SIP networking and firewall configuration

Overview

When you integrate a SIP trunk with Vapi, your firewall and network infrastructure must allow SIP signalling and media (RTP) traffic to flow between your environment and Vapi’s SIP servers. This page provides the complete set of IP addresses, ports, and protocols you need to configure.

In this reference, you’ll find:

All IP addresses and ports used by Vapi for SIP signalling
RTP media port ranges, directionality details, and regional IP behavior
Recommended firewall rules for inbound and outbound traffic

These networking details apply to all SIP trunk integrations with Vapi, regardless of your SIP provider. For provider-specific setup instructions, see the SIP trunking guide.

Quick reference

The table below summarizes every IP address, port, and protocol you need to allowlist. Use the row that matches the Vapi region where your organization is hosted.

Traffic type	Region	Hostname	IP addresses	Ports	Protocol	Direction
SIP signalling	US	`sip.vapi.ai`	`44.229.228.186`, `44.238.177.138`	`5060`	UDP/TCP	Bidirectional
SIP signalling	EU	`sip.eu.vapi.ai`	`63.182.83.170`	`5060`	UDP/TCP	Bidirectional
SIP signalling (TLS)	US	`sip.vapi.ai`	`44.229.228.186`, `44.238.177.138`	`5061`	TLS	Bidirectional
SIP signalling (TLS)	EU	`sip.eu.vapi.ai`	`63.182.83.170`	`5061`	TLS	Bidirectional
RTP media	US	N/A	No static IPs (dynamic)	`40000`-`60000`	UDP	Bidirectional
RTP media	EU	N/A	`63.182.83.170`	`40000`-`60000`	UDP	Bidirectional

Use your region’s SIP hostname when configuring SIP URIs or SIP peers. If your firewall or SIP provider requires IP-based allowlisting, add the static signalling IP addresses for your region. For media, EU traffic can be allowlisted to 63.182.83.170; US media uses dynamic source IPs and should be allowed by UDP port range.

SIP signalling

Vapi’s SIP infrastructure uses static IP addresses for signalling traffic in each region:

Region	Hostname	IP addresses
US	`sip.vapi.ai`	`44.229.228.186/32`, `44.238.177.138/32`
EU	`sip.eu.vapi.ai`	`63.182.83.170/32`

These are the public IPs of Vapi’s SBC (Session Border Controller) nodes. All SIP INVITE, REGISTER, BYE, and other signalling messages originate from and are received at the addresses for your region.

Ports

Port	Protocol	Use case
5060	UDP/TCP	Default SIP signalling. UDP and TCP are both supported in US and EU.
5061	TLS	SIP over TLS (SIPS) signalling.

Use port 5060 unless your provider or security requirements mandate encrypted signalling. For TLS/SIPS in either region, use port 5061 with TLS.

Hostnames and allowlisting

Configure your SIP client or PBX to point to the hostname for your region. For firewall rules and carrier allowlists, use the static IP addresses listed for your region. In the EU, sip.eu.vapi.ai currently resolves to 63.182.83.170.

Allowlist every IP address for your region explicitly. DNS A records may not match every static IP that Vapi can use for carrier or firewall allowlisting.

Do not use sip-web.eu.vapi.ai for SIP signalling or media. It is used for portal and API traffic and resolves through Cloudflare/WAF, not to Vapi’s SIP infrastructure.

SIP media (RTP)

RTP media IP behavior depends on your region:

US: Vapi does not use static IP addresses for RTP media. Media source IPs are dynamically assigned and may change between calls.
EU: RTP media uses the same static public IP as SIP signalling: 63.182.83.170.

For US RTP media, allow traffic based on port ranges rather than specific source IPs. For EU RTP media, allowlist 63.182.83.170 with the full UDP port range.

Port range

Vapi uses UDP ports 40000 through 60000 for RTP media traffic.

Setting	Value
Local RTP port range	`40000`-`60000` (UDP)
Direction	Bidirectional

Inbound RTP: Vapi listens on ports 40000-60000 for incoming media packets.
Outbound RTP: Vapi sends media from ports in the 40000-60000 range. The destination IP and port are determined by the remote SDP offer/answer, so Vapi can send to any IP and port your provider advertises.

Vapi does not restrict the remote RTP port range. Your provider may use any port for its RTP traffic. The 40000-60000 range applies only to Vapi’s local ports.

Firewall rules

Configure your firewall to allow the following traffic. Every SIP signalling IP address for your region must be allowlisted. For RTP media, allow traffic on the full port range. US media uses dynamic IPs; EU media uses 63.182.83.170.

Inbound rules (traffic from Vapi to your network)

Allow these if your SIP provider or PBX needs to receive traffic from Vapi:

Rule	Region	Source IP	Destination	Port(s)	Protocol
SIP signalling	US	`44.229.228.186`, `44.238.177.138`	Your SIP server	`5060`	UDP/TCP
SIP signalling	EU	`63.182.83.170`	Your SIP server	`5060`	UDP/TCP
SIP signalling (TLS)	US	`44.229.228.186`, `44.238.177.138`	Your SIP server	`5061`	TLS
SIP signalling (TLS)	EU	`63.182.83.170`	Your SIP server	`5061`	TLS
RTP media	US	Any (dynamic)	Your media server	`40000`-`60000`	UDP
RTP media	EU	`63.182.83.170`	Your media server	`40000`-`60000`	UDP

Outbound rules (traffic from your network to Vapi)

Allow these if your firewall restricts outbound connections:

Rule	Region	Source	Destination IP	Port(s)	Protocol
SIP signalling	US	Your SIP server	`44.229.228.186`, `44.238.177.138`	`5060`	UDP/TCP
SIP signalling	EU	Your SIP server	`63.182.83.170`	`5060`	UDP/TCP
SIP signalling (TLS)	US	Your SIP server	`44.229.228.186`, `44.238.177.138`	`5061`	TLS
SIP signalling (TLS)	EU	Your SIP server	`63.182.83.170`	`5061`	TLS
RTP media	US	Your media server	Any (dynamic)	`40000`-`60000`	UDP
RTP media	EU	Your media server	`63.182.83.170`	`40000`-`60000`	UDP

Allow every SIP signalling IP address for your region in your firewall rules. For RTP media, configure your firewall to allow the full port range (40000-60000 UDP). US RTP media uses dynamic IPs. EU RTP media uses 63.182.83.170. Contact support if you need a stricter media firewall policy.

FAQ

Can I use DNS instead of IP addresses in my firewall rules?

Use your region’s hostname for SIP URI and peer configuration. For IP-based firewall rules, add the static IP addresses for your region explicitly. DNS-based firewall rules depend on TTL and caching behavior, and DNS A records may not match every static IP that Vapi can use for allowlisting. US RTP media uses dynamic IPs that cannot be resolved via DNS. EU RTP media uses 63.182.83.170.

Do I need to open the full 40000-60000 port range?

Yes. Vapi’s RTP stack dynamically allocates ports within this range for each call. You cannot predict which specific port a given call will use, so the entire range must be open for reliable media flow.

Are the signalling and media IPs the same?

It depends on the region. In the EU, SIP signalling and RTP media both use 63.182.83.170. In the US, SIP signalling uses static IP addresses, but RTP media source IPs are dynamically assigned and may vary between calls.

Does Vapi support SRTP (encrypted media)?

Vapi supports TLS for SIP signalling on port 5061 in both US and EU regions. For encrypted media (SRTP), configure your SIP trunk gateway with the tls/srtp outbound protocol option. See the gateway configuration reference for details.

What do SIP 403 and 404 responses mean?

These are standard SIP response codes. A 403 Forbidden usually means your request was refused, most often because IP allowlisting or authentication failed. A 404 Not Found usually means the request could not be matched to an account or called number. If you receive a 403, confirm that your region’s signalling IP addresses are allowlisted. If you receive a 404, confirm the called number is configured in Vapi.

Next steps

Now that you have your network configured for Vapi SIP traffic:

Set up a SIP trunk: Follow the SIP trunking guide to create your trunk credential and phone number
Configure a provider: Set up with Twilio, Telnyx, Plivo, or Zadarma
Troubleshoot errors: Resolve gateway issues with the SIP trunk credential troubleshooting guide