Configuring firewalls

Corporate firewalls

LiveKit uses WebSocket and WebRTC to transmit data and media. All transmissions are encrypted with TLS and DTLS.

LiveKit Cloud requires access to a few domains in order to establish a connection. If you are behind a corporate firewall, please ensure outbound traffic is allowed to the following addresses and ports:

| Host | Port | Purpose |
| --- | --- | --- |
| *.livekit.cloud | TCP: 443 | Signal connection over secure WebSocket |
| *.turn.livekit.cloud | TCP: 443 | TURN/TLS. Used when UDP connection isn't viable |
| all hosts (optional) | UDP: 3478 | STUN servers that assist in establishing connectivity |
| all hosts (optional) | UDP: 50000-60000 | UDP connection for WebRTC |

In order to obtain the best audio and video quality, we recommend allowing access to the UDP ports listed above. Additionally, please ensure UDP hole-punching is enabled (or disable symmetric NAT). This helps machines behind the firewall to establish a direct connection to a LiveKit Cloud media server.

Minimum requirements

If wildcard hostnames are not allowed by your firewall or security policy, the following is the minimum set of hostnames required to connect to LiveKit Cloud:

| Host | Port |
| --- | --- |
| <your-subdomain>.livekit.cloud | TCP: 443 |
| sfo3.turn.livekit.cloud | TCP: 443 |
| nyc3.turn.livekit.cloud | TCP: 443 |
| fra1.turn.livekit.cloud | TCP: 443 |
| sgp1.turn.livekit.cloud | TCP: 443 |
| lapnortheasta.turn.livekit.cloud | TCP: 443 |
| lapsoutha.turn.livekit.cloud | TCP: 443 |
| lapsoutheasta.turn.livekit.cloud | TCP: 443 |
| lapwesta.turn.livekit.cloud | TCP: 443 |
| lcacentrala.turn.livekit.cloud | TCP: 443 |
| leuwesta.turn.livekit.cloud | TCP: 443 |
| leucentrala.turn.livekit.cloud | TCP: 443 |
| luswesta.turn.livekit.cloud | TCP: 443 |
| luscentrala.turn.livekit.cloud | TCP: 443 |
| lussoutheasta.turn.livekit.cloud | TCP: 443 |
| luseasta.turn.livekit.cloud | TCP: 443 |

The list of domains is subject to change.
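
To confirm that an egress allowlist built from the table above actually lets the TURN/TLS hosts through, the following added example (not LiveKit's own tooling) probes each host on TCP 443 from inside the network and classifies the result. The function names and the status labels are assumptions of this example; the hostnames are copied from the table and should be refreshed if the list changes.

```python
import socket

# TURN/TLS hosts copied from the minimum-requirements table on this page.
# Append your own <your-subdomain>.livekit.cloud signal host before running.
TURN_REGIONS = """
sfo3 nyc3 fra1 sgp1 lapnortheasta lapsoutha lapsoutheasta lapwesta
lcacentrala leuwesta leucentrala luswesta luscentrala lussoutheasta luseasta
""".split()
REQUIRED = [(f"{name}.turn.livekit.cloud", 443) for name in TURN_REGIONS]


def probe(host, port, timeout=3.0):
    """Classify one outbound TCP attempt: ok, dns, refused, timeout or error."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"              # name did not resolve (DNS filtering or typo)
    last = "error"
    for family, kind, proto, _, sockaddr in addrs:
        with socket.socket(family, kind, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                return "ok"       # TCP handshake completed
            except socket.timeout:
                last = "timeout"  # packets silently dropped, typical of a deny rule
            except ConnectionRefusedError:
                last = "refused"  # connection actively rejected with a reset
            except OSError:
                last = "error"    # e.g. no route to host
    return last


def check(targets, timeout=3.0):
    """Return {(host, port): status} for every target."""
    return {(h, p): probe(h, p, timeout) for h, p in targets}


def blocked(results):
    """Targets that did not complete a TCP handshake, sorted for reporting."""
    return sorted(t for t, status in results.items() if status != "ok")


if __name__ == "__main__":
    for (host, port), status in sorted(check(REQUIRED).items()):
        print(f"{host}:{port}\t{status}")
```

A status of `ok` only shows that the TCP handshake on port 443 completed; it does not show that the TLS session passes through the firewall unmodified.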