Skip to main content

Configuring firewalls

Learn how to configure firewalls for LiveKit Cloud.

On this page

Corporate firewallsMinimum requirementsStatic IPsFrequently asked questionsWhy am I seeing IPs outside the region I expect?Does the static IP guarantee include TURN?

Corporate firewalls

LiveKit uses WebSocket and WebRTC to transmit data and media. All transmissions are encrypted with TLS  and DTLS .

LiveKit Cloud requires access to a few domains in order to establish a connection. If you are behind a corporate firewall, please ensure outbound traffic is allowed to the following addresses and ports:

HostPortPurpose
*.livekit.cloudTCP: 443Signal connection over secure WebSocket
*.turn.livekit.cloudTCP: 443TURN /TLS. Used when UDP connection isn't viable
*.host.livekit.cloudUDP: 3478TURN/UDP servers that assist in establishing connectivity
all hosts (recommended)UDP: 50000-60000UDP connection for WebRTC
all hosts (recommended)TCP: 7881TCP connection for WebRTC

In order to obtain the best audio and video quality, LiveKit recommends allowing access to the UDP ports listed above. Additionally, please ensure UDP hole-punching is enabled (or disable symmetric NAT). This helps machines behind the firewall to establish a direct connection to a LiveKit Cloud media server.

Minimum requirements

If wildcard hostnames are not allowed by your firewall or security policy, the following are the minimum set of hostnames required to connect to LiveKit Cloud:

HostPort
<your-subdomain>.livekit.cloudTCP 443
<your-subdomain>.sfo3.production.livekit.cloudTCP 443
<your-subdomain>.dsfo3a.production.livekit.cloudTCP 443
<your-subdomain>.dsfo3b.production.livekit.cloudTCP 443
<your-subdomain>.dfra1a.production.livekit.cloudTCP 443
<your-subdomain>.dfra1b.production.livekit.cloudTCP 443
<your-subdomain>.dblr1a.production.livekit.cloudTCP 443
<your-subdomain>.dblr1b.production.livekit.cloudTCP 443
<your-subdomain>.dsgp1a.production.livekit.cloudTCP 443
<your-subdomain>.dsgp1b.production.livekit.cloudTCP 443
<your-subdomain>.dsyd1a.production.livekit.cloudTCP 443
<your-subdomain>.dsyd1b.production.livekit.cloudTCP 443
<your-subdomain>.osaopaulo1a.production.livekit.cloudTCP 443
<your-subdomain>.osaopaulo1b.production.livekit.cloudTCP 443
<your-subdomain>.oashburn1a.production.livekit.cloudTCP 443
<your-subdomain>.oashburn1b.production.livekit.cloudTCP 443
<your-subdomain>.omarseille1a.production.livekit.cloudTCP 443
<your-subdomain>.omarseille1b.production.livekit.cloudTCP 443
<your-subdomain>.otokyo1a.production.livekit.cloudTCP 443
<your-subdomain>.otokyo1b.production.livekit.cloudTCP 443
<your-subdomain>.ophoenix1a.production.livekit.cloudTCP 443
<your-subdomain>.ophoenix1b.production.livekit.cloudTCP 443
<your-subdomain>.olondon1a.production.livekit.cloudTCP 443
<your-subdomain>.olondon1b.production.livekit.cloudTCP 443
<your-subdomain>.ochicago1a.production.livekit.cloudTCP 443
<your-subdomain>.ochicago1b.production.livekit.cloudTCP 443
<your-subdomain>.osingapore1a.production.livekit.cloudTCP 443
<your-subdomain>.osingapore1b.production.livekit.cloudTCP 443
<your-subdomain>.odubai1a.production.livekit.cloudTCP 443
<your-subdomain>.odubai1b.production.livekit.cloudTCP 443
<your-subdomain>.ohyderabad1a.production.livekit.cloudTCP 443
<your-subdomain>.ohyderabad1b.production.livekit.cloudTCP 443
<your-subdomain>.ojohannesburg1a.production.livekit.cloudTCP 443
<your-subdomain>.ojohannesburg1b.production.livekit.cloudTCP 443
<your-subdomain>.omumbai1a.production.livekit.cloudTCP 443
<your-subdomain>.omumbai1b.production.livekit.cloudTCP 443
<your-subdomain>.ofrankfurt1a.production.livekit.cloudTCP 443
<your-subdomain>.ofrankfurt1b.production.livekit.cloudTCP 443
<your-subdomain>.ojerusalem1a.production.livekit.cloudTCP 443
<your-subdomain>.ojerusalem1b.production.livekit.cloudTCP 443
<your-subdomain>.osydney1a.production.livekit.cloudTCP 443
<your-subdomain>.osydney1b.production.livekit.cloudTCP 443
<your-subdomain>.ozurich1a.production.livekit.cloudTCP 443
<your-subdomain>.ozurich1b.production.livekit.cloudTCP 443
<your-subdomain>.osanjose1a.production.livekit.cloudTCP 443
<your-subdomain>.osanjose1b.production.livekit.cloudTCP 443
<your-subdomain>.ojeddah1a.production.livekit.cloudTCP 443
<your-subdomain>.ojeddah1b.production.livekit.cloudTCP 443
<your-subdomain>.oosaka1a.production.livekit.cloudTCP 443
<your-subdomain>.oosaka1b.production.livekit.cloudTCP 443
<your-subdomain>.turn.livekit.cloudTCP 443
sfo3.turn.livekit.cloudTCP 443
dsfo3a.turn.livekit.cloudTCP 443
dsfo3b.turn.livekit.cloudTCP 443
dfra1a.turn.livekit.cloudTCP 443
dfra1b.turn.livekit.cloudTCP 443
dblr1a.turn.livekit.cloudTCP 443
dblr1b.turn.livekit.cloudTCP 443
dsgp1a.turn.livekit.cloudTCP 443
dsgp1b.turn.livekit.cloudTCP 443
dsyd1a.turn.livekit.cloudTCP 443
dsyd1b.turn.livekit.cloudTCP 443
osaopaulo1a.turn.livekit.cloudTCP 443
osaopaulo1b.turn.livekit.cloudTCP 443
oashburn1a.turn.livekit.cloudTCP 443
oashburn1b.turn.livekit.cloudTCP 443
omarseille1a.turn.livekit.cloudTCP 443
omarseille1b.turn.livekit.cloudTCP 443
otokyo1a.turn.livekit.cloudTCP 443
otokyo1b.turn.livekit.cloudTCP 443
ophoenix1a.turn.livekit.cloudTCP 443
ophoenix1b.turn.livekit.cloudTCP 443
olondon1a.turn.livekit.cloudTCP 443
olondon1b.turn.livekit.cloudTCP 443
ochicago1a.turn.livekit.cloudTCP 443
ochicago1b.turn.livekit.cloudTCP 443
osingapore1a.turn.livekit.cloudTCP 443
osingapore1b.turn.livekit.cloudTCP 443
odubai1a.turn.livekit.cloudTCP 443
odubai1b.turn.livekit.cloudTCP 443
ohyderabad1a.turn.livekit.cloudTCP 443
ohyderabad1b.turn.livekit.cloudTCP 443
ojohannesburg1a.turn.livekit.cloudTCP 443
ojohannesburg1b.turn.livekit.cloudTCP 443
omumbai1a.turn.livekit.cloudTCP 443
omumbai1b.turn.livekit.cloudTCP 443
ofrankfurt1a.turn.livekit.cloudTCP 443
ofrankfurt1b.turn.livekit.cloudTCP 443
ojerusalem1a.turn.livekit.cloudTCP 443
ojerusalem1b.turn.livekit.cloudTCP 443
osydney1a.turn.livekit.cloudTCP 443
osydney1b.turn.livekit.cloudTCP 443
ozurich1a.turn.livekit.cloudTCP 443
ozurich1b.turn.livekit.cloudTCP 443
osanjose1a.turn.livekit.cloudTCP 443
osanjose1b.turn.livekit.cloudTCP 443
ojeddah1a.turn.livekit.cloudTCP 443
ojeddah1b.turn.livekit.cloudTCP 443
oosaka1a.turn.livekit.cloudTCP 443
oosaka1b.turn.livekit.cloudTCP 443
Note

This list of domains is subject to change. Last updated 2026-03-09.

Static IPs

Static IPs are currently available for the following regions:

RegionIP blocks
EU143.223.88.0/21 161.115.160.0/19
India143.223.88.0/21 161.115.160.0/19
US143.223.88.0/21 161.115.160.0/19
Note

All other regions must use wildcard domains.

Static IPs apply to the following services:

  • Realtime
  • SIP signalling and media
  • Webhooks

Frequently asked questions

Why am I seeing IPs outside the region I expect?

LiveKit's default DNS address, like <subdomain>.livekit.cloud, resolves to the cluster closest to the connecting client. If the client is outside an EU, US, or India, that cluster might not be covered by the static IP ranges above.

To force connections into a covered region, connect using regional addresses:

  • <subdomain>.eu.rtc.livekit.cloud
  • <subdomain>.us.rtc.livekit.cloud
  • <subdomain>.india.rtc.livekit.cloud

The same region prefix works for service-specific subdomains, including *.eu.turn.livekit.cloud and *.eu.sip.livekit.cloud. Region DNS only exists with a service in the name; there is no eu.livekit.cloud without a service prefix.

For example, if your project is region-pinned to the US and an end user connects from London, the default <subdomain>.livekit.cloud lookup may resolve to a London cluster outside the static IP range. Pointing the client to wss://<subdomain>.us.rtc.livekit.cloud keeps the connection on US infrastructure and inside the static range.

For details on protocol-level region selection, see Region pinning.

Does the static IP guarantee include TURN?

Yes. In the EU, US, and India regions, traffic for all services, including TURN, egresses from the static IP ranges as long as the client connects via region DNS such as *.eu.turn.livekit.cloud.

Outside those regions, traffic for TURN and other services egresses from cluster IPs that aren't part of the static guarantee.