 2mo ago
Thanks for providing that info, we will look into it a little further.

This request is taking a little longer than usual but we are still working on it. Thank you for your patience.

I have replied to your email. We can continue the discussion there.
foreign-sapphire (OP), 2mo ago
Good morning, my email is caballero330@gmail.com. You can write to me there, and I'd be happy to help with all the necessary testing, send you SIP traffic captures, and serve as a beta tester.
Shubham Bajaj, 2mo ago
Thanks for providing that email. We will keep in touch.
foreign-sapphire (OP), 3w ago
Good morning Kyle, Could you let me know if you've made any progress on this issue? I haven't tried again. Can you tell me if you've made any adjustments on your end? Thank you very much.
Shubham Bajaj, 3w ago
Hey there, I have some new instructions for you for setting up the SIP trunk. Please review it and let me know if you have any questions:
{
  "provider": "byo-sip-trunk",
  "name": "My SIP Trunk",
  "gateways": [
    {
      "ip": "sip.provider.com",
      "port": 5060,
      "outboundEnabled": true,
      "inboundEnabled": false,
      "outboundProtocol": "udp"
    },
    {
      "ip": "203.0.113.10",
      "port": 5060,
      "outboundEnabled": false,
      "inboundEnabled": true
    }
  ]
}
Basically, you will want to set up two gateways: one for inbound and one for outbound. The outbound one will use a resolved domain name over UDP and the inbound one will use a static IP address. This setup should be the correct configuration for any BYO SIP trunk.
fair-rose, 2w ago
Whose IP address do I put for inbound? Where do I get that?
Shubham Bajaj, 6d ago
The IP address should be of the resolved domain name. If you need an IP from the domain, you can open a terminal and PING the destination which should return an IP address. Alternatively, you could ask the provider for their direct IP address and that will also work.
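
An added example, not part of the thread and not Vapi's own code: a small audit of a byo-sip-trunk credential that lists which gateways are explicitly enabled for inbound and checks a source address taken from a SIP capture against them. It assumes the gateway fields shown in the reply above ("ip", "inboundEnabled") and, as the thread suggests, that inbound calls are expected only from gateways with inboundEnabled set to true; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: the two-gateway layout from the reply above.
TRUNK = {
    "provider": "byo-sip-trunk",
    "name": "My SIP Trunk",
    "gateways": [
        {"ip": "sip.provider.com", "port": 5060, "outboundEnabled": True,
         "inboundEnabled": False, "outboundProtocol": "udp"},
        {"ip": "203.0.113.10", "port": 5060, "outboundEnabled": False,
         "inboundEnabled": True},
    ],
}

def _literal_ip(value):
    """Return an ip_address object, or None when value is a hostname."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def audit_trunk(trunk):
    """Return findings about the trunk's inbound gateway entries."""
    findings, inbound = [], []
    for i, gw in enumerate(trunk.get("gateways", [])):
        label = f"gateway[{i}] {gw.get('ip')}"
        if "inboundEnabled" not in gw:
            # Do not guess the platform default: ask for an explicit value.
            findings.append(f"{label}: inboundEnabled not set explicitly")
        elif gw["inboundEnabled"]:
            inbound.append(gw)
            if _literal_ip(gw.get("ip", "")) is None:
                findings.append(f"{label}: inbound entry is a hostname, not a static IP")
    if not inbound:
        findings.append("no gateway has inboundEnabled=true")
    return findings

def inbound_sources(trunk):
    """Static IPs of gateways explicitly enabled for inbound."""
    ips = (_literal_ip(gw.get("ip", "")) for gw in trunk.get("gateways", [])
           if gw.get("inboundEnabled") is True)
    return {ip for ip in ips if ip is not None}

def source_expected(trunk, src_ip):
    """True if src_ip (e.g. from a SIP capture) matches an inbound gateway."""
    return ipaddress.ip_address(src_ip) in inbound_sources(trunk)
```

Running audit_trunk on a credential shaped like the one posted earlier in the thread (a single gateway with no inboundEnabled field) reports both the missing flag and the absence of any inbound gateway.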
