For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
WebsiteStatusSupportDashboard
DocumentationAPI ReferenceMCPSDKsCLI (new)What's New?
DocumentationAPI ReferenceMCPSDKsCLI (new)What's New?
  • Get started
    • Introduction
    • Phone calls
    • Web calls
    • Vapi Guides
    • Composer
    • CLI quickstart
  • Assistants
    • Quickstart
    • Tools
    • Custom keywords
    • Custom voices
    • Custom transcriber
    • Custom TTS
  • Observability
    • Boards
  • Squads
    • Quickstart
    • Overview
    • Handoff tool
    • Passing data between assistants
  • Best practices
    • Prompting guide
    • Debugging voice agents
    • Enterprise environments (DEV/UAT/PROD)
    • IVR navigation
  • Phone numbers
    • Free Vapi number
    • Inbound SMS
      • SIP telephony
      • SIP trunking
      • Networking and firewall
      • Troubleshoot SIP trunk credential errors
    • Phone Number Hooks
  • Calls
    • Call end reasons
    • Troubleshoot call errors
  • Outbound Campaigns
    • Quickstart
    • Overview
  • Chat
    • Quickstart
    • Streaming
    • Non-streaming
    • OpenAI compatibility
    • Session management
    • Variable substitution
    • SMS chat
    • Web widget
    • Webhooks
  • Workflows
    • Quickstart
    • Overview
LogoLogo
WebsiteStatusSupportDashboard
On this page
  • Overview
  • Quick reference
  • SIP signalling
  • Ports
  • Hostnames and allowlisting
  • SIP media (RTP)
  • Port range
  • Firewall rules
  • Inbound rules (traffic from Vapi to your network)
  • Outbound rules (traffic from your network to Vapi)
  • FAQ
  • Next steps
Phone numbersSIP integration

SIP networking and firewall configuration

Learn to configure your network to allow SIP signalling and media traffic with Vapi
Was this page helpful?
Edit this page
Previous

Twilio SIP Integration

How to integrate Twilio SIP with Vapi
Next
Built with

Overview

When you integrate a SIP trunk with Vapi, your firewall and network infrastructure must allow SIP signalling and media (RTP) traffic to flow between your environment and Vapi’s SIP servers. This page provides the complete set of IP addresses, ports, and protocols you need to configure.

In this reference, you’ll find:

  • All IP addresses and ports used by Vapi for SIP signalling
  • RTP media port ranges, directionality details, and dynamic IP behavior
  • Recommended firewall rules for inbound and outbound traffic

These networking details apply to all SIP trunk integrations with Vapi, regardless of your SIP provider. For provider-specific setup instructions, see the SIP trunking guide.

Quick reference

The table below summarizes every IP address, port, and protocol you need to allowlist. Use the row that matches the Vapi region where your organization is hosted.

Traffic typeRegionHostnameIP addressesPortsProtocolDirection
SIP signallingUSsip.vapi.ai44.229.228.186, 44.238.177.1385060UDPBidirectional
SIP signallingEUsip.eu.vapi.ai44.233.34.47, 44.233.34.485060UDPBidirectional
SIP signalling (TLS)USsip.vapi.ai44.229.228.186, 44.238.177.1385061TLSBidirectional
SIP signalling (TLS)EUsip.eu.vapi.ai44.233.34.47, 44.233.34.485061TLSBidirectional
RTP mediaAll regionsN/ANo static IPs (dynamic)40000-60000UDPBidirectional

Use your region’s SIP hostname when configuring SIP URIs or SIP peers. If your firewall or SIP provider requires IP-based allowlisting, add the signalling IP addresses for your region explicitly.

SIP signalling

Vapi’s SIP infrastructure uses two static IP addresses for signalling traffic in each region:

RegionHostnameIP addresses
USsip.vapi.ai44.229.228.186/32, 44.238.177.138/32
EUsip.eu.vapi.ai44.233.34.47/32, 44.233.34.48/32

These are the public IPs of Vapi’s SBC (Session Border Controller) nodes. All SIP INVITE, REGISTER, BYE, and other signalling messages originate from and are received at the addresses for your region.

Ports

PortProtocolUse case
5060UDPDefault SIP signalling
5061TLSSIP over TLS (SIPS) for encrypted signalling

Use port 5060 unless your provider or security requirements mandate encrypted signalling, in which case use port 5061 with TLS.

Hostnames and allowlisting

Configure your SIP client or PBX to point to the hostname for your region. For firewall rules and carrier allowlists, use the static signalling IP addresses listed for your region.

Allowlist both IP addresses for your region explicitly. DNS A records may not match every static signalling IP that Vapi can use for carrier or firewall allowlisting.

SIP media (RTP)

Vapi does not use static IP addresses for RTP media (voice audio). The media source IP addresses are dynamically assigned and may change between calls. Because of this, you should not rely on allowlisting specific IPs for RTP media traffic.

Unlike SIP signalling, RTP media does not originate from a fixed set of IP addresses. Your firewall rules for RTP media should allow traffic based on port ranges rather than specific source IPs.

Port range

Vapi uses UDP ports 40000 through 60000 for RTP media traffic.

SettingValue
Local RTP port range40000-60000 (UDP)
DirectionBidirectional
  • Inbound RTP: Vapi listens on ports 40000-60000 for incoming media packets.
  • Outbound RTP: Vapi sends media from ports in the 40000-60000 range. The destination IP and port are determined by the remote SDP offer/answer, so Vapi can send to any IP and port your provider advertises.

Vapi does not restrict the remote RTP port range. Your provider may use any port for its RTP traffic. The 40000-60000 range applies only to Vapi’s local ports.

Firewall rules

Configure your firewall to allow the following traffic. Both SIP signalling IP addresses for your region must be allowlisted, as Vapi may use either one for any given call. For RTP media, allow traffic on the full port range without IP restrictions since Vapi uses dynamic IPs for media.

Inbound rules (traffic from Vapi to your network)

Allow these if your SIP provider or PBX needs to receive traffic from Vapi:

RuleRegionSource IPDestinationPort(s)Protocol
SIP signallingUS44.229.228.186, 44.238.177.138Your SIP server5060UDP
SIP signallingEU44.233.34.47, 44.233.34.48Your SIP server5060UDP
SIP signalling (TLS)US44.229.228.186, 44.238.177.138Your SIP server5061TLS
SIP signalling (TLS)EU44.233.34.47, 44.233.34.48Your SIP server5061TLS
RTP mediaAll regionsAny (dynamic)Your media server40000-60000UDP

Outbound rules (traffic from your network to Vapi)

Allow these if your firewall restricts outbound connections:

RuleRegionSourceDestination IPPort(s)Protocol
SIP signallingUSYour SIP server44.229.228.186, 44.238.177.1385060UDP
SIP signallingEUYour SIP server44.233.34.47, 44.233.34.485060UDP
SIP signalling (TLS)USYour SIP server44.229.228.186, 44.238.177.1385061TLS
SIP signalling (TLS)EUYour SIP server44.233.34.47, 44.233.34.485061TLS
RTP mediaAll regionsYour media serverAny (dynamic)40000-60000UDP

Both SIP signalling IP addresses for your region must be allowed in your firewall rules. Vapi may use either address for signalling on any given call. Missing one address can cause intermittent call failures. For RTP media, since Vapi uses dynamic IPs, configure your firewall to allow the full port range (40000-60000 UDP) without restricting by source or destination IP.

FAQ

Can I use DNS instead of IP addresses in my firewall rules?

Use your region’s hostname for SIP URI and peer configuration. For IP-based firewall rules, add both static signalling IP addresses for your region explicitly. DNS-based firewall rules depend on TTL and caching behavior, and DNS A records may not match every static signalling IP that Vapi can use for allowlisting. RTP media uses dynamic IPs that cannot be resolved via DNS.

Do I need to open the full 40000-60000 port range?

Yes. Vapi’s RTP stack dynamically allocates ports within this range for each call. You cannot predict which specific port a given call will use, so the entire range must be open for reliable media flow.

Are the signalling and media IPs the same?

No. Vapi’s SIP signalling uses static IP addresses for each region, but RTP media does not use static IP addresses. Media source IPs are dynamically assigned and may vary between calls.

Does Vapi support SRTP (encrypted media)?

Vapi supports TLS for SIP signalling on port 5061. For encrypted media (SRTP), configure your SIP trunk gateway with the tls/srtp outbound protocol option. See the gateway configuration reference for details.

Next steps

Now that you have your network configured for Vapi SIP traffic:

  • Set up a SIP trunk: Follow the SIP trunking guide to create your trunk credential and phone number
  • Configure a provider: Set up with Twilio, Telnyx, Plivo, or Zadarma
  • Troubleshoot errors: Resolve gateway issues with the SIP trunk credential troubleshooting guide