Overview
You want to lock down your firewall to allow specific IP addresses for your TEAMS-VOIP traffic. This is not recommended as our IP Addresses can and will change as required as the service expands. However you can check the existing addresses and modify your Firewall settings if required.
Firewall settings
You can establish the exact addresses by running the following commands depending on which platform you are on:
Windows:
nslookup -type=txt allips."your providers domain".xx
Linux:
dig +short -t TXT allips."your providers domain".xx
These commands will produce a list of addresses you will need to enter into your Firewall whitelist table.
Other:
You can also use MXToolbox to look these up. You need to be looking for DNS TXT records for allips."your providers domain".xx
PSTN Gateway
If you have previously used Teams Direct Routing then you may have used Powershell commands such as New-CsOnlinePstnGateway to tell Microsoft about your SBC. This will have caused it to display in the Teams Direct Routing Dashboard.
Microsoft have a different model for multi-tenant carriers where the PSTN Gateways are created in the carrier tenant and do not appear in your Office 365 tenant. By adding the domains to your Office 365 tenant it allows your Voice Routes to refer to the PSTN Gateways in the carrier tenant. This means they will not appear in your Teams Direct Routing Dashboard.
There are several reasons that this multi-tenant carrier approach is better:
Microsoft only need one set of SIP OPTIONS pings per SBC rather than the hundreds that would be sent if every customer configured their own PSTN Gateways.
There is no need for you to publish DNS records for the SBC.
This approach uses wildcard SSL certificates, so there is no delay as there is no need to acquire a specific certificate for you.
The carrier can fine-tune the PSTN Gateway settings without needing you to do anything.