> For clean Markdown of any page, append .md to the page URL. > For a complete documentation index, see https://docs.vapi.ai/llms.txt. > For full documentation content, see https://docs.vapi.ai/llms-full.txt. > For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://docs.vapi.ai/_mcp/server. # SIP networking and firewall configuration ## Overview When you integrate a SIP trunk with Vapi, your firewall and network infrastructure must allow SIP signalling and media (RTP) traffic to flow between your environment and Vapi's SIP servers. This page provides the complete set of IP addresses, ports, and protocols you need to configure. **In this reference, you'll find:** * All IP addresses and ports used by Vapi for SIP signalling * RTP media port ranges, directionality details, and dynamic IP behavior * Recommended firewall rules for inbound and outbound traffic These networking details apply to **all** SIP trunk integrations with Vapi, regardless of your SIP provider. For provider-specific setup instructions, see the [SIP trunking](/advanced/sip/sip-trunk) guide. ## Quick reference The table below summarizes every IP address, port, and protocol you need to allowlist. Use the row that matches the Vapi region where your organization is hosted. | Traffic type | Region | Hostname | IP addresses | Ports | Protocol | Direction | | -------------------- | ----------- | ---------------- | ---------------------------------- | --------------- | -------- | ------------- | | SIP signalling | US | `sip.vapi.ai` | `44.229.228.186`, `44.238.177.138` | `5060` | UDP | Bidirectional | | SIP signalling | EU | `sip.eu.vapi.ai` | `44.233.34.47`, `44.233.34.48` | `5060` | UDP | Bidirectional | | SIP signalling (TLS) | US | `sip.vapi.ai` | `44.229.228.186`, `44.238.177.138` | `5061` | TLS | Bidirectional | | SIP signalling (TLS) | EU | `sip.eu.vapi.ai` | `44.233.34.47`, `44.233.34.48` | `5061` | TLS | Bidirectional | | RTP media | All regions | N/A | No static IPs (dynamic) | `40000`-`60000` | UDP | Bidirectional | Use your region's SIP hostname when configuring SIP URIs or SIP peers. If your firewall or SIP provider requires IP-based allowlisting, add the signalling IP addresses for your region explicitly. ## SIP signalling Vapi's SIP infrastructure uses two static IP addresses for signalling traffic in each region: | Region | Hostname | IP addresses | | ------ | ---------------- | ---------------------------------------- | | US | `sip.vapi.ai` | `44.229.228.186/32`, `44.238.177.138/32` | | EU | `sip.eu.vapi.ai` | `44.233.34.47/32`, `44.233.34.48/32` | These are the public IPs of Vapi's SBC (Session Border Controller) nodes. All SIP `INVITE`, `REGISTER`, `BYE`, and other signalling messages originate from and are received at the addresses for your region. ### Ports | Port | Protocol | Use case | | -------- | -------- | -------------------------------------------- | | **5060** | UDP | Default SIP signalling | | **5061** | TLS | SIP over TLS (SIPS) for encrypted signalling | Use port **5060** unless your provider or security requirements mandate encrypted signalling, in which case use port **5061** with TLS. ### Hostnames and allowlisting Configure your SIP client or PBX to point to the hostname for your region. For firewall rules and carrier allowlists, use the static signalling IP addresses listed for your region. Allowlist both IP addresses for your region explicitly. DNS A records may not match every static signalling IP that Vapi can use for carrier or firewall allowlisting. ## SIP media (RTP) Vapi does not use static IP addresses for RTP media (voice audio). The media source IP addresses are dynamically assigned and may change between calls. Because of this, you should not rely on allowlisting specific IPs for RTP media traffic. Unlike SIP signalling, RTP media does **not** originate from a fixed set of IP addresses. Your firewall rules for RTP media should allow traffic based on port ranges rather than specific source IPs. ### Port range Vapi uses **UDP ports 40000 through 60000** for RTP media traffic. | Setting | Value | | -------------------- | --------------------- | | Local RTP port range | `40000`-`60000` (UDP) | | Direction | Bidirectional | * **Inbound RTP**: Vapi listens on ports `40000`-`60000` for incoming media packets. * **Outbound RTP**: Vapi sends media from ports in the `40000`-`60000` range. The destination IP and port are determined by the remote SDP offer/answer, so Vapi can send to any IP and port your provider advertises. Vapi does not restrict the remote RTP port range. Your provider may use any port for its RTP traffic. The `40000`-`60000` range applies only to Vapi's local ports. ## Firewall rules Configure your firewall to allow the following traffic. Both SIP signalling IP addresses for your region must be allowlisted, as Vapi may use either one for any given call. For RTP media, allow traffic on the full port range without IP restrictions since Vapi uses dynamic IPs for media. ### Inbound rules (traffic from Vapi to your network) Allow these if your SIP provider or PBX needs to receive traffic from Vapi: | Rule | Region | Source IP | Destination | Port(s) | Protocol | | -------------------- | ----------- | ---------------------------------- | ----------------- | --------------- | -------- | | SIP signalling | US | `44.229.228.186`, `44.238.177.138` | Your SIP server | `5060` | UDP | | SIP signalling | EU | `44.233.34.47`, `44.233.34.48` | Your SIP server | `5060` | UDP | | SIP signalling (TLS) | US | `44.229.228.186`, `44.238.177.138` | Your SIP server | `5061` | TLS | | SIP signalling (TLS) | EU | `44.233.34.47`, `44.233.34.48` | Your SIP server | `5061` | TLS | | RTP media | All regions | Any (dynamic) | Your media server | `40000`-`60000` | UDP | ### Outbound rules (traffic from your network to Vapi) Allow these if your firewall restricts outbound connections: | Rule | Region | Source | Destination IP | Port(s) | Protocol | | -------------------- | ----------- | ----------------- | ---------------------------------- | --------------- | -------- | | SIP signalling | US | Your SIP server | `44.229.228.186`, `44.238.177.138` | `5060` | UDP | | SIP signalling | EU | Your SIP server | `44.233.34.47`, `44.233.34.48` | `5060` | UDP | | SIP signalling (TLS) | US | Your SIP server | `44.229.228.186`, `44.238.177.138` | `5061` | TLS | | SIP signalling (TLS) | EU | Your SIP server | `44.233.34.47`, `44.233.34.48` | `5061` | TLS | | RTP media | All regions | Your media server | Any (dynamic) | `40000`-`60000` | UDP | Both SIP signalling IP addresses for your region must be allowed in your firewall rules. Vapi may use either address for signalling on any given call. Missing one address can cause intermittent call failures. For RTP media, since Vapi uses dynamic IPs, configure your firewall to allow the full port range (`40000`-`60000` UDP) without restricting by source or destination IP. ## FAQ Use your region's hostname for SIP URI and peer configuration. For IP-based firewall rules, add both static signalling IP addresses for your region explicitly. DNS-based firewall rules depend on TTL and caching behavior, and DNS A records may not match every static signalling IP that Vapi can use for allowlisting. RTP media uses dynamic IPs that cannot be resolved via DNS. Yes. Vapi's RTP stack dynamically allocates ports within this range for each call. You cannot predict which specific port a given call will use, so the entire range must be open for reliable media flow. No. Vapi's SIP signalling uses static IP addresses for each region, but RTP media does not use static IP addresses. Media source IPs are dynamically assigned and may vary between calls. Vapi supports TLS for SIP signalling on port 5061. For encrypted media (SRTP), configure your SIP trunk gateway with the `tls/srtp` outbound protocol option. See the [gateway configuration reference](/advanced/sip/troubleshoot-sip-trunk-credential-errors#gateway-configuration-reference) for details. ## Next steps Now that you have your network configured for Vapi SIP traffic: * **Set up a SIP trunk:** Follow the [SIP trunking](/advanced/sip/sip-trunk) guide to create your trunk credential and phone number * **Configure a provider:** Set up with [Twilio](/advanced/sip/twilio), [Telnyx](/advanced/sip/telnyx), [Plivo](/advanced/sip/plivo), or [Zadarma](/advanced/sip/zadarma) * **Troubleshoot errors:** Resolve gateway issues with the [SIP trunk credential troubleshooting](/advanced/sip/troubleshoot-sip-trunk-credential-errors) guide