Phone numbersSIP integration

SIP networking and firewall configuration

Learn to configure your network to allow SIP signalling and media traffic with Vapi

Overview

When you integrate a SIP trunk with Vapi, your firewall and network infrastructure must allow SIP signalling and media (RTP) traffic to flow between your environment and Vapi’s SIP servers. This page provides the complete set of IP addresses, ports, and protocols you need to configure.

In this reference, you’ll find:

  • All IP addresses and ports used by Vapi for SIP signalling
  • RTP media port ranges, directionality details, and dynamic IP behavior
  • Recommended firewall rules for inbound and outbound traffic

These networking details apply to all SIP trunk integrations with Vapi, regardless of your SIP provider. For provider-specific setup instructions, see the SIP trunking guide.

Quick reference

The table below summarizes every IP address, port, and protocol you need to allowlist.

Traffic typeIP addressesPortsProtocolDirection
SIP signalling44.229.228.186, 44.238.177.1385060UDPBidirectional
SIP signalling (TLS)44.229.228.186, 44.238.177.1385061TLSBidirectional
RTP mediaNo static IPs (dynamic)40000-60000UDPBidirectional

You can also use the DNS hostname sip.vapi.ai, which resolves to the SIP signalling IP addresses listed above.

SIP signalling

Vapi’s SIP infrastructure uses two static IP addresses for all signalling traffic:

  • 44.229.228.186/32
  • 44.238.177.138/32

These are the public IPs of Vapi’s SBC (Session Border Controller) nodes. All SIP INVITE, REGISTER, BYE, and other signalling messages originate from and are received at these addresses.

Ports

PortProtocolUse case
5060UDPDefault SIP signalling
5061TLSSIP over TLS (SIPS) for encrypted signalling

Use port 5060 unless your provider or security requirements mandate encrypted signalling, in which case use port 5061 with TLS.

DNS resolution

The hostname sip.vapi.ai resolves to both signalling IP addresses. You can configure your SIP client or PBX to point to sip.vapi.ai instead of using the IP addresses directly.

If your firewall rules are IP-based, allowlist both IP addresses explicitly rather than relying on DNS resolution. DNS-based rules may not update immediately if the resolution changes.

SIP media (RTP)

Vapi does not use static IP addresses for RTP media (voice audio). The media source IP addresses are dynamically assigned and may change between calls. Because of this, you should not rely on allowlisting specific IPs for RTP media traffic.

Unlike SIP signalling, RTP media does not originate from a fixed set of IP addresses. Your firewall rules for RTP media should allow traffic based on port ranges rather than specific source IPs.

Port range

Vapi uses UDP ports 40000 through 60000 for RTP media traffic.

SettingValue
Local RTP port range40000-60000 (UDP)
DirectionBidirectional
  • Inbound RTP: Vapi listens on ports 40000-60000 for incoming media packets.
  • Outbound RTP: Vapi sends media from ports in the 40000-60000 range. The destination IP and port are determined by the remote SDP offer/answer, so Vapi can send to any IP and port your provider advertises.

Vapi does not restrict the remote RTP port range. Your provider may use any port for its RTP traffic. The 40000-60000 range applies only to Vapi’s local ports.

Firewall rules

Configure your firewall to allow the following traffic. Both SIP signalling IP addresses must be allowlisted, as Vapi may use either one for any given call. For RTP media, allow traffic on the full port range without IP restrictions since Vapi uses dynamic IPs for media.

Inbound rules (traffic from Vapi to your network)

Allow these if your SIP provider or PBX needs to receive traffic from Vapi:

RuleSource IPDestinationPort(s)Protocol
SIP signalling44.229.228.186, 44.238.177.138Your SIP server5060UDP
SIP signalling (TLS)44.229.228.186, 44.238.177.138Your SIP server5061TLS
RTP mediaAny (dynamic)Your media server40000-60000UDP

Outbound rules (traffic from your network to Vapi)

Allow these if your firewall restricts outbound connections:

RuleSourceDestination IPPort(s)Protocol
SIP signallingYour SIP server44.229.228.186, 44.238.177.1385060UDP
SIP signalling (TLS)Your SIP server44.229.228.186, 44.238.177.1385061TLS
RTP mediaYour media serverAny (dynamic)40000-60000UDP

Both SIP signalling IP addresses must be allowed in your firewall rules. Vapi may use either address for signalling on any given call. Missing one address can cause intermittent call failures. For RTP media, since Vapi uses dynamic IPs, configure your firewall to allow the full port range (40000-60000 UDP) without restricting by source or destination IP.

FAQ

The hostname sip.vapi.ai resolves to both Vapi SIP signalling IP addresses. However, if your firewall supports only IP-based rules, add both 44.229.228.186 and 44.238.177.138 explicitly for signalling. DNS-based firewall rules depend on TTL and caching behavior, which can lead to gaps during DNS updates. Note that this DNS hostname applies to SIP signalling only; RTP media uses dynamic IPs that cannot be resolved via DNS.

Yes. Vapi’s RTP stack dynamically allocates ports within this range for each call. You cannot predict which specific port a given call will use, so the entire range must be open for reliable media flow.

No. Vapi’s SIP signalling uses the static IP addresses 44.229.228.186 and 44.238.177.138, but RTP media does not use static IP addresses. Media source IPs are dynamically assigned and may vary between calls.

Vapi supports TLS for SIP signalling on port 5061. For encrypted media (SRTP), configure your SIP trunk gateway with the tls/srtp outbound protocol option. See the gateway configuration reference for details.

Next steps

Now that you have your network configured for Vapi SIP traffic: