Configuring firewalls

How to connect into realtime interview from your corporate secured network.

Written By Jozef

Last updated 1 day ago

JobMojito for the realtime conversation uses LiveKit Cloud.

Corporate firewalls

LiveKit uses WebSocket and WebRTC to transmit data and media. All transmissions are encrypted with TLS and DTLS .

LiveKit Cloud requires access to a few domains in order to establish a connection. If you are behind a corporate firewall, please ensure outbound traffic is allowed to the following addresses and ports:

		HOSTPORTPURPOSE
*.livekit.cloud	TCP: 443	Signal connection over secure WebSocket
*.turn.livekit.cloud	TCP: 443	TURN /TLS. Used when UDP connection isn't viable
*.host.livekit.cloud	UDP: 3478	TURN/UDP servers that assist in establishing connectivity
all hosts (recommended)	UDP: 50000-60000	UDP connection for WebRTC
all hosts (recommended)	TCP: 7881	TCP connection for WebRTC

In order to obtain the best audio and video quality, LiveKit recommends allowing access to the UDP ports listed above. Additionally, please ensure UDP hole-punching is enabled (or disable symmetric NAT). This helps machines behind the firewall to establish a direct connection to a LiveKit Cloud media server.

Minimum requirements

If wildcard hostnames are not allowed by your firewall or security policy, the following are the minimum set of hostnames required to connect to LiveKit Cloud:

	HOSTPORT
`jobmojito-aws-production-swjxp9ce.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.sfo3.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.dsfo3a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.dsfo3b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.dfra1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.dfra1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.dblr1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.dblr1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.dsgp1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.dsgp1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.dsyd1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.dsyd1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.osaopaulo1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.osaopaulo1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.oashburn1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.oashburn1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.omarseille1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.omarseille1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.otokyo1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.otokyo1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ophoenix1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ophoenix1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.olondon1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.olondon1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ochicago1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ochicago1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.osingapore1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.osingapore1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.odubai1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.odubai1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ohyderabad1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ohyderabad1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ojohannesburg1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ojohannesburg1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.omumbai1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.omumbai1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ofrankfurt1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ofrankfurt1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ojerusalem1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ojerusalem1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.osydney1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.osydney1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ozurich1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ozurich1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.osanjose1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.osanjose1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ojeddah1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.ojeddah1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.oosaka1a.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.oosaka1b.production.livekit.cloud`	TCP 443
`jobmojito-aws-production-swjxp9ce.turn.livekit.cloud`	TCP 443
`sfo3.turn.livekit.cloud`	TCP 443
`dsfo3a.turn.livekit.cloud`	TCP 443
`dsfo3b.turn.livekit.cloud`	TCP 443
`dfra1a.turn.livekit.cloud`	TCP 443
`dfra1b.turn.livekit.cloud`	TCP 443
`dblr1a.turn.livekit.cloud`	TCP 443
`dblr1b.turn.livekit.cloud`	TCP 443
`dsgp1a.turn.livekit.cloud`	TCP 443
`dsgp1b.turn.livekit.cloud`	TCP 443
`dsyd1a.turn.livekit.cloud`	TCP 443
`dsyd1b.turn.livekit.cloud`	TCP 443
`osaopaulo1a.turn.livekit.cloud`	TCP 443
`osaopaulo1b.turn.livekit.cloud`	TCP 443
`oashburn1a.turn.livekit.cloud`	TCP 443
`oashburn1b.turn.livekit.cloud`	TCP 443
`omarseille1a.turn.livekit.cloud`	TCP 443
`omarseille1b.turn.livekit.cloud`	TCP 443
`otokyo1a.turn.livekit.cloud`	TCP 443
`otokyo1b.turn.livekit.cloud`	TCP 443
`ophoenix1a.turn.livekit.cloud`	TCP 443
`ophoenix1b.turn.livekit.cloud`	TCP 443
`olondon1a.turn.livekit.cloud`	TCP 443
`olondon1b.turn.livekit.cloud`	TCP 443
`ochicago1a.turn.livekit.cloud`	TCP 443
`ochicago1b.turn.livekit.cloud`	TCP 443
`osingapore1a.turn.livekit.cloud`	TCP 443
`osingapore1b.turn.livekit.cloud`	TCP 443
`odubai1a.turn.livekit.cloud`	TCP 443
`odubai1b.turn.livekit.cloud`	TCP 443
`ohyderabad1a.turn.livekit.cloud`	TCP 443
`ohyderabad1b.turn.livekit.cloud`	TCP 443
`ojohannesburg1a.turn.livekit.cloud`	TCP 443
`ojohannesburg1b.turn.livekit.cloud`	TCP 443
`omumbai1a.turn.livekit.cloud`	TCP 443
`omumbai1b.turn.livekit.cloud`	TCP 443
`ofrankfurt1a.turn.livekit.cloud`	TCP 443
`ofrankfurt1b.turn.livekit.cloud`	TCP 443
`ojerusalem1a.turn.livekit.cloud`	TCP 443
`ojerusalem1b.turn.livekit.cloud`	TCP 443
`osydney1a.turn.livekit.cloud`	TCP 443
`osydney1b.turn.livekit.cloud`	TCP 443
`ozurich1a.turn.livekit.cloud`	TCP 443
`ozurich1b.turn.livekit.cloud`	TCP 443
`osanjose1a.turn.livekit.cloud`	TCP 443
`osanjose1b.turn.livekit.cloud`	TCP 443
`ojeddah1a.turn.livekit.cloud`	TCP 443
`ojeddah1b.turn.livekit.cloud`	TCP 443
`oosaka1a.turn.livekit.cloud`	TCP 443
`oosaka1b.turn.livekit.cloud`	TCP 443

Note

This list of domains is subject to change. Last updated 2026-03-09.

Frequently asked questions

Why am I seeing IPs outside the region I expect?

LiveKit's default DNS address, like jobmojito-aws-production-swjxp9ce.livekit.cloud, resolves to the cluster closest to the connecting client. If the client is outside an EU, US, or India, that cluster might not be covered by the static IP ranges above.

To force connections into a covered region, connect using regional addresses:

jobmojito-aws-production-swjxp9ce.eu.rtc.livekit.cloud
jobmojito-aws-production-swjxp9ce.us.rtc.livekit.cloud
jobmojito-aws-production-swjxp9ce.india.rtc.livekit.cloud

The same region prefix works for service-specific subdomains, including *.eu.turn.livekit.cloud and *.eu.sip.livekit.cloud. Region DNS only exists with a service in the name; there is no eu.livekit.cloud without a service prefix.

For example, if your project is region-pinned to the US and an end user connects from London, the default jobmojito-aws-production-swjxp9ce.livekit.cloud lookup may resolve to a London cluster outside the static IP range. Pointing the client to wss://jobmojito-aws-production-swjxp9ce.us.rtc.livekit.cloudkeeps the connection on US infrastructure and inside the static range.