Corporate firewalls
LiveKit uses WebSocket and WebRTC to transmit data and media. All transmissions are encrypted with TLS and DTLS.
LiveKit Cloud requires access to a few domains in order to establish a connection. If you are behind a corporate firewall, please ensure outbound traffic is allowed to the following addresses and ports:
| Host | Port | Purpose |
|---|---|---|
| *.livekit.cloud | TCP: 443 | Signal connection over secure WebSocket |
| *.turn.livekit.cloud | TCP: 443 | TURN/TLS. Used when UDP connection isn't viable |
| all hosts (optional) | UDP: 3478 | STUN servers that assist in establishing connectivity |
| all hosts (optional) | UDP: 50000-60000 | UDP connection for WebRTC |
In order to obtain the best audio and video quality, we recommend allowing access to the UDP ports listed above. Additionally, please ensure UDP hole-punching is enabled (or disable symmetric NAT). This helps machines behind the firewall to establish a direct connection to a LiveKit Cloud media server.
Minimum requirements
If wildcard hostnames are not allowed by your firewall or security policy, the following are the mimimum set of hostnames required to connect to LiveKit Cloud:
| Host | Port |
|---|---|
| <your-subdomain>.livekit.cloud | TCP: 443 |
| <your-subdomain>.sfo3.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.nyc3.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.fra1.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.sgp1.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.gapnortheasta.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.gapsoutha.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.gapsoutheasta.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.gapwesta.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.gcacentrala.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.geuwesta.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.geucentrala.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.guswesta.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.guscentrala.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.gussoutheasta.production.livekit.cloud | TCP: 443 |
| <your-subdomain>.guseasta.production.livekit.cloud | TCP: 443 |
| sfo3.turn.livekit.cloud | TCP: 443 |
| nyc3.turn.livekit.cloud | TCP: 443 |
| fra1.turn.livekit.cloud | TCP: 443 |
| sgp1.turn.livekit.cloud | TCP: 443 |
| gapnortheasta.turn.livekit.cloud | TCP: 443 |
| gapsoutha.turn.livekit.cloud | TCP: 443 |
| gapsoutheasta.turn.livekit.cloud | TCP: 443 |
| gapwesta.turn.livekit.cloud | TCP: 443 |
| gcacentrala.turn.livekit.cloud | TCP: 443 |
| geuwesta.turn.livekit.cloud | TCP: 443 |
| geucentrala.turn.livekit.cloud | TCP: 443 |
| guswesta.turn.livekit.cloud | TCP: 443 |
| guscentrala.turn.livekit.cloud | TCP: 443 |
| gussoutheasta.turn.livekit.cloud | TCP: 443 |
| guseasta.turn.livekit.cloud | TCP: 443 |
The list of domains is subject to change.
