Configuring firewalls

Corporate firewalls

LiveKit uses WebSocket and WebRTC to transmit data and media. All transmissions are encrypted with TLS and DTLS.

LiveKit Cloud requires access to a few domains in order to establish a connection. If you are behind a corporate firewall, please ensure outbound traffic is allowed to the following addresses and ports:

*.livekit.cloudTCP: 443Signal connection over secure WebSocket
*.turn.livekit.cloudTCP: 443TURN/TLS. Used when UDP connection isn't viable
*.host.livekit.cloudUDP: 3478TURN/UDP servers that assist in establishing connectivity
all hosts (optional)UDP: 50000-60000UDP connection for WebRTC

In order to obtain the best audio and video quality, we recommend allowing access to the UDP ports listed above. Additionally, please ensure UDP hole-punching is enabled (or disable symmetric NAT). This helps machines behind the firewall to establish a direct connection to a LiveKit Cloud media server.

Minimum requirements

If wildcard hostnames are not allowed by your firewall or security policy, the following are the mimimum set of hostnames required to connect to LiveKit Cloud:

<your-subdomain>.livekit.cloudTCP 443
<your-subdomain>.sfo3.production.livekit.cloudTCP 443
<your-subdomain>.dfra1a.production.livekit.cloudTCP 443
<your-subdomain>.dblr1a.production.livekit.cloudTCP 443
<your-subdomain>.dsgp1a.production.livekit.cloudTCP 443
<your-subdomain>.dsyd1a.production.livekit.cloudTCP 443
<your-subdomain>.osaopaulo1a.production.livekit.cloudTCP 443
<your-subdomain>.oashburn1a.production.livekit.cloudTCP 443
<your-subdomain>.omarseille1a.production.livekit.cloudTCP 443
<your-subdomain>.ofrankfurt1a.production.livekit.cloudTCP 443
<your-subdomain>.otokyo1a.production.livekit.cloudTCP 443
<your-subdomain>.ophoenix1a.production.livekit.cloudTCP 443
<your-subdomain>.olondon1a.production.livekit.cloudTCP 443
<your-subdomain>.ochicago1a.production.livekit.cloudTCP 443
sfo3.turn.livekit.cloudTCP 443
dfra1a.turn.livekit.cloudTCP 443
dblr1a.turn.livekit.cloudTCP 443
dsgp1a.turn.livekit.cloudTCP 443
dsyd1a.turn.livekit.cloudTCP 443
osaopaulo1a.turn.livekit.cloudTCP 443
oashburn1a.turn.livekit.cloudTCP 443
omarseille1a.turn.livekit.cloudTCP 443
ofrankfurt1a.turn.livekit.cloudTCP 443
otokyo1a.turn.livekit.cloudTCP 443
ophoenix1a.turn.livekit.cloudTCP 443
olondon1a.turn.livekit.cloudTCP 443
ochicago1a.turn.livekit.cloudTCP 443

This list of domains is subject to change. Last updated 2024-05-14.