Ports and Firewall

LiveKit uses several ports to communicate with clients. Exposed ports below need to be open on the firewall.

| Port | Default | Config | Exposed | Description |
| --- | --- | --- | --- | --- |
| API, WebSocket | 7880 | port | no | This port should be placed behind a load balancer that can terminate SSL. LiveKit APIs are homogenous: any client could connect to any backend instance, regardless of the room they are in. |
| ICE/UDP | 50000-60000 | rtc.port_range_start, rtc.port_range_end | yes | LiveKit advertises these ports as WebRTC host candidates (each participant in the room will use two ports) |
| ICE/TCP | 7881 | rtc.tcp_port | yes | Used when the client could not connect via UDP (e.g. VPN, corporate firewalls) |
| ICE/UDP Mux | 7882 | rtc.udp_port | yes | (optional) It's possible to handle all UDP traffic on a single port. When this is set, rtc.port_range_start/end are not used |
| TURN/TLS | 5349 | turn.tls_port | when not using LB | (optional) For a distributed setup, use a network load balancer in front of the port. If not using LB, this port needs to be set to 443. |
| TURN/UDP | 3478 | turn.udp_port | yes | (optional) To use the embedded TURN/UDP server. When enabled, it also serves as a STUN server. |


When hosting in cloud environments, the ports configured above will have to be opened in the firewall.

Navigate to the VPC dashboard, choose Security Groups, and select the security group that LiveKit is deployed to. Open the Inbound rules tab and select Edit Inbound Rules.

[Image: AWS inbound rules]

Then add the following rules (assuming use of default ports):

[Image: AWS add rules]
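
The exposure rules in the table above can be turned into security-group commands mechanically. The following Python is an added example, not LiveKit's own code: it reads the config keys from the table and renders AWS CLI ingress commands. The dict layout, the `turn_behind_lb` flag, the `DEFAULTS` name and the `sg-EXAMPLE` group id are assumptions.

```python
# Added example; key names and default ports follow the table above,
# everything else (dict layout, flag names, group id) is assumed.
DEFAULTS = {"range": (50000, 60000), "tcp": 7881}

def inbound_rules(cfg, turn_behind_lb=False):
    """Return (protocol, port_spec, purpose) rules to expose to clients."""
    rtc, turn = cfg.get("rtc", {}), cfg.get("turn", {})
    rules = []
    # 7880 (API/WebSocket) is intentionally omitted: it stays behind the
    # SSL-terminating load balancer and is not opened to clients directly.
    if rtc.get("udp_port"):
        # UDP mux set: port_range_start/end are not used, so keep them closed.
        rules.append(("udp", str(rtc["udp_port"]), "ICE/UDP Mux"))
    else:
        start = rtc.get("port_range_start", DEFAULTS["range"][0])
        end = rtc.get("port_range_end", DEFAULTS["range"][1])
        if not 0 < start <= end <= 65535:
            raise ValueError(f"invalid ICE/UDP range {start}-{end}")
        rules.append(("udp", f"{start}-{end}", "ICE/UDP"))
    rules.append(("tcp", str(rtc.get("tcp_port", DEFAULTS["tcp"])), "ICE/TCP"))
    if turn.get("udp_port"):
        rules.append(("udp", str(turn["udp_port"]), "TURN/UDP"))
    if turn.get("tls_port") and not turn_behind_lb:
        # Without a load balancer in front, TURN/TLS has to listen on 443.
        if turn["tls_port"] != 443:
            raise ValueError("turn.tls_port must be 443 when no LB is used")
        rules.append(("tcp", "443", "TURN/TLS"))
    return rules

def aws_commands(rules, group_id, cidr="0.0.0.0/0"):
    """Render each rule as an AWS CLI security-group ingress command."""
    return [
        f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
        f"--protocol {proto} --port {ports} --cidr {cidr}  # {why}"
        for proto, ports, why in rules
    ]

if __name__ == "__main__":
    # Constructed sample config using the default ports from the table.
    sample = {"port": 7880,
              "rtc": {"port_range_start": 50000, "port_range_end": 60000,
                      "tcp_port": 7881},
              "turn": {"udp_port": 3478, "tls_port": 5349}}
    rules = inbound_rules(sample, turn_behind_lb=True)
    for line in aws_commands(rules, "sg-EXAMPLE"):
        print(line)
```

Review the printed commands before running them; any port that does not appear in the output should stay closed in the security group.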