LiveKit uses several ports to communicate with clients. Exposed ports below need to be open on the firewall.

| Port | Default | Exposed | Description |
|---|---|---|---|
| API, WebSocket | 7880 | no | This port should be placed behind a load balancer that can terminate SSL. LiveKit APIs are homogenous: any client could connect to any backend instance, regardless of the room they are in. |
| ICE/UDP | 50000-60000 | yes | LiveKit advertises these ports as WebRTC host candidates (each participant in the room will use two ports). |
| ICE/TCP | 7881 | yes | Used when the client could not connect via UDP (e.g. VPN, corporate firewalls). |
| ICE/UDP Mux | 7882 | yes | (optional) It's possible to handle all UDP traffic on a single port. When this is set, rtc.port_range_start/end are not used. |
| TURN/TLS | 5349 | when not using LB | (optional) For a distributed setup, use a network load balancer in front of the port. If not using LB, this port needs to be set to 443. |

When hosting in cloud environments, the ports configured above will have to be opened in the firewall.
- Google Cloud
- Digital Ocean
Navigate to the VPC dashboard, choose Security Groups, and select the security group that LiveKit is deployed to. Open the Inbound rules tab and select Edit Inbound Rules.
Then add the following rules (assuming use of default ports):
Navigate to VPC network, then select Firewall on the left. Then select Create Firewall Rule in the top menu.
The firewall rule should look something like this:
By default, Droplets are not placed behind a firewall, as long as they have a public IP address.
If using a firewall, ensure the inbound rules are edited to match the required ports.
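
One way to check a firewall's inbound rules against the port table above, as an added example that is not part of the LiveKit documentation. The rule dictionaries (`proto`, `from`, `to`, `source`) are a hypothetical provider-neutral format, the sample rule sets are constructed, default ports are assumed, and the optional TURN/TLS port is not checked.

```python
PUBLIC = {"0.0.0.0/0", "::/0"}  # sources treated as "open to the internet"

def _overlaps(rule, proto, lo, hi):
    return rule["proto"] == proto and rule["from"] <= hi and rule["to"] >= lo

def _covers(rule, proto, lo, hi):
    return rule["proto"] == proto and rule["from"] <= lo and rule["to"] >= hi

def audit(rules, udp_mux=False):
    """Return findings for inbound rules, using the default ports from the table."""
    public = [r for r in rules if r["source"] in PUBLIC]
    # Ports the table marks as exposed. With ICE/UDP Mux set, the single mux
    # port replaces the 50000-60000 host-candidate range.
    required = [("tcp", 7881, 7881, "ICE/TCP")]
    required.append(("udp", 7882, 7882, "ICE/UDP Mux") if udp_mux
                    else ("udp", 50000, 60000, "ICE/UDP"))
    findings = []
    for proto, lo, hi, name in required:
        # Simplification: a single rule must cover the whole range.
        if not any(_covers(r, proto, lo, hi) for r in public):
            findings.append(f"MISSING {name} {proto}/{lo}-{hi}")
    for r in public:
        # The table lists 7880 as not exposed: it belongs behind the load balancer.
        if _overlaps(r, "tcp", 7880, 7880):
            findings.append("EXPOSED API/WebSocket tcp/7880 is reachable publicly")
        # The port range is not used once the mux port is set, so close it.
        if udp_mux and _overlaps(r, "udp", 50000, 60000):
            findings.append("UNUSED ICE/UDP range open while UDP mux is set")
    return findings

# Constructed sample rule sets (not taken from any real deployment).
GOOD = [
    {"proto": "tcp", "from": 7881, "to": 7881, "source": "0.0.0.0/0"},
    {"proto": "udp", "from": 50000, "to": 60000, "source": "0.0.0.0/0"},
    {"proto": "tcp", "from": 7880, "to": 7880, "source": "10.0.0.0/16"},  # LB subnet only
]
TOO_OPEN = [
    {"proto": "tcp", "from": 7000, "to": 8000, "source": "0.0.0.0/0"},  # sweeps in 7880
    {"proto": "udp", "from": 50000, "to": 60000, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("TOO_OPEN", TOO_OPEN)):
        print(name, audit(rules) or "ok")
```
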