

# Architectural guidance for Amazon Connect
<a name="architecture-guidance"></a>

This topic provides guidance and best practices for designing and building reliable, secure, efficient, and cost-effective systems for your Amazon Connect contact center workloads. Using this guidance can help you build stable and efficient workloads, allowing you to focus on innovation, reduce costs, and improve your customer's experience.

This content is intended for chief technology officers (CTOs), architects, developers, and operations team members.

**Topics**
+ [Services to use with Amazon Connect](related-services-amazon-connect.md)
+ [Amazon Connect workload layers](workload-layers.md)
+ [Scenario and deployment approaches](scenario-deployment-approaches.md)
+ [Single Instance or Multiple Instances?](single-instance-multiple-instances.md)
+ [Operational Excellence](operational-excellence.md)
+ [Security for contact centers](security-bp.md)
+ [Load and penetration / security testing](load-and-penetration-testing.md)
+ [Reliability in Amazon Connect](reliability-bp.md)
+ [Performance efficiency for Amazon Connect workloads](performance-efficiency-bp.md)
+ [Cost optimization for Amazon Connect workloads](cost-optimization-bp.md)

# The power of AWS with Amazon Connect
<a name="related-services-amazon-connect"></a>

**This topic is for developers and administrators who are interested in an overview of which other AWS services you can integrate with Amazon Connect.**

The following diagram shows some of the other AWS services you can use with Amazon Connect.

![\[Icons for all the services you can use with Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/connect-overview2.png)


## Development
<a name="development-services"></a>

You can use AWS Lambda functions to either look up or post data to sources outside of Amazon Connect. For example, you can look up an inbound caller on Salesforce based on the customer’s phone number. The function may return such results as the customer name, membership level (for example, frequent flyer), last order, and order status. Then based on that information, the call can be routed to an Amazon Lex bot or an agent. 

You can also use Lambda with AWS databases like DynamoDB to create dynamic routing abilities. For example, you can retrieve a prompt in a specific language, based on input from the customer.

API Gateway and Step Functions further enhance the abilities of Lambda. 

For more information, see:
+ [Grant Amazon Connect access to your AWS Lambda functions](connect-lambda-functions.md)

## Storage
<a name="storage-services"></a>

Amazon Connect uses Amazon Simple Storage Service (Amazon S3) to store recorded conversations and exported reports. When you set up Amazon Connect, it creates default buckets for these requirements, or you can point it to existing Amazon S3 infrastructure. For more information, see [Step 4: Data storage](amazon-connect-instances.md#get-started-data-storage) in [Create an Amazon Connect instance](amazon-connect-instances.md).

VPC endpoints are not supported. 

You can also manage the Amazon S3 policies to move data to Amazon Glacier for less expensive long-term storage. However, doing so breaks the link in the contact record in Amazon Connect. To fix this, use a Lambda function to rename the Amazon Glacier object to match the data in the contact record.

## Database
<a name="database-services"></a>

You can use AWS databases with Amazon Connect for a variety of reasons. For example, with DynamoDB, you can create quick tables of data. 

You can also create tables of dynamic information for call routing. For example, a Lambda function can write inbound calls to a DynamoDB table, then query the table to see if there are other matches for the phone number. If so, a decision can be made to send the caller to the same queue as before, or to flag them as a repeat caller. 

For more information, see:
+ Blog post: [Creating dynamic, personalized experiences in Amazon Connect](https://aws.amazon.com/blogs/contact-center/creating-dynamic-personalized-experiences-in-amazon-connect/)

## Analytics
<a name="analytics-services"></a>

Amazon Connect tracks all interactions using [contact records](about-contact-states.md#ctr-events). Contact records are used for real-time and historical metrics reports. You can also use Amazon Kinesis to stream them to an AWS database like Amazon Redshift or Amazon Athena for BI analysis (using Quick, or a third-party tool such as Tableau). There are AWS CloudFormation templates available to set up this functionality for Amazon Redshift and Athena.

To perform analysis on your flow logs, you can set up an Amazon Kinesis stream to stream your flow log data from CloudWatch to a data warehouse service, such as Amazon Redshift. You can combine the flow log data with other Amazon Connect data in your warehouse, or run queries to identify trends or common issues with a flow.

For more information, see:
+ [Develop live media streaming in Amazon Connect](access-media-stream-data.md)
+ Blog post: [Recovering abandoned calls with Amazon Connect](https://aws.amazon.com/blogs/contact-center/recovering-abandoned-calls-with-amazon-connect/)

## Machine Learning (ML) and Artificial Intelligence (AI)
<a name="ai-services"></a>

Amazon Connect uses the following services for ML/AI: 
+ Amazon Lex—Lets you create a chatbot to use as Interactive Voice Response (IVR). For more information, see [Add an Amazon Lex bot to Amazon Connect](amazon-lex.md). 
+ Amazon Polly—Provides text-to-speech in all flows. For more information, see [Add text-to-speech to prompts in flow blocks in Amazon Polly](text-to-speech.md) and [SSML tags supported by Amazon Connect](supported-ssml-tags.md).
+ Amazon Transcribe—Grabs conversation recordings from Amazon S3, and transcribes them to text so you can review them.
+ Amazon Comprehend—Takes the transcription of recordings, and applies speech analytics machine learning to the call to identify sentiment, keywords, adherence to company policies, and more.

## Messaging services
<a name="messaging-services"></a>

Amazon Connect uses the following services for messaging: 
+ Amazon Pinpoint—Use as an outbound messaging trigger for events; for example, bulk messaging (such as outbound marketing campaigns). For more information, see this blog post: [Using Amazon Pinpoint to send text messages in Amazon Connect](https://aws.amazon.com/blogs/contact-center/using-amazon-pinpoint-to-send-text-messages-in-amazon-connect/).
+ Amazon Simple Notification Service (Amazon SNS)—Use to send and receive SMS and other channel notifications. Amazon SNS is particularly useful for sending alerts and validations. 
+ Amazon Simple Email Service (Amazon SES)—Use to send validation e-mails, such as a password reset bot sending a confirmation of the transaction. 

## Security
<a name="security-services"></a>

Amazon Connect uses the following services for added security: 
+ AWS Identity and Access Management (IAM)—Use to manage permissions for users. Amazon Connect users require permission for services. For more information, see [Identity and access management for Amazon Connect](security-iam.md).
+ Directory Service—Amazon Connect supports user federation through the internal directory (created in the Amazon Connect instance), using Active Directory integration (MAD, ADFS) or SAML 2.0. 

  For more information, see:
  + [Plan your identity management in Amazon Connect](connect-identity-management.md)
  + Blog post: [Enabling federation with AWS Single Sign-On and Amazon Connect](https://aws.amazon.com/blogs/contact-center/enabling-federation-with-aws-single-sign-on-and-amazon-connect/)

## Management
<a name="management-services"></a>

Amazon Connect uses the following services for monitoring usage: 
+ Amazon CloudWatch—Collects logs, service metrics, and performance metrics for Amazon Connect. For more information, see [Monitoring your Amazon Connect instance using CloudWatch](monitoring-cloudwatch.md).
+ AWS CloudTrail—Provides a record of Amazon Connect API calls. 

  For more information about Amazon Connect and AWS CloudTrail, see [Log Amazon Connect API calls with AWS CloudTrail](logging-using-cloudtrail.md).
+ CloudFormation—Amazon Connect supports using CloudFormation for initiating an instance with all the supported channels enabled. For more information, see [AWS::Connect::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-connect-instance.html). 

# Amazon Connect workload layers
<a name="workload-layers"></a>

You can separate Amazon Connect workloads into the following layers: telephony, Amazon Connect interface/API, flows/IVR, agent workstation, and metric and reporting. 

## Telephony
<a name="workload-layers-telephony"></a>

![\[A graphic showing how telephony works for Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/telephony.png)


**Important**  
Toll-free number (TFN) connection to multiple carriers is only available in the US.

Amazon Connect is integrated with multiple telephony providers with redundant dedicated network paths to three or more Availability Zones in every Region where the service is offered today. Capacity, platform resiliency, and scaling are handled as part of the managed service, allowing you to efficiently ramp from 10 to 10,000+ agents without worrying about the management or configuration of underlying platform and telephony infrastructure. Workloads are load balanced across a fleet of telephony media servers, allowing new updates and features to be delivered to you with no downtime required for maintenance or upgrades. If a particular component, data center, or an entire Availability Zone experiences failure, the affected endpoint is taken out of rotation, allowing you to continue to provide a consistent quality experience for your customers.

![\[A graphic showing how telephony works for Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/telephony2.png)


When a voice call is placed to an Amazon Connect instance, the telephony layer is responsible for controlling the endpoint that your customer calls into through their carrier, across the PSTN and into Amazon Connect. This layer represents the audio path established between Amazon Connect and the customer. Through the Amazon Connect interface layer, you can configure things like outbound caller ID, assign flow/IVRs to phone numbers, enable live media streaming, enable call recording, and the ability to claim phone numbers without any prior traditional telephony knowledge or experience. Additionally, when migrating workloads to Amazon Connect, you have the option to port your existing phone numbers by opening a support case in your AWS Management Console. You can also forward your existing phone numbers to numbers that you’ve claimed in your Amazon Connect instance until you are fully migrated.

## Amazon Connect Interface/API
<a name="connectinterface-api"></a>

The Amazon Connect interface layer is the access point that your agents and contact center supervisors and administrators will use to access Amazon Connect components like reporting and metrics, user configuration, call recordings, and the Contact Control Panel (CCP). This is also the layer responsible for:
+ Single Sign-On (SSO) integration user authentication
+ Custom desktop applications created using the [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) API that may provide additional functionality and/or integrate with existing Customer Relationship Management (CRM) systems including the [Amazon Connect Salesforce CTI Adapter](salesforce-integration.md). 
+ Amazon Connect contact-facing chat interface
+ Chat web server hosting the Amazon Connect Chat API
+ Any Amazon API Gateway endpoints and corresponding AWS Lambda functions necessary to route chat contacts to Amazon Connect. 

Anything your agents, managers, supervisors, or contacts use to access, configure, or manage Amazon Connect components from a web browser or API is considered the Amazon Connect interface layer.

![\[A graphic showing Amazon Connect interface and API.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/connectinterface.png)


### Flow / IVR
<a name="contactflowivr"></a>

The Flow/IVR layer is the primary architectural vehicle for Amazon Connect and serves as the point of entry and first line of communication with customers reaching out to your contact center. After a customer contacts your Amazon Connect instance, a flow controls the interaction between Amazon Connect, the contact, and the agent, allowing you to:
+ Dynamically invoke AWS Lambda functions to make API calls.
+ Send real-time IVR and voice data to third-party endpoints through Amazon Kinesis.
+ Access resources inside your VPC and behind your VPN.
+ Call other AWS services like Amazon Pinpoint to send SMS messages from the IVR.
+ Perform data dips to databases like Amazon DynamoDB to service your contacts.
+ Call Amazon Lex directly from the flow to invoke a Lex bot for Natural Language Understanding (NLU) and Automatic Speech Recognition (ASR).
+ Play dynamic and natural Text-to-Speech through Amazon Polly, and use SSML and Neural Text-to-Speech (NTTS) to achieve the most natural and human-like text-to-speech voices possible.

Flows enable you to dynamically prompt contacts, collect and store contact attributes, and route appropriately. You can assign a flow to multiple phone numbers, and manage and configure it through Amazon Connect.

![\[A graphic showing flows and IVR.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/contactflowivr.png)


## Agent workstation
<a name="workload-layers-agent-workstation"></a>

The agent workstation layer is not managed by AWS. It consists of any physical equipment and third-party technologies, services, and endpoints that carry your agent’s voice and data and provide access to the Amazon Connect interface layer. Components in the agent workstation layer include:
+ The Contact Control Panel (CCP) agent hardware
+ Network path
+ Agent headset or handset
+ VDI environment
+ Operating system and web browser
+ Endpoint security
+ All networking components and infrastructure
+ Internet Service Provider (ISP) or Direct Connect dedicated network path to AWS. 
+ All other aspects of your agent’s operating environment including power, facilities, security, and ambient noise. 

![\[A graphic agent workstation.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/agentworkstation.png)


## Metric and reporting
<a name="workload-layers-metric-reporting"></a>

The metric and reporting layer includes the components responsible for delivering, consuming, monitoring, alerting, or processing real-time and historical metrics for your agents, contacts, and contact center. This includes all native and third-party components responsible for facilitating the processing, transmission, storage, retrieval, and visualization of real-time or historical contact center metrics, activity audit, and monitoring data. For example:
+ Call recordings and scheduled reports stored in Amazon Simple Storage Service (Amazon S3).
+ Contact records that you can export to AWS database services like Amazon Redshift or your own on-premises data warehouse with Amazon Kinesis. 
+ Real-time dashboards you create with Amazon OpenSearch Service and Kibana.
+ Generated Amazon CloudWatch metrics that you can use to set alarms based on static thresholds, set up Amazon SNS notifications to alert your administrators and supervisors, or launch AWS Lambda functions in response to an event.

![\[A graphic metrics and reporting.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/metricandreporting.png)


# Scenario and deployment approaches in Amazon Connect
<a name="scenario-deployment-approaches"></a>

Amazon Connect offers self-service configuration and enables dynamic, personal, and natural customer engagement at any scale with a variety of migration and integration options. In this section, we explain the following scenarios and deployment approaches to consider when designing a workload for Amazon Connect:
+ Traditional contact center
+ Inbound
+ Outbound
+ Hybrid contact center
+ Legacy contact center migration
+ Virtual desktop infrastructure (VDI)

## Traditional contact center
<a name="traditional-contact-center"></a>

The traditional contact center requires a significant telephony, media, networking, database, and compute infrastructure footprint that can span multiple vendors and data center locations to service contacts. Each individual solution and vendor has unique hardware, software, networking, and architectural requirements that have to be met while resolving versioning, compatibility, and licensing conflicts.

It is common to have separate vendors and infrastructure requirements for local and remote agent hardware and VPN connectivity, Text-To-Speech (TTS), Automatic Call Distribution (ACD), Interactive Voice Response (IVR), voice audio and data, physical desk phones, voice recording, voice transcriptions, chat, reporting, database, Computer Telephony Integration (CTI), Automatic Speech Recognition (ASR), and Natural Language Processing (NLP). Your contact center architecture and infrastructure becomes more complicated when you consider multi-stage development, quality assurance, and test environments.

![\[Traditional contact center.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/traditionalcontactcenter.png)


A typical Amazon Connect deployment solves or reduces many of the challenges associated with versioning, compatibility, licensing, contact center telephony infrastructure, and maintenance. It gives you the flexibility to create instances in new locations in minutes and migrate components individually, or in parallel, to best meet your individual business objectives. You can use flows for your IVR/ACD, have voice and data delivered through a supported web browser to your agent’s softphone, port your existing phone numbers, redirect softphone audio to an existing desk phone, invoke an Amazon Lex bot natively within your flow for ASR and NLP, and use the same flow for chat and voice. You can use Amazon Connect Contact Lens to automatically generate voice transcriptions, perform key word identification and sentiment analysis, and categorize contacts. For agent CTI data and real-time voice streaming, you can use Amazon Connect Agent Event Streams and Kinesis Video Streams. You can also create multi-stage development, quality assurance, and test environments at no additional cost and only pay for what you use.

## Inbound
<a name="inbound"></a>

Inbound is a contact center term used to describe a communication request initiated by a contact to the center. Contacts can reach your Amazon Connect instance for inbound self-service or to speak with a live agent in a variety of ways, including voice and chat. Voice contacts go through the PSTN and are routed to the Amazon Connect instance telephony entry point through the phone number claimed in your instance. You can reserve a phone number with Amazon Connect directly, port your existing phone number, or forward voice contacts to Amazon Connect. Amazon Connect can provide local and toll-free numbers in all Regions where the service is supported.

![\[A diagram showing an inbound request initiated by a contact to the center.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/inbound.png)


When a phone call is placed to a number claimed in or ported to your Amazon Connect instance, the flow associated with the called number will be invoked. You can define the flow using flow blocks that can be configured with no coding knowledge required. The flow determines how the contact should be processed and routed, optionally prompting the contact for additional information to assist in routing decisions, storing those attributes to the contact details, and, if necessary, routing that contact to an agent with all of the call details and transcripts gathered along the way. Through the flow, you can invoke AWS Lambda functions to query customer information, call other AWS services like Amazon Pinpoint to send SMS text messages, and use native AWS service integrations including Amazon Lex for NLU/NLP and Kinesis Video Streams for real-time streaming of voice calls. 

If an inbound contact needs to reach an agent, the contact is put into a queue and routed to an agent when they change their status to Available, according to your routing configuration. When the available agent’s contact is accepted manually or through auto-accept configuration, Amazon Connect connects the contact with the agent. 

![\[A diagram showing an inbound contact in a queue.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/inbound2.png)


When an inbound contact comes from a browser or mobile app request for a chat session, the request is routed to a web service or Amazon API Gateway endpoint that calls the Amazon Connect chat API to invoke the flow configured in your request. You can use the same flows for chat and voice, where the experience is managed and routed dynamically, based on the logic defined in the flow.

## Outbound
<a name="outbound"></a>

Amazon Connect lets you programmatically make outbound contact attempts to local and international endpoints, reduce agent set-up time between contacts, and improve agent productivity. By using the [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) API and [StartOutboundVoiceContact](https://docs.aws.amazon.com/connect/latest/APIReference/API_StartOutboundVoiceContact.html), you can develop your own outbound solution or take advantage of existing partner integrations that work with your CRM data to create dynamic, personalized experiences for your contacts and empower your agents with the tools and resources they need to service those contacts.

Outbound campaigns are typically driven by contact data exported from CRMs and separated into contact lists. Those contacts are prioritized and either delivered to the agents to initiate after a period of preview or programmatically contacted using the Amazon Connect Outbound API, driven by your flow logic, and connecting to agents as needed. Typical outbound contact center use cases include fraud and service alerts, collections, and appointment confirmations.

## Hybrid
<a name="hybrid"></a>

If you have requirements to transfer contacts between Amazon Connect and legacy contact center technologies, you can use a Hybrid model architecture to pass contact data with the transfer. For example, a sales business unit on a legacy contact center platform may need to transfer a call to the service business unit that’s been migrated to Amazon Connect. Without a Hybrid architecture, call details will be lost and the contact may have to repeat information. This could increase handle times and may result in the contact calling again for the same purpose.

Hybrid architectures require you to claim as many phone numbers as your expected maximum concurrent contacts and an intermediary state database accessible by both Amazon Connect and your legacy contact center platform. When a transfer is required to the other platform, you will use one of these phone numbers as a unique identifier, flag it as in-use in your intermediary database, insert your contact details, and use that number as your ANI or DNIS when you transfer the contact. When the contact is received by the other contact center platform, you will query the intermediary database for the contact details based on the unique ANI or DNIS you used. Hybrid architectures are typically used as an interim migration step because of the additional cost and complexity associated.

### IVR-only
<a name="ivr-only"></a>

You may choose to use Amazon Connect to drive the contact’s IVR experience while your agent population remains on your legacy contact center platform. With this approach, you can use Amazon Connect flows to drive self-service and routing logic, and, if necessary, transfer the contact to the target agent or agent queue on your legacy contact center platform. 

![\[A diagram showing a customer Interactive Voice Response experience.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/hybridivr.png)


In this diagram, the contact dials a phone number claimed in your Amazon Connect instance for service. If they need to be transferred to an agent on your legacy contact center platform, an AWS Lambda function is invoked to query an available unique phone number, flag it as in-use, and write relevant contact details to an intermediary database. The contact is then transferred to the legacy contact center platform with the phone number returned from the Lambda function. The legacy contact center will then perform a query on the intermediary database for the contact details, route accordingly, and reset the contact data in the intermediary database, allowing the phone number to be used again.

### Agent-only
<a name="agent-only"></a>

With this approach, your legacy contact center IVR drives the contact’s IVR self-serve and routing logic, and, if necessary, transfers the contact to Amazon Connect to route to your agent population.

![\[A diagram showing an Agent only experience.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/hybridagentonly.png)


In this diagram, the contact dials a phone number claimed with your legacy contact center platform. If they need to be transferred to an agent on Amazon Connect, the legacy contact center platform will query an available unique phone number, flag it as in-use, and write relevant contact details to an intermediary database. The contact will then be transferred to Amazon Connect with the phone number returned by the legacy contact center’s query. Amazon Connect will then query the contact details from the intermediary database using AWS Lambda, route accordingly, and reset the contact data in the intermediary database, allowing the phone number to be used again.
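The claim, lookup, and reset steps shared by the IVR-only and agent-only diagrams above, as an added example that is not part of the AWS documentation. It uses an in-memory stand-in for the intermediary database (in production this would be a DynamoDB table and each claim a single conditional write); the class and function names, the constructed phone numbers, and the `Intent`/`TargetQueue` flow parameters are assumptions for illustration. It goes one step beyond the text by expiring claims that are never reset, so a dropped transfer cannot leave one caller's details attached to the next call that lands on the same number.

```python
# Added example (not from the AWS documentation): transfer-number pool for the
# Hybrid architecture. In-memory stand-in for the intermediary database; the
# lock plays the role of DynamoDB's ConditionExpression on the claim write.
import threading
import time
from typing import Callable, Dict, List, Optional


class TransferNumberPool:
    """Pool of claimed phone numbers reserved for cross-platform transfers.

    Invariants the intermediary database must enforce:
      * a number is handed to at most one in-flight transfer at a time,
      * contact details are keyed by the number used as ANI/DNIS,
      * a claim that is never reset (call dropped mid-transfer) expires after
        ttl_seconds, so the number returns to the pool without its old details.
    """

    def __init__(self, numbers: List[str], ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock            # injectable for deterministic tests
        self._lock = threading.Lock()  # one claim at a time, like a conditional write
        self._rows: Dict[str, dict] = {
            n: {"in_use": False, "claimed_at": 0.0, "contact": {}} for n in numbers
        }

    def _expired(self, row: dict, now: float) -> bool:
        return row["in_use"] and now - row["claimed_at"] >= self._ttl

    def claim(self, contact_details: dict) -> Optional[str]:
        """Reserve a free or expired number and store the contact details.

        Returns the number to use as ANI/DNIS, or None if the pool is exhausted
        (the flow should then fall back to a transfer without attached details).
        """
        now = self._clock()
        with self._lock:
            for number, row in self._rows.items():
                if not row["in_use"] or self._expired(row, now):
                    row.update(in_use=True, claimed_at=now,
                               contact=dict(contact_details))
                    return number
        return None

    def lookup(self, number: str) -> Optional[dict]:
        """Receiving platform: fetch the details for the ANI/DNIS it saw."""
        with self._lock:
            row = self._rows.get(number)
            if row is None or not row["in_use"] or self._expired(row, self._clock()):
                return None  # unknown or stale claim: never attach old details
            return dict(row["contact"])

    def release(self, number: str) -> bool:
        """Reset the row so the number can be reused for the next transfer."""
        with self._lock:
            row = self._rows.get(number)
            if row is None or not row["in_use"]:
                return False
            row.update(in_use=False, claimed_at=0.0, contact={})
            return True


# Constructed pool; size it to the expected maximum concurrent transfers.
POOL = TransferNumberPool(["+15555550100", "+15555550101", "+15555550102"])


def claim_transfer_number(event: dict, context=None) -> dict:
    """Lambda invoked from the flow right before transferring to the legacy platform.

    Amazon Connect passes contact data under event["Details"]["ContactData"] and
    flow block parameters under event["Details"]["Parameters"], and expects a flat
    object of string values back, which the flow can read as attributes.
    """
    details = event.get("Details", {})
    contact = details.get("ContactData", {})
    params = details.get("Parameters", {})
    record = {
        "ContactId": contact.get("ContactId", ""),
        "CustomerNumber": contact.get("CustomerEndpoint", {}).get("Address", ""),
        "Intent": params.get("Intent", ""),          # assumed flow parameter
        "TargetQueue": params.get("TargetQueue", ""),  # assumed flow parameter
    }
    number = POOL.claim(record)
    if number is None:
        return {"TransferNumber": "", "PoolExhausted": "true"}
    return {"TransferNumber": number, "PoolExhausted": "false"}


def receive_transfer(dnis: str) -> dict:
    """Receiving side (legacy platform, or Amazon Connect via Lambda in the
    agent-only case): look up the contact by the number it arrived on, then
    reset the row so the number goes back into the pool."""
    record = POOL.lookup(dnis)
    if record is None:
        return {}
    POOL.release(dnis)
    return record
```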

### Mixed
<a name="mixed"></a>

In this scenario, you may have your IVR and agents operating in parallel on Amazon Connect and your legacy contact center platform to allow for site, agent group, or line-of-business migrations.

![\[A diagram showing a hybrid Agent only and Interactive Voice Response experience.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/hybridmixed.png)


## Legacy contact center migration
<a name="legacy-contact-center-migration"></a>

When you are evaluating Amazon Connect for new or existing workloads, there are several strategies you can consider. For situations that require contact details to be included when contacts are transferred between Amazon Connect and your legacy contact center solution, a Hybrid model architecture will be required until the migration is complete. The approaches described in this section allow you to move specific lines of business in phases, manage training and support, and mitigate risks associated with change.

### New workload
<a name="new-workload"></a>

You may decrease risk associated with changes to existing business units and increase flexibility and digital innovation potential by adopting a net new workload on Amazon Connect. Net new workloads that do not require the Hybrid model architecture are less complex, are not affected by change in business process or agent routine, and have a faster time to market. Adopting a net new workload allows you to take advantage of usage-based, pay-as-you-go pricing. Your contact center resources are available to create a new experience for their end users, test and implement it to evaluate the platform, gain confidence, and build the skills and operational mechanisms to prepare for larger migration across existing workloads.

### IVR First
<a name="ivr-first"></a>

You may choose to use Amazon Connect to drive the contact’s IVR experience while your agent population remains on your legacy contact center platform. With this approach, you can use Amazon Connect Flows to drive self-service and routing logic, and, if necessary, transfer the contact to the target agent or agent queue on your legacy contact center platform. 

### IVR Last
<a name="ivr-last"></a>

With this approach, your legacy contact center IVR drives the contact’s IVR self-serve and routing logic, and, if necessary, transfers the contact to Amazon Connect to route to your agent population.

### Line of business segmentation
<a name="lob-segmentation"></a>

If your lines of business have separate IVRs or don’t require contact transfers to legacy contact center platforms, you may want to consider a line of business migration approach. For example, selecting your service desk for internal support as your first line of business to migrate. After migrating your service desk IVR and agent population to Amazon Connect, you may choose to forward your existing contact to Amazon Connect, porting the endpoint after testing and business validation is completed. 

### Site or agent group segmentation
<a name="agent-segmentation"></a>

If your contact center has a global footprint, services contacts from multiple countries, or is managed independently by a respective geography or location, you may want to consider a migration approach based on a physical site or geography of agents. Each agent population and/or geography can have its own unique requirements and considerations that may not apply globally. Approaching your migration this way will allow each site or agent group to gain the skills they need to continue to operate independently before moving onto the next.

## Virtual desktop infrastructure (VDI)
<a name="vdi"></a>

While you can use the Amazon Connect Contact Control Panel (CCP) within Virtual Desktop Infrastructure (VDI) environments, it will add another layer of complexity to your solution that warrants separate POC efforts and performance testing to optimize. The configuration, support, and optimization are best handled by your VDI support team, and the following deployment models are the most commonly implemented.

### VDI client with local browser access
<a name="vdi-with-browser"></a>

You can build a custom CCP with the [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) API by creating a CCP with no media for call signaling. This way, the media is handled on the local desktop using standard CCP, and the signaling and call controls are handled on the remote connection with the CCP with no media. The following diagram describes this approach.

![\[VDI client with local browser access.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/vdi.png)


### Citrix VDI with Amazon Connect audio optimization
<a name="vdi-citrix"></a>

If you use a Citrix Virtual Desktop Infrastructure (VDI) environment, you can build a custom CCP with the Amazon Connect RTC JavaScript library, which integrates with the Citrix Unified Communications SDK (ucsdk) and automatically redirects the media from your local desktop to Amazon Connect. This enables your agents to use Citrix VDI client applications, such as Citrix Workspaces, to connect to their custom agent applications or custom CCPs. This removes the need to develop and manage a separate agent application, like dual-CCPs, for audio media redirection in your Citrix environments. The following diagram describes that approach:

![\[Amazon Connect media workflow for Citrix VDI environments.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/vdi-citrix.png)


**Note**  
This solution requires you to allow WebRTC signaling traffic between your VDI server and Amazon Connect, and the media connection between the agent’s desktop and Amazon Connect. For more information, see the [Set up your network to use the Amazon Connect Contact Control Panel (CCP)](ccp-networking.md) documentation.

### Amazon WorkSpaces VDI with Amazon Connect audio optimization
<a name="vdi-amazon-workspaces"></a>

If you use Amazon WorkSpaces, a Virtual Desktop Infrastructure (VDI) environment, you can create a customized Contact Control Panel (CCP) with the Amazon Connect Real-Time Communications (RTC) JavaScript library. This library integrates with the Amazon WorkSpaces SDK, enabling automatic media redirection from your local desktop to Amazon Connect. This eliminates the need to develop and manage a separate agent application, such as dual CCPs, specifically for audio media redirection in your WorkSpaces environments. The following diagram illustrates this approach.

![\[Amazon Connect and Workspaces environment.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/vdi-connect.png)


### Omnissa VDI with Amazon Connect audio optimization
<a name="vdi-omnissa"></a>

The Omnissa Virtual Desktop Infrastructure (VDI) solution enables a streamlined integration with Amazon Connect through the implementation of a custom Contact Control Panel (CCP). 

By using the Amazon Connect RTC JavaScript library together with Omnissa's Horizon WebRTC SDK, audio processing is optimized by redirecting media streams directly from the agent's local endpoint to Amazon Connect. This architecture eliminates the traditional challenges of routing audio through virtual desktops, providing agents with a better voice experience while using their Omnissa VDI environment. The solution removes the complexity of managing separate audio redirection applications, offering a single, unified interface for agent interactions. The following diagram illustrates this architectural approach.

![\[Amazon Connect and Omnissa environment.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/omnissa-6.png)


### VDI client without local browser access
<a name="vdi-without-browser"></a>

Sometimes the VDI client does not have access to a local browser. In this scenario, you can create a single CCP instance with media running from the VDI server, allowing access to enterprise resources. For this deployment model, UDP audio is usually enabled on the VDI OS. This deployment model requires extensive testing to calibrate the different VDI server parameters to optimize quality of experience:

![\[VDI client without local browser access.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/vdinobrowser.png)


# Amazon Connect: Single Instance or Multiple Instances?
<a name="single-instance-multiple-instances"></a>

## Single instance of Amazon Connect (including a single Amazon Connect Global Resiliency (ACGR) pair)
<a name="single-instance-connect"></a>

### Best For
<a name="single-instance-best-for"></a>

A centralized contact center operation with shared infrastructure and unified customer experience.

### Pros
<a name="single-instance-pros"></a>
+ **Lower operational overhead** – Manage/maintain single system, less duplication of setup/config.
+ **Centralized management** – Unified metrics, reporting, queues, routing profiles, users, etc.
+ **Consistent customer experience** – Common IVR, flows, and settings across teams.

### Cons
<a name="single-instance-cons"></a>
+ **Data/tenant isolation design** – Data isolation across business units, brands, or regions must be designed.
+ **Single Geographic Location** – Latency can be high in regions far away from the instance.
+ **Service Quota Management** – Service quota management can be more challenging due to difficulty in anticipating usage and growth across multiple business units.

## Multiple instances of Amazon Connect
<a name="multiple-instances-connect"></a>

### Best For
<a name="multiple-instances-best-for"></a>

Enterprises with geographic, regulatory, or security requirements that are infeasible to implement in a single Region (telephony, data segregation, latency due to physical distance, etc.).

### Pros
<a name="multiple-instances-pros"></a>
+ **Strong isolation** – Each BU or region can have its own agents, routing, reporting. Isolation is required for agents in India, South Korea, and South Africa.
+ **Tailored configurations** – Flows, prompts, integrations can be customized per instance.
+ **Simpler data residency** – Can be useful for compliance in multinational organizations.
+ **Reduced blast radius** – An issue in one instance doesn't affect others.
+ **Geographic proximity** – Regions can be chosen to keep local telephony traffic local.

### Cons
<a name="multiple-instances-cons"></a>
+ **Higher management overhead** – Need to maintain and update multiple environments.
+ **Fragmented reporting** – Multi-region reporting currently needs to be built.
+ **Increased costs** – Each instance may require duplicate resources (Lambda, Amazon Lex, API).
+ **Inconsistent user experience** – Unless strictly governed, each instance may drift in flow design, customer experience, customer security models, etc.

## Summary
<a name="single-multiple-instances-summary"></a>

The decision between a single-instance and a multiple-instance architecture is nuanced and highly dependent on the nature of the customer's requirements. Considering the scalability, customizability, programmability, and security of Amazon Connect, we generally recommend single-instance Amazon Connect architectures (including a single Amazon Connect Global Resiliency pair) in the absence of compelling requirements for multiple Regions.

# Operational excellence in Amazon Connect workloads
<a name="operational-excellence"></a>

Operational excellence includes the ability to run and monitor systems to deliver business value and continually improve supporting processes and procedures. This section consists of design principles, best practices, and questions surrounding the operational excellence of Amazon Connect workloads.

## Prepare
<a name="prepare"></a>

Consider the following areas to prepare for an Amazon Connect workload.

### AWS account
<a name="awsaccount"></a>

With AWS Organizations, you can set up multiple AWS accounts for each level of your development, staging, and quality assurance environments. This allows you to centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. This is the starting point for consuming AWS services along with a cloud adoption framework. 

### Region selection
<a name="regionselection"></a>

Amazon Connect Region selection is contingent upon data governance requirements, use case, services available in each Region, telephony costs in each region, and latency in relation to your agents, contacts, and external transfer endpoint geography.

### Telephony
<a name="telephony-bp"></a>
+ **Phone number porting** – Open a porting request as far in advance of your pending go-live date as possible. 

  When porting phone numbers for critical workloads, include all requirements and use case information in your claim/port request several months before the go-live date. This includes requests for live cutover support; communication prior to, during, and after cutover; monitoring; and anything else specific to your use case. 

  For detailed information about porting your numbers, see [Port a current phone number to Amazon Connect](port-phone-number.md).
+ **Carrier diversity** – In the US, you should use Amazon Connect telephony services for US toll-free numbers, allowing you to route toll-free traffic across multiple suppliers in an active-active fashion at no additional charge. In situations where you are forwarding inbound traffic to an Amazon Connect phone number, you should request redundant DID or toll-free numbers across multiple telephony providers. If you are claiming or porting multiple DID or toll-free numbers outside of the US, you should request that those numbers be claimed or ported to a variety of telephony providers for increased resiliency.
+ **International toll-free and high-concurrency DIDs** – If you are using an existing toll-free national service to redirect inbound traffic to DIDs, you should request DID phone numbers across multiple telephony providers. A general recommendation for this configuration is 100 sessions per DID; your AWS Solutions Architect can help with capacity calculations and setup.
+ **Testing** – Thoroughly test all use case scenarios, preferably using the same or a similar environment as your agents and customers. Test several inbound and outbound scenarios for quality of experience and Caller ID functionality, and measure latency to ensure it falls within an acceptable range for your use case. Any deviations from your target agent and customer environments need to be measured and accounted for. For more information, including use case testing instructions and criteria, see [Troubleshooting Issues with the Contact Control Panel (CCP)](troubleshooting.md).

### Agent workstation
<a name="agent-ws"></a>

The Amazon Connect Contact Control Panel (CCP) has specific network and hardware requirements that must be met to ensure the highest quality of service for your agents and contacts:
+ Set up your network for CCP use and ensure that your agent hardware meets the minimum requirements.
+ Run the Amazon Connect Check Connectivity Tool on the same network segment as your agents to verify that your network and environment are configured correctly for CCP use.
+ Calculate PSTN latency for use cases that require agents and contacts to be in geographically distant locations.
+ Review the [Troubleshooting Issues with the Contact Control Panel (CCP)](troubleshooting.md) section to create runbooks and playbooks for your agents and supervisors to follow should they encounter issues. 
+ Set up monitoring for your agent workstations and consider partner solutions for call quality monitoring. Your goal with monitoring your agent workstations should be the ability to identify the source of any potential network and resource contention. For example, consider a typical agent’s softphone network connection path to Amazon Connect:  
![\[Agent workstation monitoring.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/agentworkstation-oe.png)

  Without setting up monitoring at the local LAN/WAN, path to AWS, and agent workstation levels, it’s difficult and often impossible to determine if a voice quality issue is originating from your agent’s workstation, their private LAN/WAN, ISP, AWS, or the contact itself. Setting up logging and alerting mechanisms proactively is critical in determining root cause and optimizing your environment for voice quality.

### Configure your existing directory
<a name="configure-directory"></a>

If you are already using an AWS Directory Service directory to manage users, you can use the same directory to manage user accounts in Amazon Connect. This must be decided and configured when you create your Amazon Connect instance. You cannot change the identity option you select after you create the instance. For example, if you decide to change the directory you selected in order to enable Single Sign-On (SSO) for your instance, your only option is to delete the instance and create a new one. When you delete an instance, you lose all configuration settings and metrics data for it.

### Service Quotas
<a name="service-quotas-bp"></a>

Review the default service quotas for each service involved in your workload as well as the default service quotas for Amazon Connect and request increases where applicable. When requesting an increase for Amazon Connect, be sure to use expected values without additional padding for fluctuations. Fluctuations are considered automatically when you make your request.

### AWS Enterprise support
<a name="enterprise-support-bp"></a>

AWS Enterprise Support is recommended for business and/or mission-critical workloads on AWS. Both Enterprise Support and Well-Architected Review with an AWS Solutions Architect are required to qualify for the Amazon Connect Service Level Agreement. 

### AWS well-architected review
<a name="well-architected-review-bp"></a>

Before any migration or implementation to Amazon Connect, follow our best practices by using the AWS Well-Architected Framework, Operational Excellence. The Framework provides a consistent approach for you to evaluate architectures and implement designs that will scale over time based on five pillars — operational excellence, security, reliability, performance efficiency, and cost optimization. We also recommend using AWS Enterprise Support for business and mission-critical workloads in AWS. Both Enterprise Support and Well-Architected Review with your AWS Solutions Architect are required to qualify for the Amazon Connect Service Level Agreement. 

## Operate
<a name="operate-bp"></a>

Consider the following areas to operate an Amazon Connect workload.

### Logging and monitoring
<a name="logging-monitoring-bp"></a>

See [Monitoring your Amazon Connect instance using CloudWatch](monitoring-cloudwatch.md) and [Log Amazon Connect API calls with AWS CloudTrail](logging-using-cloudtrail.md). 

### Contact attributes
<a name="contactattributes-bp"></a>

Amazon Connect allows you to dynamically set and reference contact attributes within flows. You can use them to create dynamic and personalized experiences for your contacts, build self-service applications and data-driven IVRs, integrate with other AWS services, simplify phone number management, and support custom real-time and historical reporting and analytics. The following are best practices and considerations you can follow to reduce complexity, prevent data loss, and ensure a consistent quality of experience for your contacts.

Note the following considerations:
+ Data size – The total size of the contact attributes you can set in a Set contact attributes block is limited to 32 KB; how much text fits within that limit varies depending on the charset, encoding, and language used. While 32 KB is generally enough data to play a short story to a contact, it is possible to exceed this limit, and any attribute data set beyond 32 KB is truncated. 
+ Data sensitivity – Note if any attributes being set, queried, and referenced are sensitive or fall under any regulatory guidelines and ensure that the data is being treated appropriately for your use case. 
+ Data persistence – Any attributes set using the Set contact attributes block will be included in the contact record for your contact and available for screen pop to any custom agent desktop using the Streams API. Any time the attribute is referenced within your flow and logging is enabled for the flow, the name and value of the attribute will be logged to Amazon CloudWatch.

**Best practices**
+ Monitor usage – As you implement new functionality, onboard new business units, and iterate on existing flows, look up your current attribute usage in contact search, copy the attributes to a text editor, add the new attributes, and ensure that you do not exceed the 32 KB size limitation. Be sure to account for variable-length fields like firstName and lastName, and ensure that you are still below the 32 KB limitation even when the maximum space is used in a field.
+ Clean-up – If data persistence isn’t required, you can set an attribute with the same name and a blank value to prevent the data from being stored to the contact record or passed in a screen pop to an agent using the [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) API while freeing up the bytes that data would have otherwise used in the contact record. 
+ Sensitive data – Use the **Store customer input** block to collect sensitive DTMF input from your contacts and use envelope encryption to protect both the raw data and the data keys used to encrypt them. Store sensitive data in a separate database where persistence is required, use the **Set logging behavior** flow block to disable logging whenever sensitive information is referenced, and remove, clean up, or obfuscate sensitive data using the **Set contact attributes** block Clean-up method outlined previously. For more information, see [Compliance validation in Amazon Connect](compliance-validation.md). 

### Telephony
<a name="telephony-bp"></a>

In the US, use toll-free phone numbers wherever possible to load balance across multiple carriers for additional route and carrier redundancy. This also helps to decrease time to resolution when compared to DID phone numbers, which must be managed by a single carrier. In situations where you use DIDs, load balance across numbers from multiple carriers, when possible, to increase reliability. Make sure that you handle all error paths in your flow appropriately, and implement the best practices, requirements, and recommendations located in [Troubleshooting Issues with the Contact Control Panel (CCP)](troubleshooting.md). 

If you’re forwarding your existing telephony provider’s phone numbers to Amazon Connect, ensure that the process to change the forward destination to an alternative DID/toll-free number or otherwise remove the forward is defined and well-understood by your operations team. Ensure that you have Runbooks and Playbooks specifically for production readiness assessments, phone number porting and forwarding processes, and troubleshooting audio issues that could arise when transferring calls from your existing telephony provider. You also want a repeatable process that your operations team can follow to determine if the source of these audio issues is Amazon Connect or your existing telephony provider.

### Amazon Connect APIs
<a name="apis-bp"></a>

Amazon Connect throttling quotas are by account, and not instance. You should consider the following best practices when working with Amazon Connect APIs: 

#### Implement a caching/queuing solution
<a name="queuingsolution"></a>

To decrease API data query overhead and avoid throttling, you can use an intermediary database like Amazon DynamoDB to store API call results rather than calling the API from all endpoints interested in the API data. For example, the following diagram represents the use of the Amazon Connect metric API from multiple sources that need to consume this information:

![\[Implement a caching and queuing solution.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/amazonconnectapis-oe.png)


Rather than having separate AWS Lambda functions, each with their own polling requirements, you can have a single AWS Lambda function write all interesting data to Amazon DynamoDB. Rather than having each endpoint go to the API directly to retrieve the data, they point to DynamoDB, as illustrated in the following diagram:

![\[A diagram showing endpoints pointing to DynamoDB instead of retrieving data from the API.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/amazonconnectapis2-oe.png)


This architecture allows you to change polling intervals and add endpoints, as needed, without worrying about exceeding service quotas, giving you the ability to scale to however many concurrent connections your database solution supports. You can use this same concept when querying any real-time data feeds from Amazon Connect. For situations where you need to perform an API action, like an outbound API call, you can use this same concept in combination with Amazon Simple Queue Service to queue the API requests and process them using AWS Lambda with SQS.

#### Exponential back off and retry strategies
<a name="retrystrategies"></a>

You can run into situations where API throttling limits get exceeded. This can happen when the API calls fail and are retried repeatedly or made directly from multiple concurrent endpoints without a caching or queuing solution implemented. To avoid exceeding your service quotas and impacting downstream processes, you should consider using exponential back off and retry strategies within your AWS Lambda functions in combination with caching and queueing.
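The caching layer described under "Implement a caching/queuing solution" and the backoff-and-retry strategy above, combined in one added example that is not Amazon Connect or AWS SDK code. The throttled "API" and the in-memory cache are constructed stand-ins for a Connect metrics call and the DynamoDB table a single polling Lambda would populate; a real call would use boto3 and surface throttling as a `ClientError` with code `ThrottlingException`.

```python
"""Cache in front of a rate-limited API, plus exponential backoff with full jitter.

Added example with constructed stand-ins; not Amazon Connect or boto3 code.
"""
import random
import time
from typing import Any, Callable, Dict, List


class ThrottlingException(Exception):
    """Stand-in for the throttling error an AWS API returns when quotas are exceeded."""


def backoff_delay(attempt: int, base: float = 0.1, cap: float = 5.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Delay before retry number `attempt` (0-based): exponential growth capped at
    `cap`, scaled by 'full jitter' so many retrying clients do not retry in lockstep."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_backoff(fn: Callable[[], Any], max_attempts: int = 5, base: float = 0.1,
                      cap: float = 5.0, sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random) -> Any:
    """Call fn(); on ThrottlingException wait with backoff and retry, up to max_attempts.
    Only throttling is retried; any other error propagates immediately."""
    for attempt in range(max_attempts):
        try:
            return fn()
        except ThrottlingException:
            if attempt == max_attempts - 1:
                raise  # give up: the caller decides whether to drop or queue the request
            sleep(backoff_delay(attempt, base, cap, rng))


class MetricCache:
    """One poller refreshes the cached value at most once per `ttl` seconds; any
    number of consumers read from the cache instead of calling the API themselves."""

    def __init__(self, fetch: Callable[[], Any], ttl: float,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep,
                 rng: Callable[[], float] = random.random):
        self._fetch, self._ttl, self._clock, self._sleep, self._rng = fetch, ttl, clock, sleep, rng
        self._value = None
        self._expires_at = 0.0
        self.refreshes = 0  # successful upstream round trips (retries not counted)

    def get(self) -> Any:
        now = self._clock()
        if self._value is None or now >= self._expires_at:
            self._value = call_with_backoff(self._fetch, sleep=self._sleep, rng=self._rng)
            self._expires_at = now + self._ttl
            self.refreshes += 1
        return self._value


class SimulatedConnectMetricsApi:
    """Constructed stand-in: throttles the first `throttle_first` calls, then answers."""

    def __init__(self, throttle_first: int = 2):
        self.calls = 0
        self.throttle_first = throttle_first

    def get_current_metric_data(self) -> Dict[str, int]:
        self.calls += 1
        if self.calls <= self.throttle_first:
            raise ThrottlingException("Rate exceeded")
        return {"AGENTS_AVAILABLE": 12, "CONTACTS_IN_QUEUE": 3}  # constructed sample data


def run_demo(consumers: int = 10, ttl: float = 5.0) -> Dict[str, Any]:
    """Several consumers read metrics through the cache; the first fill is throttled
    twice and recovers via backoff; after the TTL elapses exactly one refresh follows."""
    api = SimulatedConnectMetricsApi(throttle_first=2)
    clock = [0.0]                # fake monotonic clock, advanced by hand
    sleeps: List[float] = []     # recorded instead of actually sleeping
    cache = MetricCache(api.get_current_metric_data, ttl, clock=lambda: clock[0],
                        sleep=sleeps.append, rng=lambda: 0.5)  # deterministic jitter for the demo
    values = [cache.get() for _ in range(consumers)]
    clock[0] += ttl + 1          # TTL expires
    cache.get()
    return {"api_calls": api.calls, "refreshes": cache.refreshes, "sleeps": sleeps, "values": values}


if __name__ == "__main__":
    print(run_demo())
```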

### Change management
<a name="changemanagement"></a>

Two of the primary drivers for moving workloads to the Amazon Connect are flexibility and speed to market. To ensure operational excellence without sacrificing agility, follow these best practices: 
+ **Modular flows**: Flows in Amazon Connect are similar to modern application building where smaller, purpose-built components allow for more flexibility, control, and ease of management when compared to monolithic alternatives. You can make your flows small and re-usable, combining the modular flows into an end-to-end experience with **Transfer to flow** blocks. This approach allows you to reduce risk during change implementation, allow you to test single, smaller changes rather than regression testing the entire experience, and will make it easier to identify and address issues with your flows during testing. 
+ **Repositories**: Back up all versions of all ﬂows to a repository of your choice using contact ﬂow Import/Export as part of your change management process. 
+ **Distribute by percentage**: To reduce risk encountered during change management and experiment with new experiences for your contacts, you can use the **Distribute by percentage** block to route a subset of your traffic to new flows while leaving the other traffic on the original experience. 
+ **Measuring results**: Data driven decision making is key to successfully driving meaningful changes for your business. Having a key metric to measure your changes against is absolutely necessary. For all changes you’re making, you need to plan for how you will measure success. For example, if you’re implementing self-service functionality for your contacts, what percentage of contacts do you expect to self-serve to consider the workload successful or what other metrics are you measuring to determine success? 
+ **Rollbacks**: Ensure that there is a clear, well-defined, and well-understood process to back out any changes to the previous state, specific to the change performed. For example, if you publish a new flow version, ensure that the change instructions include documentation on how to roll back to the previous flow version. 

### Routing profiles
<a name="routingprofiles"></a>

Understanding how priority, delay, and overflow routing work within Amazon Connect is critical to maximizing agent productivity, reducing contact wait times, and ensuring the best quality of experience for your contacts. 

### Routing in Amazon Connect
<a name="routing-bp"></a>

Contact routing in Amazon Connect is done through a collection of queues and routing configurations called a routing profile. A queue is equivalent to a skill or proficiency that an agent needs to possess to service contacts for that queue. A routing profile can be viewed as a set of skills that you can match to your contact's needs.

Within your flow, you can prompt for additional information and, if they need to reach an agent, you can use the flow configuration to place them in the appropriate queue. In the following example, Savings, Checking, and Loans are individual queues or skills and the three routing profiles are unique skillsets, or groups of skills:

![\[Routing by groups of queues.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/routingprofile1.png)


Each agent is assigned to only one routing profile based on their skillset, and many agents with a similar skillset can share the same routing profile:

![\[Routing by skillset.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/routingprofile2.png)


Each phone number or chat endpoint will be associated with one flow. The flow executes its logic, which may involve prompting the customer for information, to determine the contact’s needs, and eventually routes the contact into an appropriate queue. The following diagram depicts how routing profile, queue, and flow work together to service a contact:

![\[Routing diagram showing how a routing profile, queue, and flow work together to service a contact.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/routingprofile3.png)


To illustrate how you might determine various queues, routing profiles, and agent assignments to the routing profiles, consider the following table: 

![\[Routing by groups of queues.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/routingprofile4.png)


On the top row, you've identified your skills or queues. In the left column, you have your list of agents, and in the middle, you've checked the skills supported by each of the agents. You can sort the matrix grouped by the common set of skill requirements across your agent population. This helps identify the routing profiles, such as the one marked in the green box (which consists of two queues), that you can assign agents to. As a result of this exercise, you have identified four routing profiles and can assign your 13 agents to them accordingly.

Based on the previous table, an incoming call from a contact needing the Savings skill could be served by three groups of agents in the three routing profiles 1, 2, and 4 as depicted in the following diagram:

![\[Routing by groups of queues.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/routingprofile5.png)


### Priority and delay
<a name="prioritydelay-bp"></a>

Using the combination of priority and delay in different Routing Profiles, you can create flexible routing strategies. 

![\[A diagram showing priority and delay in a Routing Profiles to create a routing strategy.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/priorityandelay.png)


The preceding routing profile example shows a set of queues and their respective priority and delay. The lower the number, the higher the priority. All higher-priority calls must be processed before a lower-priority call will be processed. This differs from systems that eventually process lower-priority calls based on a weighting factor.

You can also add a delay to each of the queues within each of the routing profiles. Any call coming into the queue will be held for the specified period of delay assigned to the designated queue. The call will be held for the delay period, even when agents are available. You might use this in situations where you have a group of agents who are reserved to help you meet your Service Level Agreements (SLAs), but are otherwise assigned to other tasks or queues. If a call doesn’t get answered within a specified period of time, these agents would become eligible to receive a call from the designated queue. For example, consider the following diagram:

![\[A diagram showing the Savings queue routing a call to an available agent.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/priorityandelay2.png)


This diagram shows an SLA of 30 seconds. A call comes in for the Savings queue. The Savings queue immediately looks for an agent in the "Savings" routing profile because that profile configures a delay of 0 for the queue. Because the Senior Agents profile configures a delay of 15 for the queue, those agents are not eligible to receive the Savings contact for 15 seconds. After 15 seconds elapse, the contact becomes available to a Senior Level agent and Amazon Connect looks for the longest-available agent across both routing profiles.
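The skill-matrix exercise from "Routing in Amazon Connect" and the priority/delay behaviour above, as one added example with constructed data (agent names, skill matrix, and profile settings are made up); it models the behaviour described and is not Amazon Connect code. The Senior Agents profile here also gives Savings a lower priority than Loans, to show that priority is strict rather than weighted.

```python
"""Routing profiles as sets of queues (skills) derived from an agent/skill matrix,
and contact selection under strict priority plus per-queue delay.

Added example with constructed data; not Amazon Connect code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# --- Routing profile derivation from a skill matrix (the table exercise) ---

# Constructed matrix: agent -> queues (skills) the agent can service.
SKILL_MATRIX: Dict[str, List[str]] = {
    "ana": ["Savings"], "ben": ["Savings"],
    "cai": ["Savings", "Checking"], "dee": ["Savings", "Checking"],
    "eli": ["Loans"], "fay": ["Savings", "Checking", "Loans"],
}


def derive_routing_profiles(matrix: Dict[str, List[str]]) -> Dict[FrozenSet[str], List[str]]:
    """Agents with an identical set of skills share one routing profile, keyed by that set."""
    profiles: Dict[FrozenSet[str], List[str]] = defaultdict(list)
    for agent, skills in matrix.items():
        profiles[frozenset(skills)].append(agent)
    return dict(profiles)


def profiles_serving(profiles: Dict[FrozenSet[str], List[str]], queue: str) -> List[FrozenSet[str]]:
    """Every routing profile whose queue set contains `queue` can take contacts from it."""
    return [skills for skills in profiles if queue in skills]


# --- Priority and delay within a routing profile ---

@dataclass(frozen=True)
class QueueSetting:
    priority: int  # lower number = served first, strictly (no weighting)
    delay: int     # seconds a contact must have waited before this profile may take it


@dataclass(frozen=True)
class QueuedContact:
    contact_id: str
    queue: str
    waited: int    # seconds the contact has been in queue so far


RoutingProfile = Dict[str, QueueSetting]

# Constructed profiles for the SLA scenario: Savings agents take Savings contacts at once;
# Senior Agents answer Loans immediately but are held back from Savings for 15 seconds.
SAVINGS_AGENTS: RoutingProfile = {"Savings": QueueSetting(priority=1, delay=0)}
SENIOR_AGENTS: RoutingProfile = {"Loans": QueueSetting(priority=1, delay=0),
                                 "Savings": QueueSetting(priority=2, delay=15)}


def eligible_contacts(profile: RoutingProfile, queued: List[QueuedContact]) -> List[QueuedContact]:
    """Contacts an available agent on this profile may take now: queue is in the
    profile and the queue's delay has elapsed for that contact."""
    return [c for c in queued if c.queue in profile and c.waited >= profile[c.queue].delay]


def next_contact(profile: RoutingProfile, queued: List[QueuedContact]) -> Optional[QueuedContact]:
    """Strict priority: the lowest priority number wins outright; within one priority,
    the longest-waiting contact goes first. A lower-priority contact is never chosen
    while any higher-priority contact is eligible, however long it has waited."""
    candidates = eligible_contacts(profile, queued)
    if not candidates:
        return None
    return min(candidates, key=lambda c: (profile[c.queue].priority, -c.waited))


def profiles_eligible_for(contact: QueuedContact, profiles: Dict[str, RoutingProfile]) -> List[str]:
    """Names of the routing profiles whose agents may take `contact` at its current wait time."""
    return [name for name, p in profiles.items() if eligible_contacts(p, [contact])]


if __name__ == "__main__":
    both = {"Savings agents": SAVINGS_AGENTS, "Senior agents": SENIOR_AGENTS}
    for waited in (0, 15):
        print(waited, profiles_eligible_for(QueuedContact("c1", "Savings", waited), both))
```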

### Path to service
<a name="pathtoservice-bp"></a>

When you are designing customer experiences in Amazon Connect, plan to ensure a path to service. There are many planned and unplanned events that can impact the customer experience as they traverse through Amazon Connect Flows. The following sample customer experience shows some suggested checks to ensure a consistent quality experience for your contacts:

![\[Diagram showing a Path to service to respond to unplanned events that could affect customer service.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/pathtoservice.png)


This sample customer experience takes into account planned events such as Holidays and Business hours as well as unplanned events, like agents not staffed during business hours. With this logic, you can also account for emergency situations, such as contact center closures because of inclement weather or service disruptions. Consider the following concepts as illustrated in the diagram:
+ **Self-service**: In a typical IVR, you can include any greetings and disclaimer messages such as call recording announcements upfront, which can be followed by self-service options. Self-service brings cost and performance optimizations for your contact center and enables your organization to serve customers 24x7, regardless of holidays, business hours, or availability of agents. Always include a path to service in case customers are unable to self-serve and need human assistance. For example, if you are using Amazon Lex bots for self-service, you can make use of fallback intents to escalate conversations for human assistance. 
+ **Holidays**: Many enterprise customers have a central repository that holds corporate holidays. You can use an AWS Lambda function to data dip into that repository and offer holiday treatment to customers. Additionally, you can also store corporate holidays in DynamoDB along with a custom message for each holiday. For example, if your enterprise observes December 25 as Christmas, you could have a holiday prompt or Text to Speech, "We are currently closed for Christmas. Please call back on December 26 when our normal business hours will resume."  
![\[A diagram showing how Amazon Connect uses AWS Lambda and DynamoDB to play messages to customers.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/holidays.png)
+ **Business hours**: After holidays have been verified, you can check for business hours and, if outside of business hours, you can change the experience dynamically for your contacts. If the contact occurs during business hours, you can identify customer intent for calls and map to certain queues in your contact center, increasing the likelihood of getting to the correct agent, and decreasing the amount of time it takes your contact to reach service. It is highly recommended to map defaults as customers could be calling for a reason you haven’t accounted for yet or may respond in a way you don’t expect.
+ **Emergency messages**: After you have identified the customer's intent for the call, it is suggested to implement an emergency check treatment. In the event of an emergency situation that impacts your contact center, you can store an emergency True/False flag in an intermediary database like DynamoDB. To allow your supervisors and administrators to set this flag dynamically, with no code, you can build a separate IVR, for internal use only, that authenticates your Amazon Connect administrators based upon ANI and PIN verification. In an emergency, your supervisors can call that dedicated line from their phones and, after authentication, set the Emergency flag to true for scenarios such as a contact center closure due to inclement weather or an ISP outage at the physical location of the contact center.
+ **Emergency message API**: You can also consider building an Amazon API Gateway API with an AWS Lambda function at the back end to set the Emergency flag to true/false securely in the database. Your supervisors can securely access that API through the web to toggle disaster mode, or it can be toggled dynamically in response to an external event. In your Amazon Connect instance, every contact that comes in through the flow uses AWS Lambda to check for that emergency flag and, in disaster mode, you can dynamically make announcements and provide the customer with a path to service. This further ensures business continuity and mitigates the impact of such situations on your customers.
+ **Check agent staffing**: Before transferring to the queue in your flow, you can check agent staffing to ensure that an agent is logged in to service the contact. For example, you may have an agent busy servicing another contact who might become available in the next five minutes, or you may not have anyone logged into the system at all. In these instances, you may prefer a different customer experience rather than making contacts wait in the queue for an agent to become available. 
+ **Route to service**: When you transfer the call to the queue, you can offer queued callbacks, queue overflows, or tiered routing using Amazon Connect routing profiles to offer a consistent, high-quality experience for your callers that meet your Service Level requirements.
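The emergency flag pattern from the two bullets above, as an added example that is not code from the Amazon Connect documentation: one Lambda reads the flag for the flow, another sits behind an API Gateway route and toggles it. It assumes a DynamoDB table named by a hypothetical `EMERGENCY_TABLE` environment variable with a string partition key `flagName`, an authorizer attached to the API route, and a hypothetical `contact-center-supervisors` group claim; the table object is injectable so the logic runs without AWS credentials.

```python
"""Emergency-mode flag for Amazon Connect flows, backed by DynamoDB.

Added example, not code from the Amazon Connect documentation. Assumes a
DynamoDB table named in the EMERGENCY_TABLE environment variable (hypothetical)
with a string partition key "flagName", and an API Gateway route with an
authorizer in front of set_emergency_handler.
"""
import json
import os
import time
from typing import Any, Dict, List, Optional

FLAG_NAME = "emergency"                       # the single flag item (assumption)
ALLOWED_GROUP = "contact-center-supervisors"  # hypothetical authorizer group claim


class InMemoryTable:
    """Stand-in for a boto3 DynamoDB Table resource (get_item / put_item only)."""

    def __init__(self) -> None:
        self.items: Dict[str, Dict[str, Any]] = {}

    def get_item(self, Key: Dict[str, str]) -> Dict[str, Any]:
        item = self.items.get(Key["flagName"])
        return {"Item": dict(item)} if item else {}

    def put_item(self, Item: Dict[str, Any]) -> None:
        self.items[Item["flagName"]] = dict(Item)


def _default_table():
    # Imported lazily so the module also loads where boto3 is not installed.
    import boto3
    return boto3.resource("dynamodb").Table(os.environ["EMERGENCY_TABLE"])


def read_emergency_flag(table=None) -> Dict[str, str]:
    """Return the flag as flat string attributes for the flow.

    Amazon Connect accepts only a flat JSON object of string values from a
    Lambda, so the boolean is rendered as "true"/"false". A missing item or a
    read error fails closed to normal routing: a mistake in the table cannot
    by itself put the contact center into disaster mode.
    """
    table = table or _default_table()
    try:
        item = table.get_item(Key={"flagName": FLAG_NAME}).get("Item")
    except Exception:  # a failed read must not break the contact's flow
        item = None
    if not item or not item.get("active"):
        return {"emergencyMode": "false", "emergencyMessage": ""}
    return {"emergencyMode": "true", "emergencyMessage": str(item.get("message", ""))}


def check_emergency_handler(event, context=None, table=None) -> Dict[str, str]:
    """Lambda entry point for the flow's 'Invoke AWS Lambda function' block."""
    return read_emergency_flag(table)


def _caller_groups(event) -> List[str]:
    """Group claims forwarded by the API authorizer. The encoding of the groups
    claim depends on the authorizer type, so list and string forms are both
    accepted (assumption)."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims", {})
    raw = claims.get("cognito:groups", [])
    if isinstance(raw, str):
        raw = raw.strip("[]").replace(",", " ").split()
    return list(raw)


def set_emergency_handler(event, context=None, table=None, now: Optional[float] = None):
    """API Gateway Lambda-proxy handler that toggles the flag.

    The API authorizer authenticates the caller; this handler additionally
    requires a supervisor group claim, so a route deployed without its
    authorizer does not silently expose the toggle. Every change records who
    made it and when, for audit.
    """
    if ALLOWED_GROUP not in _caller_groups(event):
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    try:
        body = json.loads(event.get("body") or "{}")
        active = body["active"]
        if not isinstance(active, bool):
            raise ValueError("active must be a JSON boolean")
        message = str(body.get("message", ""))[:500]  # bound what a caller can store
    except (ValueError, KeyError, TypeError) as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    claims = event["requestContext"]["authorizer"]["claims"]
    table = table or _default_table()
    table.put_item(Item={
        "flagName": FLAG_NAME,
        "active": active,
        "message": message,
        "updatedBy": claims.get("sub", "unknown"),
        "updatedAt": int(time.time() if now is None else now),
    })
    return {"statusCode": 200, "body": json.dumps({"active": active})}
```

The read path deliberately fails closed to normal routing; if your continuity plan prefers the opposite (treat an unreadable flag as an emergency), change only `read_emergency_flag`. In the flow, branch on the `emergencyMode` attribute with a Check contact attributes block and play `emergencyMessage` with a Play prompt block.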

## Resources
<a name="operational-resources-bp"></a>

**Documentation**
+ [DevOps and AWS](https://aws.amazon.com/devops/)
+ [Amazon Connect Service API Documentation](https://docs.aws.amazon.com/connect/latest/APIReference/welcome.html)

**Blog**
+ [How to handle unexpected contact spikes with Amazon Connect](https://aws.amazon.com/blogs/contact-center/how-to-handle-unexpected-contact-spikes-with-amazon-connect/)

**Video**
+ [DevOps at Amazon](https://www.youtube.com/watch?v=esEFaY0FDKc.pdf) 

# Design principles for developing a secure contact center in Amazon Connect
<a name="security-bp"></a>

Security includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. This section provides an overview of design principles, best practices, and questions surrounding security for Amazon Connect workloads. 

## Amazon Connect Security Journey
<a name="amazon-connect-security-journey"></a>

After you’ve made the decision to move your workload to Amazon Connect, in addition to reviewing [Security in Amazon Connect](security.md) and [Security Best Practices for Amazon Connect](security-best-practices.md), follow these guidelines and steps to understand and implement your security requirements relative to the following core security areas:

![\[A diagram showing the core security areas to implement in Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/securityjourney.png)


### Understanding the AWS Security Model
<a name="understanding-security-model"></a>

When you move computer systems and data to the cloud, security responsibilities become shared between you and AWS. AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything you put on the cloud or connect to the cloud.

![\[Understanding the AWS Security Model.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/shareresponsibilitymodel.png)


Which AWS services you use will determine how much configuration work you have to perform as part of your security responsibilities. When you use Amazon Connect, the shared model reflects AWS and customer responsibilities at a high-level, as shown in the following diagram.

![\[AWS shared responsibility model for Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/shareresponsibilitymodelforamazonconnect.png)


### Compliance Foundations
<a name="compliance-foundations"></a>

Third-party auditors assess the security and compliance of Amazon Connect as part of multiple AWS compliance programs. These include [SOC](https://aws.amazon.com/compliance/soc-faqs/), [PCI](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/), [HIPAA](https://aws.amazon.com/compliance/hipaa-compliance/), [C5 (Frankfurt)](https://aws.amazon.com/compliance/bsi-c5/), and [HITRUST CSF](https://aws.amazon.com/compliance/hitrust/). 

For a list of AWS services in scope of specific compliance programs, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/). For general information, see [AWS Services Compliance Programs](https://aws.amazon.com/compliance/programs/). 

### Region selection
<a name="regionselection"></a>

Region selection to host the Amazon Connect instance depends on data sovereignty restrictions and where the contacts and agents are based. After that decision is made, review the network requirements for Amazon Connect and the ports and protocols that you need to allow. Additionally, to reduce the blast radius, use the domain allow list or allowed IP address ranges for your Amazon Connect instance.

For more information, see [Set up your network to use the Amazon Connect Contact Control Panel (CCP)](ccp-networking.md).

### AWS services integration
<a name="servicesintegration"></a>

We recommend reviewing each AWS service in your solution against the security requirements of your organization. See the following resources: 
+ [Security in AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/lambda-security.html) 
+ [Security and Compliance in DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) 
+ [Security in Amazon Lex](https://docs.aws.amazon.com/lex/latest/dg/security.html) 

## Data Security in Amazon Connect
<a name="datasecurity-bp"></a>

During your security journey, your security teams may require a deeper understanding of how data is handled in Amazon Connect. See the following resources: 
+ [Detailed network paths for Amazon Connect](detailed-network-paths.md)
+ [Infrastructure security in Amazon Connect](infrastructure-security.md)
+ [Compliance validation in Amazon Connect](compliance-validation.md)

### Workload diagram
<a name="workload-diagram"></a>

Review your workload diagram and architect an optimum solution on AWS. This includes analyzing and deciding which additional AWS services should be included in your solution and any third-party and on-premises applications that need to be integrated. 

## AWS Identity and Access Management (IAM)
<a name="iam-bp"></a>

### Types of Amazon Connect Personas
<a name="typesofpersonas"></a>

There are four types of Amazon Connect personas, based on the activities being performed.

![\[Types of Amazon Connect personas.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/amazonconnectpersonas.png)


1. AWS administrator – AWS administrators create or modify Amazon Connect resources and may also delegate administrative access to other principals by using the AWS Identity and Access Management (IAM) service. The scope of this persona is focused on creating and administering your Amazon Connect instance.

1. Amazon Connect administrator – Service administrators determine which Amazon Connect features and resources employees should access within the Amazon Connect admin website. The service administrator assigns security profiles to determine who can access the Amazon Connect admin website and what tasks they can perform. The scope of this persona is focused on creating and administering your Amazon Connect contact center.

1. Amazon Connect agent – Agents interact with Amazon Connect to perform their job duties. Service users may be contact center agents or supervisors.

1. Amazon Connect Service contact – The customer who interacts with your Amazon Connect contact center.

### IAM Administrator Best Practices
<a name="iambp"></a>

IAM Administrative access should be limited to approved personnel within your organization. IAM administrators should also understand what IAM features are available to use with Amazon Connect. For IAM best practices, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*. Also see [Amazon Connect identity-based policy examples](security_iam_id-based-policy-examples.md). 

### Amazon Connect Service Administrator Best Practices
<a name="iambp"></a>

Service administrators are responsible for managing Amazon Connect users, including adding users to Amazon Connect, giving them their credentials, and assigning the appropriate permissions so they can access the features needed to do their job. Administrators should start with a minimum set of permissions and grant additional permissions as necessary. 

[Security profiles for Amazon Connect and Contact Control Panel (CCP) access](connect-security-profiles.md) help you manage who can access the Amazon Connect dashboard and Contact Control Panel, and who can perform specific tasks. Review the granular permissions granted within the default security profiles available natively. Custom security profiles can be set up to meet specific requirements, for example a power agent who can take calls but also has access to reports. After this is finalized, users should be assigned to the correct security profiles.

### Multi-Factor Authentication
<a name="mfa"></a>

For extra security, we recommend that you require multi-factor authentication (MFA) for all IAM users in your account. MFA can be [set up through AWS IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) or through your SAML 2.0 identity provider or RADIUS server, if that's more applicable for your use case. After MFA is set up, a third text box becomes visible on the Amazon Connect login page to provide the second factor.

### Identity Federation
<a name="identityfederation"></a>

In addition to storing users in Amazon Connect, you can [enable single sign-on (SSO) to Amazon Connect](configure-saml.md) by using identity federation. Federation is a recommended practice to allow for employee lifecycle events to be reflected in Amazon Connect when they are made in the source identity provider. 

### Access to Integrated Applications
<a name="accessintegratedapps"></a>

Steps within your flows may need credentials to access information in external applications and systems. To provide credentials to access other AWS services in a secure way, use IAM roles. An IAM role is an entity that has its own set of permissions, but that isn't a user or group. Roles don't have a permanent set of credentials; the temporary credentials they provide are rotated automatically. 

Credentials such as API keys should be stored outside of your flow application code, where they can be retrieved programmatically. To accomplish this, you can use AWS Secrets Manager or an existing third-party solution. Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
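How a flow Lambda retrieves such a credential from Secrets Manager, as an added example that is not code from the Amazon Connect documentation. It assumes a secret whose `SecretString` is a JSON document with an `apiKey` field, a hypothetical `CRM_SECRET_ID` environment variable naming that secret, and a CRM lookup function supplied by the caller; the Secrets Manager client is injectable so the caching behaviour can be exercised offline.

```python
"""Fetch an external system's API key from AWS Secrets Manager in a flow Lambda.

Added example, not code from the Amazon Connect documentation. Assumes a JSON
secret with an "apiKey" field, named in the CRM_SECRET_ID environment
variable (hypothetical), and a caller-supplied CRM lookup function.
"""
import json
import os
import time
from typing import Callable, Dict, Optional, Tuple

CACHE_TTL_SECONDS = 300  # re-read after 5 minutes so a rotated secret is picked up
_CACHE: Dict[str, Tuple[float, str]] = {}  # secret id -> (expires_at, SecretString)


class InMemorySecrets:
    """Stand-in for boto3.client("secretsmanager"); counts calls to show caching."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self.secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, str]:
        self.calls += 1
        return {"SecretString": self.secrets[SecretId]}


def get_secret_field(secret_id: str, field: str, client=None,
                     now: Optional[float] = None) -> str:
    """Return one field of a JSON secret, caching the SecretString in the Lambda
    execution environment. Caching avoids one Secrets Manager call per contact
    (latency and API quota); the TTL bounds how long a rotated value is stale."""
    now = time.time() if now is None else now
    cached = _CACHE.get(secret_id)
    if cached is None or cached[0] <= now:
        if client is None:
            import boto3  # lazy import: the module loads without boto3 installed
            client = boto3.client("secretsmanager")
        secret_string = client.get_secret_value(SecretId=secret_id)["SecretString"]
        _CACHE[secret_id] = (now + CACHE_TTL_SECONDS, secret_string)
    else:
        secret_string = cached[1]
    return json.loads(secret_string)[field]


def lookup_customer_handler(event, context=None,
                            crm_lookup: Optional[Callable[[str, str], Dict[str, str]]] = None,
                            client=None, now: Optional[float] = None) -> Dict[str, str]:
    """Flow Lambda: resolve the caller's ANI to CRM fields.

    The API key never appears in the returned attributes: contact attributes
    end up in contact records and in front of agents, so only the lookup
    result is passed back to the flow.
    """
    ani = event["Details"]["ContactData"]["CustomerEndpoint"]["Address"]
    secret_id = os.environ.get("CRM_SECRET_ID", "crm/api-key")  # hypothetical name
    api_key = get_secret_field(secret_id, "apiKey", client, now)
    record = crm_lookup(api_key, ani) if crm_lookup else {}
    return {
        "customerName": str(record.get("name", "")),
        "membershipLevel": str(record.get("tier", "")),
    }
```

The Lambda's execution role needs `secretsmanager:GetSecretValue` on that one secret only; scoping the resource ARN keeps a compromised function from reading other secrets in the account.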

## Detective controls
<a name="detectivecontrols"></a>

Logging and monitoring are important for the availability, reliability, and performance of a contact center. You should log relevant information from Amazon Connect flows to Amazon CloudWatch and build alerts and notifications based on those logs. 

You should define log retention requirements and lifecycle policies early on, and plan to move log files to cost-efficient storage locations as soon as practical. Amazon Connect public APIs log to AWS CloudTrail. You should review and automate actions set up based on CloudTrail logs.

Amazon S3 is the best choice for long-term retention and archiving of log data, especially for organizations with compliance programs that require log data to be auditable in its native format. After log data is in an S3 bucket, define lifecycle rules to automatically enforce retention policies and move these objects to other, cost-effective storage classes, such as Amazon S3 Standard - Infrequent Access (Standard - IA) or Amazon Glacier.

The AWS Cloud provides flexible infrastructure and tools to support both sophisticated partner offerings and self-managed centralized-logging solutions. This includes services such as Amazon OpenSearch Service and Amazon CloudWatch Logs. 

Fraud detection and prevention for incoming contacts can be implemented by customizing Amazon Connect Flows per the customer requirements. As an example, customers can check incoming contacts against previous contact activity in DynamoDB, and then take action, such as disconnecting a contact because they are a blocked contact.

## Infrastructure protection
<a name="infrastructureprotection"></a>

Although there is no infrastructure to manage in Amazon Connect, there could be scenarios where your Amazon Connect instance needs to interact with other components or applications deployed in infrastructure residing on-premises. Consequently, it is important to ensure that networking boundaries are considered under this assumption. Review and implement specific Amazon Connect infrastructure security considerations. Also, review contact center agent and supervisor desktops or VDI solutions for security considerations. 

You can configure a Lambda function to connect to private subnets in a virtual private cloud (VPC) in your account. Use Amazon Virtual Private Cloud to create a private network for resources such as databases, cache instances, or internal services. Connect your function to the VPC to access those private resources during execution.

## Data protection
<a name="dataprotection"></a>

Customers should analyze the data traversing through and interacting with the contact center solution.
+ Third party and external data
+ On-premises data in hybrid Amazon Connect architectures

After analyzing the scope of the data, classify it, paying particular attention to identifying sensitive data. Amazon Connect conforms to the AWS shared responsibility model. [Data protection in Amazon Connect](data-protection.md) includes best practices such as using MFA and TLS and the use of other AWS services, including Amazon Macie. 

Amazon Connect [handles a variety of data related to contact centers](data-handled-by-connect.md). This includes phone call media, call recordings, chat transcripts, and contact metadata, as well as flows, routing profiles, and queues. Amazon Connect handles data at rest by segregating data by account ID and instance ID. All data exchanged with Amazon Connect is protected in transit between the user's web browser and Amazon Connect using open standard TLS encryption. 

You can specify AWS KMS keys to be used for encryption including bring your own key (BYOK). Additionally, you can use key management options within Amazon S3.

### Protecting Data Using Client-Side Encryption
<a name="protectingdata"></a>

Your use case may require encryption of sensitive data that is collected by flows, for example when gathering personal information to customize the customer experience as they interact with your IVR. To do this you can use public-key cryptography with the [AWS Encryption SDK](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html). The AWS Encryption SDK is a client-side encryption library designed to make it efficient for everyone to encrypt and decrypt data using open standards and best practices. 

### Input validation
<a name="inputvalidation"></a>

Perform input validation to ensure that only properly formed data is entering the flow. This should happen as early as possible in the flow. For example, when prompting a customer to say or enter a telephone number, they may or may not include the country code.
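A worked version of the telephone-number case above, as an added example that is not code from the Amazon Connect documentation: the number is normalized to E.164 whether or not the caller included a country code, and anything malformed is rejected rather than guessed. It assumes the flow passes the collected digits to the Lambda as a parameter named `phoneNumber` (a hypothetical name) and that the contact center's default country code is +1; both are parameters of the functions below, and the NANP area-code rule is applied only when the default is +1.

```python
"""Normalize and validate a telephone number collected by a flow.

Added example, not code from the Amazon Connect documentation. Assumes the
flow passes the collected digits as a parameter named "phoneNumber"
(hypothetical) and that the default country code is +1 (NANP).
"""
import re
from typing import Dict, Optional

E164_MAX_DIGITS = 15
_ALLOWED = re.compile(r"^\+?[0-9()\s.\-]+$")             # digits plus common separators only
_NANP_NATIONAL = re.compile(r"^[2-9]\d{2}[2-9]\d{6}$")  # area code and exchange start with 2-9


def normalize_phone(raw: str, default_country_code: str = "1") -> Optional[str]:
    """Return the number in E.164 form ("+<country code><number>") or None if
    it is malformed. Callers may omit the country code, dial it without "+",
    or use the "00" international prefix; all three are accepted. Letters,
    DTMF * or #, and numbers with too many or too few digits are rejected."""
    raw = raw.strip()
    if not raw or not _ALLOWED.match(raw):
        return None
    digits = re.sub(r"\D", "", raw)
    international = raw.startswith("+")
    if not international and digits.startswith("00"):  # "00" international prefix
        digits = digits[2:]
        international = True
    if international:
        if not 8 <= len(digits) <= E164_MAX_DIGITS:
            return None
        return "+" + digits
    # No country code given: interpret as a national number in the default country.
    if digits.startswith(default_country_code) and len(digits) > len(default_country_code):
        national = digits[len(default_country_code):]
    else:
        national = digits
    if default_country_code == "1" and not _NANP_NATIONAL.match(national):
        return None
    if not 1 <= len(national) + len(default_country_code) <= E164_MAX_DIGITS:
        return None
    return "+" + default_country_code + national


def validate_phone_handler(event, context=None) -> Dict[str, str]:
    """Flow Lambda: validate early and return flat string attributes the flow
    can branch on (re-prompt when phoneValid is "false")."""
    raw = event.get("Details", {}).get("Parameters", {}).get("phoneNumber", "")
    normalized = normalize_phone(str(raw))
    if normalized is None:
        return {"phoneValid": "false", "phoneE164": ""}
    return {"phoneValid": "true", "phoneE164": normalized}
```

Validating before the number is stored as a contact attribute or passed to a downstream system means later flow blocks, callbacks, and integrations all see one canonical format and never an unexpected character.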

## Amazon Connect security vectors
<a name="securityvectors"></a>

Amazon Connect security can be divided into three logical layers as illustrated in the following diagram:

![\[Amazon Connect security vectors.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/securityvectors.png)


1. **Agent workstation**. The agent workstation layer is not managed by AWS and consists of any physical equipment and third-party technologies, services, and endpoints that facilitate your agent's voice, data, and access to the Amazon Connect interface layer.

   Follow your security best practices for this layer with special attention to the following:
   + Plan identity management keeping in mind best practices noted in [Security Best Practices for Amazon Connect](security-best-practices.md).
   + Mitigate insider threat and compliance risk associated with workloads that handle sensitive information, by creating a secure IVR solution that enables you to bypass agent access to sensitive information. By encrypting contact input in your flows, you’re able to capture information securely without exposing it to your agents, their workstations, or their operating environments. For more information, see [Encrypt sensitive customer input in Amazon Connect](encrypt-data.md).
   + You are responsible for maintaining the allowlist of AWS IP addresses, ports, and protocols needed to use Amazon Connect. 

1. **AWS**: The AWS layer includes Amazon Connect and AWS integrations including AWS Lambda, Amazon DynamoDB, Amazon API Gateway, Amazon S3, and other services. Follow the security pillar guidelines for AWS services, with special attention to the following:
   + Plan identity management, keeping in mind best practices noted in [Security Best Practices for Amazon Connect](security-best-practices.md).
   + Integrations with other AWS services: Identify each AWS service in the use case as well as any third-party integration points applicable for this use case. 
   + Amazon Connect can integrate with AWS Lambda functions that run inside of a customer VPC through the [VPC endpoints for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html). 

   

1. **External**: The External layer includes contact points including chat, click-to-call endpoints, and the PSTN for voice calls, integrations you may have with legacy contact center solutions in a Hybrid contact center architecture, and integrations you may have with other third-party solutions. Any entry point or exit point for a third party in your workload is considered the external layer.

   This layer also covers integrations customers may have with other third-party solutions and applications such as CRM systems, workforce management (WFM), and reporting and visualization tools and applications, such as Tableau and Kibana. You should consider the following areas when securing the external layer:
   + You can [create contact filters for repeat and fraudulent contacts](https://aws.amazon.com/blogs/contact-center/how-to-protect-against-spam-calls-for-click-to-dial/) using AWS Lambda to write contact details to DynamoDB from within your flow, including ANI, IP address for click-to-dial and chat endpoints, and any other identifying information to track how many contact requests occur during a given period of time. This approach allows you to query and add contacts to deny lists, automatically disconnecting them if they exceed reasonable levels. 
   + ANI Fraud detection solutions using [Amazon Connect telephony metadata](connect-attrib-list.md#telephony-call-metadata-attributes) and [partner solutions](https://aws.amazon.com/connect/partners/) can be used to protect against caller ID spoofing. 
   + [Amazon Connect Voice ID](voice-id.md) and other voice biometric partner solutions can be used to enhance and streamline the authentication process. Active voice biometric authentication allows contacts the option to speak specific phrases and use those for voice signature authentication. Passive voice biometrics allow contacts to register their unique voiceprint and use their voiceprint to authenticate with any voice input that meets sufficient length requirements for authentication.
   + Maintain the [application integration](app-integration.md) section in the Amazon Connect console for adding any third-party application or integration points to your allowlist, and remove unused endpoints.
   + Send only the data necessary to meet minimum requirements to external systems that handle sensitive data. For example, if you have only one business unit using your call recording analytics solution, you can set an AWS Lambda trigger in your S3 bucket to process contact records, check for the business unit’s specific queues in the contact record data, and if it is a queue that belongs to the unit, send only that call recording to the external solution. With this approach, you only send the data necessary and avoid the cost and overhead associated with processing unnecessary recordings.

     For an integration that enables Amazon Connect to communicate with Amazon Kinesis and Amazon Redshift to enable the streaming of contact records, see [Amazon Connect integration: Data streaming](https://aws.amazon.com/quickstart/connect/data-streaming/).
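The repeat-contact filter described in the first bullet above (and the DynamoDB-based fraud check under Detective controls), as an added example that is not code from the Amazon Connect documentation or the linked blog post. The store keeps contact timestamps and a deny list in memory; a deployment backs the same three operations with a DynamoDB table and expires old timestamps with a TTL attribute. The window, threshold, and the `sourceIp` parameter name for chat and click-to-dial contacts are assumptions.

```python
"""Repeat-contact and deny-list screening for incoming contacts.

Added example, not code from the Amazon Connect documentation. The in-memory
store stands in for a DynamoDB table; the window, threshold and the
"sourceIp" flow parameter are assumptions.
"""
import time
from typing import Dict, List, Optional, Set

WINDOW_SECONDS = 600         # look back 10 minutes (assumption)
MAX_CONTACTS_IN_WINDOW = 5   # more than this from one identifier is treated as abusive (assumption)


class ContactActivityStore:
    """Contact history keyed by identifier: ANI for voice, source IP for
    click-to-dial and chat. In a Lambda this object lives only as long as the
    execution environment, so a deployment must use DynamoDB instead."""

    def __init__(self) -> None:
        self._timestamps: Dict[str, List[int]] = {}
        self._denied: Set[str] = set()

    def record(self, identifier: str, ts: int) -> None:
        self._timestamps.setdefault(identifier, []).append(ts)

    def count_since(self, identifier: str, since: int) -> int:
        return sum(1 for t in self._timestamps.get(identifier, []) if t >= since)

    def deny(self, identifier: str) -> None:
        self._denied.add(identifier)

    def is_denied(self, identifier: str) -> bool:
        return identifier in self._denied


STORE = ContactActivityStore()


def contact_identifier(event) -> str:
    """Choose the identifier per channel, as the text above suggests."""
    data = event["Details"]["ContactData"]
    if data.get("Channel") == "VOICE":
        return "ani:" + data["CustomerEndpoint"]["Address"]
    # Chat / click-to-dial: the flow passes the client IP as a parameter (assumption).
    return "ip:" + event["Details"]["Parameters"]["sourceIp"]


def screen_contact_handler(event, context=None, store: Optional[ContactActivityStore] = None,
                           now: Optional[int] = None) -> Dict[str, str]:
    """Flow Lambda: returns flat string attributes. The flow checks the
    "action" attribute and disconnects when it is DISCONNECT; the count is
    returned so it can be logged with the contact for later review."""
    store = STORE if store is None else store
    now = int(time.time()) if now is None else now
    ident = contact_identifier(event)
    if store.is_denied(ident):
        return {"action": "DISCONNECT", "reason": "denylist", "recentContacts": "0"}
    store.record(ident, now)
    recent = store.count_since(ident, now - WINDOW_SECONDS)
    if recent > MAX_CONTACTS_IN_WINDOW:
        store.deny(ident)  # automatic deny-listing once the threshold is exceeded
        return {"action": "DISCONNECT", "reason": "rate", "recentContacts": str(recent)}
    return {"action": "CONTINUE", "reason": "", "recentContacts": str(recent)}
```

Keep the deny list reviewable: ANI can be shared by many legitimate callers behind one PBX and by spoofed callers, so pair an automatic deny with an expiry or a supervisor-managed allow list rather than treating it as permanent.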

## Resources
<a name="securityvectors-resources-bp"></a>

**Documentation**
+ [AWS Cloud Security](https://aws.amazon.com/security/) 
+ [Security in Amazon Connect](security.md)
+ [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+ [AWS Compliance](https://aws.amazon.com/compliance/)
+ [AWS Security blog](https://aws.amazon.com/blogs/security/)

**Articles**
+ [Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) 
+ [Introduction to AWS Security](https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/introduction-aws-security.pdf)
+ [AWS Security Best Practices](https://aws.amazon.com/architecture/security-identity-compliance/) 

**Videos**
+ [AWS Security State of the Union](https://www.youtube.com/watch?v=Wvyc-VEUOns) 
+  [AWS Compliance - The Shared Responsibility Model](https://www.youtube.com/watch?v=U632-ND7dKQ) 

# Load and penetration / security testing policies for Amazon Connect
<a name="load-and-penetration-testing"></a>

Amazon Connect regularly performs rigorous testing to ensure our service delivers the security, reliability, and availability required to support world-class contact centers of all sizes. 

Amazon Connect has developed policies and requirements governing your ability to conduct your own security assessments (such as penetration tests) and load testing to validate your environments and ensure they are production-ready. This topic explains the policies and requirements.

## Security and penetration testing
<a name="securityandpenetrationtesting"></a>

Due to the inherent risk of damage from security testing, Amazon Connect does not support any customer security or penetration tests, as explained on this AWS Cloud Security page: [Penetration Testing](https://aws.amazon.com/security/penetration-testing). It is not listed as a permitted service under **Customer Service Policy for Penetration Testing**.

Amazon Connect has a rigorous security and penetration test routine. If you have requirements related to security, ask your AWS account team (Technical Account Manager or Solution Architect) for assistance.

## Load testing
<a name="loadtesting"></a>

Amazon Connect considers load tests as any tests that: 
+ Target specific endpoints
+ Generate synthetic traffic targeted at concentrated sources
+ Maintain a higher than normal sustained volume of traffic
+ Can accidentally exceed expected limits

These characteristics present potential risks of unintended impact to external endpoints, other customers, or AWS services. You are required to follow our load test policy for any plans that meet these criteria.

Our load test policy requires that customers:
+ Only test out of hours: from 6PM-6AM in the local timezone of the AWS Region being tested.
+ Identify an emergency contact who is reachable during the load test.
+ Provide a document and detailed view of the planned load test.

**Important**  
**You must receive approval from AWS for your load test a minimum of two weeks in advance of the test date.**

**To submit a request for a load test**

1. Send email to **amazon-connect-load-test-requests@amazon.com** **and copy your AWS account team (Technical Account Manager or Solution Architect).**

1. Upon receipt, the Amazon Connect team will provide you with the Load Test Request intake form.

   The Amazon Connect load test team responds to emails within 48 working hours. If you do not receive a response within that time, please follow up.

The Amazon Connect team will review your request. We will:
+ Determine whether there are any risks.
+ Validate whether there are any considerations with the load test having the ability to be detected and/or reported as being abusive.
+ Given how the test is designed, determine whether it might be unintentionally abusive and/or impactful to other entities.
+ Determine whether you have mitigations applied to your instances, which can impact your tests as well as your production workloads.

If we determine there is not likely to be an impact, we will provide a **written approval** to proceed. 

For tests that might have impact, we will ask you to take additional steps, such as:
+ Running the instance generating traffic from a separate AWS account or Region.
+ Adjusting the tests to minimize risk, or working with AWS closely to understand the scenarios and processes.

**Important**  
Even with approval from AWS, you are responsible for:  
+ Any damages to AWS, other AWS customers, or external entities that are caused by your testing activities.  
+ Compliance with applicable laws in jurisdictions in which you operate, including laws and regulations governing cybersecurity or misuse of IT systems.  
Any load test run without approval from AWS will result in mitigation actions being taken against the AWS account up to and including suspension of service. Unauthorized testing may also be considered a violation of law and subject to criminal prosecution.

# Reliability in Amazon Connect
<a name="reliability-bp"></a>

Reliability includes the ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues. As resiliency is handled as part of the service, there are no reliability practices unique to Amazon Connect beyond what is covered in [Operational excellence in Amazon Connect workloads](operational-excellence.md). You can find prescriptive guidance on implementation in the [Reliability Pillar](https://d0.awsstatic.com/whitepapers/architecture/AWS-Reliability-Pillar.pdf) whitepaper.

## Resources
<a name="reliability-resources-bp"></a>

**Documentation**
+ [AWS Service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) 
+ [Resilience in Amazon Connect](disaster-recovery-resiliency.md)
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) 

**Whitepaper**
+ [Reliability Pillar](https://d0.awsstatic.com/whitepapers/architecture/AWS-Reliability-Pillar.pdf)

**Video**
+  [Embracing Failure: Fault-Injection and Service Reliability](https://www.youtube.com/watch?v=wrY7XoOnysg) 

**Product**
+ [Trusted advisor](https://aws.amazon.com/premiumsupport/technology/trusted-advisor/): An online tool that provides you real-time guidance to help you provision your resources following AWS best practices.

# Performance efficiency for Amazon Connect workloads
<a name="performance-efficiency-bp"></a>

Performance efficiency includes the ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve. This section provides an overview of design principles, best practices, and questions surrounding performance efficiency for Amazon Connect workloads. You can find prescriptive guidance on implementation in the [Performance Efficiency Pillar](https://d0.awsstatic.com/whitepapers/architecture/AWS-Performance-Efficiency-Pillar.pdf) whitepaper.

## Architectural design
<a name="performance-efficiency-architecturaldesignbp"></a>

There are two fundamental architectural design principles to consider when designing experiences for the contact center: 
+ Reductionism is a philosophical tenet stating that by analyzing a system to its ultimate component parts, you can unravel it at deeper levels. 
+ Holism, in contrast, states that by considering the whole picture one gets a deeper and more complete view of a situation than by analyzing it into its component parts. 

The reductionist approach focuses on each individual component (IVR, ACD, speech recognition) on its own and often results in a disjointed customer experience that, when each component is evaluated individually, may meet the performance requirements for the use case. However, when evaluated end-to-end, it can result in decreased quality of experience for your contacts while funneling development efforts into operational silos. This approach complicates regression testing, increases time to market, and limits the development of cross-discipline operational resources critical to the success of your contact center.

A holistic view of the contact center is shown in the following diagram:

![\[A holistic view of the contact center.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/architecturaldesign.png)


The holistic approach focuses on a more complete and cohesive experience for customers, rather than on which technology will provide which part of that experience. 

Let the customer and what they want define and guide your efforts. The experiences that you create for your contacts should not be static or an end state, but should serve as a starting point that should be iterated on continuously based on customer feedback. The regular collection and review of operational and tuning data surrounding how your contacts are interacting and navigating throughout their journey should drive that iteration. Your goal should be dynamic and personalized experiences for contacts reaching your company. This can be accomplished through dynamic data-driven contact design and routing, resulting in an experience that conforms to your contact and their individual needs.

You can start with the default experience, building out your flows, but refactoring your single flow into two to enable future segmentation:

![\[Refactoring your single flow into two.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/architecturaldesign2.png)


In your next iteration, identify additional experiences that you need to plan for and build routing and, if necessary, flows for each. For example, you may want to play different prompts for a contact that is past due on their bill or that may have tried to contact multiple times for the same purpose. With this approach, you are working towards personalized, dynamic experiences that are pertinent to your contacts and why they are contacting you. In addition to improving the quality of experience for your contacts and decreasing handle times, you’re encouraging contact self-service by providing a more intelligent and flexible experience. Your next iteration may look like the following illustration:

![\[Next iteration of flow.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/architecturaldesign3.png)


## Flow design
<a name="contactflowdesign-bp"></a>

A flow defines the customer experience with your contact center from start to finish. Your flow configuration can have a direct impact on performance, operational efficiency, and ease of maintenance. 

Many large businesses support multiple phone numbers, business units, prompts, queues, and other Amazon Connect resources. While it is possible to have unique flows for each phone number and line of business, doing so leads to a one-to-one mapping of phone numbers and flows. This results in unnecessary service quota requests and a large number of flows to support and maintain. A one-to-one mapping of DNIS and flow implementation is illustrated in the following figure:

![\[Flow design example showing a one-to-one mapping of a DNIS and Flow implementation.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/contactflowdesign.png)


Alternatively, consider an approach that maps multiple DNIS to one or a few flows by using the dynamic nature of Amazon Connect flows. With this approach, you can store configuration information such as prompts, queues, business hours, whisper prompts/flows, queue treatments, and hold messages in a NoSQL database such as DynamoDB. In Amazon Connect, you can associate multiple phone numbers with the same flow and use a Lambda function to look up the configuration for the dialed phone number. This allows you to dynamically define the contact's experience based on the attributes returned from DynamoDB. 

For example, you can play prompts or use Text-to-Speech (TTS) to greet callers based upon the lookups in DynamoDB or associate queues using dynamic attributes supported in flow blocks. The result with this approach is a flow implementation that is efficient to build, maintain, and support: 

![\[An example flow design for using prompts and Text-to-Speech to greet callers.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/contactflowdesign2.png)
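The DNIS lookup described above, as an added example that is not part of the original page or AWS's own code: a Lambda handler invoked from the "Invoke AWS Lambda function" flow block reads the dialed number from the Amazon Connect event, looks it up in a table keyed by DNIS, and returns the flat string attributes the flow can branch on. The table name, item layout, sample numbers and queue ARNs are assumptions; an in-memory dictionary stands in for DynamoDB so the example runs offline.

```python
import json
import re

E164 = re.compile(r"^\+[1-9]\d{1,14}$")           # dialed numbers arrive in E.164 form
KEY_OK = re.compile(r"^[A-Za-z0-9_-]+$")           # attribute keys Amazon Connect accepts
MAX_RESPONSE_BYTES = 32 * 1024                     # Connect's limit on returned attribute data

# Constructed stand-in for the DynamoDB table (assumed name: DnisConfig), keyed by DNIS.
# In production replace with boto3.resource("dynamodb").Table("DnisConfig").get_item(...)
# and scope the function's IAM role to dynamodb:GetItem on that single table ARN.
SAMPLE_DNIS_TABLE = {
    "+12025550100": {"BusinessUnit": "Billing", "Greeting": "Thanks for calling billing.",
                     "QueueArn": "arn:aws:connect:REGION:ACCOUNT:instance/ID/queue/BILLING-PLACEHOLDER",
                     "HoursProfile": "Standard"},
    "+12025550101": {"BusinessUnit": "Sales", "Greeting": "Welcome to sales.",
                     "QueueArn": "arn:aws:connect:REGION:ACCOUNT:instance/ID/queue/SALES-PLACEHOLDER",
                     "HoursProfile": "Extended", "WhisperText": "Sales line"},
}
# Fail-safe configuration used when the dialed number has no row (or the event is malformed),
# so a missing row degrades to a generic experience instead of a failed flow.
DEFAULT_CONFIG = {"BusinessUnit": "General", "Greeting": "Thank you for calling.",
                  "QueueArn": "arn:aws:connect:REGION:ACCOUNT:instance/ID/queue/GENERAL-PLACEHOLDER",
                  "HoursProfile": "Standard"}

def lookup_config(dnis, table=SAMPLE_DNIS_TABLE):
    """Return the configuration row for a dialed number, or the default with a reason."""
    if not E164.match(dnis or ""):
        return dict(DEFAULT_CONFIG, ConfigSource="default-invalid-dnis")
    item = table.get(dnis)
    if item is None:
        return dict(DEFAULT_CONFIG, ConfigSource="default-unknown-dnis")
    return dict(item, ConfigSource="table")

def to_connect_attributes(config):
    """Flatten to the string key/value map a flow can consume; drop nested values and bad keys."""
    attrs = {}
    for key, value in config.items():
        if not KEY_OK.match(key) or isinstance(value, (dict, list)):
            continue  # nested objects are not supported in a Lambda response to Connect
        attrs[key] = str(value)
    if len(json.dumps(attrs).encode("utf-8")) > MAX_RESPONSE_BYTES:
        raise ValueError("response exceeds the Amazon Connect attribute size limit")
    return attrs

def lambda_handler(event, context=None, table=SAMPLE_DNIS_TABLE):
    """Entry point for the 'Invoke AWS Lambda function' flow block."""
    # SystemEndpoint.Address is the number the contact dialed (the DNIS);
    # CustomerEndpoint.Address would be the caller's number.
    dnis = (event.get("Details", {}).get("ContactData", {})
                 .get("SystemEndpoint", {}).get("Address"))
    return to_connect_attributes(lookup_config(dnis, table))

if __name__ == "__main__":
    # Constructed event shaped like the one Amazon Connect sends to Lambda.
    sample_event = {"Details": {"ContactData": {
        "SystemEndpoint": {"Type": "TELEPHONE_NUMBER", "Address": "+12025550100"},
        "CustomerEndpoint": {"Type": "TELEPHONE_NUMBER", "Address": "+12025550199"}}}}
    print(lambda_handler(sample_event))
```

In the flow, a "Check contact attributes" block on `ConfigSource` can log or branch when the default was used, and "Set working queue" and "Play prompt" blocks read `QueueArn` and `Greeting` as dynamic attributes.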


## Load testing
<a name="loadtesting-bp"></a>

If you need to run load or scale testing, you can employ third-party or partner solutions to run load tests, or develop your own custom solution using the Amazon Connect [StartOutboundVoiceContact](https://docs.aws.amazon.com/connect/latest/APIReference/API_StartOutboundVoiceContact.html) API to generate calls combined with browser automation scripts to simulate agent behavior. Before performing load tests, review and follow [Load and penetration / security testing policies for Amazon Connect](load-and-penetration-testing.md). 

## Agent enablement
<a name="agentenablement-bp"></a>

Amazon Connect provides a readily available browser-based Contact Control Panel (CCP) for agents to interact with customer contacts. Your agents use the CCP to accept contacts, chat with contacts, transfer them to other agents, put them on hold, and perform other key tasks. You can realize significant performance efficiency through the creation of custom agent desktop solutions using the [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) API. Consider using the Streams API to increase performance efficiency in the following areas:
+ CRM integration - The Streams API allows you to embed the CCP in your CRM application, create your own interface, or integrate with other AWS services and partner solutions to provide your agents with the tools and resources they need to service your contacts. With a custom desktop, like the Amazon Connect and [Salesforce integration](salesforce-integration.md), your agents can get a comprehensive view of customer and contact in a single interface without managing multiple screens and interfaces. 
+ Authentication - You can configure SAML for identity management in Amazon Connect and use IAM Identity Center (SSO) to allow your agents to use the same credentials they use to access your other systems and avoid the need to enter them multiple times. 
+ Agent automation - In addition to streamlining your agent experience, you can automate common, repeatable tasks. For example, automatically creating cases or pre-filling webforms and offering a screen pop with relevant information when a contact is offered. This can reduce handle times and improve the quality of experience for your agents and contacts. 
+ Enhanced capabilities - You can also enhance/extend the CCP functionality to include real-time [Transcriptions, Translations, Suggested Actions and Knowledge base integrations](https://aws.amazon.com/solutions/implementations/ai-powered-speech-analytics-for-amazon-connect/). Integrating enhanced capabilities with your agent desktop will allow skilled agents to service contacts more efficiently and unskilled agents to provide service when skilled agents aren’t available. For example, you can use this approach to automatically translate a chat contact for an unskilled agent who doesn’t know the language. When your agent replies, you can automatically translate the text to the contact’s language, allowing for real-time bilingual communication. 

## Using other AWS services
<a name="leveragingotherservices-bp"></a>

This section discusses AWS services that you can use to improve performance, identify areas of opportunity, and gain valuable insights into your contact data. 

### AWS Lambda
<a name="lambda-bp"></a>

You can use AWS Lambda in your Amazon Connect Flows to perform data dips for customer information, send SMS text messages, and with other services like Amazon S3 to automatically distribute scheduled reports. For more information, see [Best Practices for Working with AWS Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html). 

### Direct Connect
<a name="directconnect-bp"></a>

Direct Connect is a cloud service solution that makes it more efficient to establish a dedicated network connection from your premises to AWS. It provides a durable, consistent connection rather than relying on your ISP to dynamically route requests to AWS resources. It allows you to configure your edge router to redirect AWS traffic across dedicated fiber rather than traversing the public WAN and establish private connectivity between AWS and your data center, office, or colocation environment. In many cases, this can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. 

While Direct Connect does not solve issues specific to private LAN/WAN traversal to your edge router, it can help solve for latency and connectivity issues between your edge router and AWS resources. It can also solve for latency and poor call quality between your edge router and AWS resources. 

Depending on your VDI environment, you may not be able to take advantage of Direct Connect as it requires you to configure your edge router to redirect AWS traffic across dedicated fiber rather than traversing the public WAN. If the VDI environment is hosted outside of your local DXC-enabled network, you may not be able to take full advantage of Direct Connect.

Do not use Direct Connect for "QoS" or "increased security." Direct Connect can cause performance degradation in cases where the latency from the agent workstation is higher than the ISP’s path to the Amazon Connect instance. Direct Connect does not offer additional security when compared to an ISP as Amazon Connect voice and data is already encrypted.

### Amazon Polly
<a name="amazonpolly-bp"></a>

Amazon Connect offers a native integration with Amazon Polly, allowing you to play dynamic and natural Text-to-Speech (TTS), use Speech Synthesis Markup Language (SSML), and take advantage of Neural Text-to-Speech (NTTS) to achieve the most natural and human-like text-to-speech voices possible. 

### Amazon Lex
<a name="amazonlex-bp"></a>

Your contact’s path to service can be a challenging experience that doesn’t always meet their expectations. Your contacts may wait on hold, repeat information, need to be transferred, and ultimately, spend too much time getting what they need. AI is playing a role in improving this customer experience in call centers to include engagement through chatbots — intelligent, natural language virtual assistants. These chatbots are able to recognize human speech and understand the caller’s intent without requiring the caller to speak in specific phrases. Contacts can perform tasks such as changing a password, requesting a balance on an account, or scheduling an appointment without ever speaking to an agent.

Amazon Lex is a service that allows you to create intelligent conversational chatbots. It lets you turn your Amazon Connect contact center flows into natural conversations that provide personalized experiences for your callers. Using the same technology that powers Amazon Alexa, an Amazon Lex chatbot can be attached to your Amazon Connect Flow to recognize the intent of your caller, ask follow-up questions, and provide answers. Amazon Lex maintains context and manages the dialogue, dynamically adjusting the responses based on the conversation, so your contact center can perform common tasks for callers, to address many customer inquiries through self-service interactions. Additionally, Amazon Lex chatbots support an optimal (8 kHz) telephony audio sampling rate, to provide increased speech recognition accuracy and fidelity for your contact center voice interactions.

Building an effective Amazon Lex bot requires providing simple and realistic utterances as training sets to the bot, periodically reviewing your bot’s performance, updating your utterance set, and modifying the bot based on such a review. For more information, see the following resources: 
+ [Monitoring in Amazon Lex](https://docs.aws.amazon.com/lex/latest/dg/monitoring-aws-lex.html)
+ [Building Better bots using Amazon Lex](https://aws.amazon.com/blogs/machine-learning/building-better-bots/)

### Amazon Kinesis
<a name="amazonkinesis-bp"></a>

For situations where you need to gain additional insight from your contact metrics and real-time data from Amazon Connect, you can:
+ Export your contact record data to Amazon Redshift using Amazon Kinesis.
+ Use Amazon Kinesis video stream (KVS) and AWS Lambda to transcribe call recordings or voice contacts in real-time using Amazon Transcribe and send the resulting text to Amazon Comprehend for sentiment analysis.
+ Leverage the [Amazon Connect Agent Event Kinesis Stream](agent-event-streams.md) for real-time agent CTI and schedule adherence data.

### Amazon OpenSearch Service and Kibana
<a name="kibana-bp"></a>

Using Amazon OpenSearch Service and Kibana to process real-time Amazon Connect data gives you a flexible way to query and visualize real-time and historical Amazon Connect data beyond native reporting capabilities.

### Amazon Connect Contact Lens
<a name="contactlens-bp"></a>

Contact Lens is a set of machine learning (ML) capabilities integrated into Amazon Connect that allow contact center supervisors to better understand the sentiment, trends, and compliance risks of customer conversations to effectively train agents, replicate successful interactions, and identify crucial company and product feedback. Contact Lens transcribes contact center calls to create a fully searchable archive and surface valuable customer insights.

## Resources
<a name="performance-resources-bp"></a>

**Documentation**
+ [Best practices design patterns: optimizing Amazon S3 performance](https://docs.aws.amazon.com/AmazonS3/latest/userguide/optimizing-performance.html)
+ [Amazon EBS volume performance on Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSPerformance.html)

**Whitepaper**
+ [Performance Efficiency Pillar](https://d0.awsstatic.com/whitepapers/architecture/AWS-Performance-Efficiency-Pillar.pdf)

**Video**
+ [AWS re:Invent 2016: Scaling Up to Your First 10 Million Users (ARC201)](https://www.youtube.com/watch?v=n28lDDdlnVg) 
+ [AWS re:Invent 2017: Deep Dive on Amazon EC2 Instances](https://www.youtube.com/watch?v=mZy6E2I5Rek) 

# Cost optimization for Amazon Connect workloads
<a name="cost-optimization-bp"></a>

Cost Optimization includes the ability to run systems to deliver business value at the lowest price point. This section provides an overview of design principles, best practices, and questions surrounding cost optimization for Amazon Connect workloads. You can find prescriptive guidance on implementation in the [Cost Optimization Pillar - AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/cost-optimization-pillar/welcome.html). 

Consider the following areas for cost optimization for Amazon Connect workloads.

## Region selection
<a name="regionselection-co"></a>

Amazon Connect Region selection is one of the first decisions customers make when adopting Amazon Connect for their contact center workloads. While latency and voice quality are important aspects of Region selection, you should evaluate Region selection from a cost perspective as well. Telephony pricing for claimed phone numbers per day and per-minute inbound usage can differ by country depending on the AWS Region in which you instantiate your Amazon Connect instance. You can find telephony pricing for each Region on the [Amazon Connect Pricing](https://aws.amazon.com/connect/pricing/) page. 

## Callbacks
<a name="callbacks-co"></a>

You can provide a callback in your flow for callers during high call volume periods or long wait times. You can use callbacks to reduce cost and improve the quality of experience for your contacts. When your contact opts in for the callback, Amazon Connect will retain the position in the queue and allow the caller to disconnect. When an agent becomes available to service your contact, Amazon Connect will place an outbound call to the number configured to connect the contact to your agent. A sample callback flow is included in every instance at creation. You can also use AWS Lambda and Amazon DynamoDB to prevent duplicate callback requests.
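One way to prevent duplicate callback requests with Lambda and DynamoDB, added here as an example rather than the page's or AWS's own code: a conditional write keyed by the callback number succeeds only when no unexpired request exists, and the flow branches on the returned `CallbackAllowed` attribute. The table name, the 4-hour expiry, and the in-memory stand-in for the DynamoDB table are assumptions made for this example.

```python
import re
import time

E164 = re.compile(r"^\+[1-9]\d{1,14}$")
CALLBACK_TTL_SECONDS = 4 * 60 * 60   # assumed: a pending callback request expires after 4 hours

class ConditionalCheckFailed(Exception):
    """Stands in for botocore's ConditionalCheckFailedException."""

class InMemoryCallbackTable:
    """Constructed stand-in for a DynamoDB table (assumed name: PendingCallbacks) keyed by
    PhoneNumber. A real deployment would call table.put_item(Item=item,
    ConditionExpression="attribute_not_exists(PhoneNumber) OR ExpiresAt < :now",
    ExpressionAttributeValues={":now": now}); the "OR ExpiresAt < :now" clause matters
    because DynamoDB TTL deletion is not immediate, so expired rows may still be present."""
    def __init__(self):
        self.items = {}

    def put_if_absent(self, item, now):
        existing = self.items.get(item["PhoneNumber"])
        if existing is not None and existing["ExpiresAt"] >= now:
            raise ConditionalCheckFailed()
        self.items[item["PhoneNumber"]] = item

    def delete(self, phone):
        self.items.pop(phone, None)

def register_callback(table, phone, contact_id, now=None):
    """Record a callback request unless one is already pending for this number."""
    now = int(time.time() if now is None else now)
    if not E164.match(phone or ""):
        return {"CallbackAllowed": "false", "Reason": "invalid-number"}
    item = {"PhoneNumber": phone, "ContactId": contact_id,
            "RequestedAt": now, "ExpiresAt": now + CALLBACK_TTL_SECONDS}
    try:
        table.put_if_absent(item, now)
    except ConditionalCheckFailed:
        return {"CallbackAllowed": "false", "Reason": "duplicate"}
    return {"CallbackAllowed": "true", "Reason": "registered"}

def release_callback(table, phone):
    """Called from the callback's own flow once it completes, so the number may request again."""
    table.delete(phone)
    return {"CallbackReleased": "true"}

TABLE = InMemoryCallbackTable()

def lambda_handler(event, context=None, table=None):
    """Entry point for the 'Invoke AWS Lambda function' block placed before the callback offer."""
    table = TABLE if table is None else table
    data = event.get("Details", {}).get("ContactData", {})
    phone = data.get("CustomerEndpoint", {}).get("Address")   # the caller's number
    return register_callback(table, phone, data.get("ContactId", "unknown"))

if __name__ == "__main__":
    # Constructed event shaped like the one Amazon Connect sends to Lambda.
    evt = {"Details": {"ContactData": {"ContactId": "contact-1",
           "CustomerEndpoint": {"Type": "TELEPHONE_NUMBER", "Address": "+12025550123"}}}}
    print(lambda_handler(evt), lambda_handler(evt))
```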

## Storage
<a name="storage-co"></a>

With Amazon Connect, you can configure your instance and flows to store call recordings and chat transcripts of caller’s interactions for compliance, quality monitoring, and training purposes. Voice contacts are not recorded unless an agent is connected to the caller. If multiple agents are connected, each will have an associated call recording or transcript. Amazon Connect stores voice recordings in Amazon S3 according to your Amazon S3 Lifecycle policy configuration. With the call recordings stored in Amazon S3, you can use Amazon S3 tiers of storage to manage retention and optimize cost. For example, you can transition objects using Amazon S3 Lifecycle to move call recordings and transcripts over three months old to Amazon Glacier to reduce storage cost.

## Self-service
<a name="selfservice-co"></a>

Amazon Connect’s pay-as-you-go pricing model can result in lower costs as compared to traditional licensing-based contact centers. However, the traditional contact center infrastructure that spans automatic call distribution (ACD) systems, IVR, telephony and workforce management (WFM) systems makes a proportionately small contribution to the overall cost of contact center operations. The largest contributor to the cost of the contact center often comes from human capital and the real estate required to provide an operating environment for your agents. Amazon Connect flows can be used natively with Amazon Lex for NLU, NLP, and ASR and Amazon Polly for lifelike Text-to-Speech (TTS) to build highly engaging user experiences and natural conversational interactions across voice and text. By using an Amazon Lex chatbot in your Amazon Connect call center, callers can perform tasks such as changing a password, requesting a balance on an account, or scheduling an appointment, without needing to speak to an agent. These self-service options result in a better customer experience and lower your cost per contact.

![\[Diagram showing self-service options reducing costs and improving customer experience.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/selfservice.png)


## Click-to-call
<a name="clicktocall-co"></a>

You can use click-to-call in Amazon Connect to initiate a voice call using the [StartOutboundVoiceContact](https://docs.aws.amazon.com/connect/latest/APIReference/API_StartOutboundVoiceContact.html) API after the contact has authenticated through your web or mobile application, reducing call handle times and improving the quality of experience. With this approach, you’re able to offer your contact the ability to bypass IVR authentication and pass contextual information like URLs, recent web/mobile activity, and user data to your flows to create dynamic, personalized experiences. For example, a contact who is browsing your website to purchase an item, or a member of a financial institution who is already authenticated in the mobile app and wants to speak with an agent about a recent transaction.

## Redirect voice contacts to chat
<a name="redirectvoiccecontactstochat-co"></a>

With Amazon Connect, you can allow agents to handle multiple chat conversations simultaneously, where they would only be able to handle one voice conversation. When you don't have a voice agent available, you can send an SMS text message to your customer to offer a link to chat with an agent right away.

## Use softphones instead of deskphones
<a name="softphone-co"></a>

We recommend agents use softphones instead of deskphones. Deskphones have a cost associated with them as the calls and audio are extended to the agents over PSTN.

## Resources
<a name="costoptimization-resources-bp"></a>

**Documentation**
+ [Analyzing Your Costs with Cost Explorer](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ce-what-is.html)
+ [AWS Cloud Economics Center](https://aws.amazon.com/economics/)
+ [What are AWS Cost and Usage Reports](https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html)

**Whitepaper**
+ [Cost Optimization Pillar](https://d0.awsstatic.com/whitepapers/architecture/AWS-Cost-Optimization-Pillar.pdf) 