You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: remove static RTP Media IP addresses from SIP networking docs (#953)
Vapi does not have static IP addresses for RTP Media. This commit
removes the IPs 44.229.228.186 and 44.238.177.138 from all RTP
media sections and updates the documentation to clearly communicate
that RTP media uses dynamic IPs. SIP signalling IPs are unchanged.
DEVREL-513
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
You can also use the DNS hostname `sip.vapi.ai`, which resolves to both IP addresses listed above.
31
+
You can also use the DNS hostname `sip.vapi.ai`, which resolves to the SIP signalling IP addresses listed above.
32
32
33
33
## SIP signalling
34
34
@@ -58,10 +58,11 @@ The hostname `sip.vapi.ai` resolves to both signalling IP addresses. You can con
58
58
59
59
## SIP media (RTP)
60
60
61
-
RTP media (voice audio) is sourced from the same infrastructure as SIP signalling. The media IP addresses are:
61
+
Vapi does not use static IP addresses for RTP media (voice audio). The media source IP addresses are dynamically assigned and may change between calls. Because of this, you should not rely on allowlisting specific IPs for RTP media traffic.
62
62
63
-
-`44.229.228.186/32`
64
-
-`44.238.177.138/32`
63
+
<Warning>
64
+
Unlike SIP signalling, RTP media does **not** originate from a fixed set of IP addresses. Your firewall rules for RTP media should allow traffic based on port ranges rather than specific source IPs.
65
+
</Warning>
65
66
66
67
### Port range
67
68
@@ -81,7 +82,7 @@ Vapi uses **UDP ports 40000 through 60000** for RTP media traffic.
81
82
82
83
## Firewall rules
83
84
84
-
Configure your firewall to allow the following traffic. Both IP addresses must be allowlisted, as Vapi may use either one for any given call.
85
+
Configure your firewall to allow the following traffic. Both SIP signalling IP addresses must be allowlisted, as Vapi may use either one for any given call. For RTP media, allow traffic on the full port range without IP restrictions since Vapi uses dynamic IPs for media.
85
86
86
87
### Inbound rules (traffic from Vapi to your network)
87
88
@@ -91,7 +92,7 @@ Allow these if your SIP provider or PBX needs to receive traffic from Vapi:
91
92
| --- | --- | --- | --- | --- |
92
93
| SIP signalling |`44.229.228.186`, `44.238.177.138`| Your SIP server |`5060`| UDP |
93
94
| SIP signalling (TLS) |`44.229.228.186`, `44.238.177.138`| Your SIP server |`5061`| TLS |
94
-
| RTP media |`44.229.228.186`, `44.238.177.138`| Your media server |`40000`-`60000`| UDP |
95
+
| RTP media |Any (dynamic)| Your media server |`40000`-`60000`| UDP |
95
96
96
97
### Outbound rules (traffic from your network to Vapi)
97
98
@@ -101,23 +102,23 @@ Allow these if your firewall restricts outbound connections:
101
102
| --- | --- | --- | --- | --- |
102
103
| SIP signalling | Your SIP server |`44.229.228.186`, `44.238.177.138`|`5060`| UDP |
103
104
| SIP signalling (TLS) | Your SIP server |`44.229.228.186`, `44.238.177.138`|`5061`| TLS |
104
-
| RTP media | Your media server |`44.229.228.186`, `44.238.177.138`|`40000`-`60000`| UDP |
105
+
| RTP media | Your media server |Any (dynamic)|`40000`-`60000`| UDP |
105
106
106
107
<Warning>
107
-
Both IP addresses must be allowed in your firewall rules. Vapi may use either address for signalling or media on any given call. Missing one address can cause intermittent call failures.
108
+
Both SIP signalling IP addresses must be allowed in your firewall rules. Vapi may use either address for signalling on any given call. Missing one address can cause intermittent call failures. For RTP media, since Vapi uses dynamic IPs, configure your firewall to allow the full port range (`40000`-`60000` UDP) without restricting by source or destination IP.
108
109
</Warning>
109
110
110
111
## FAQ
111
112
112
113
<AccordionGroup>
113
114
<Accordiontitle="Can I use DNS instead of IP addresses in my firewall rules?">
114
-
The hostname `sip.vapi.ai` resolves to both Vapi SIP IP addresses. However, if your firewall supports only IP-based rules, add both `44.229.228.186` and `44.238.177.138` explicitly. DNS-based firewall rules depend on TTL and caching behavior, which can lead to gaps during DNS updates.
115
+
The hostname `sip.vapi.ai` resolves to both Vapi SIP signalling IP addresses. However, if your firewall supports only IP-based rules, add both `44.229.228.186` and `44.238.177.138` explicitly for signalling. DNS-based firewall rules depend on TTL and caching behavior, which can lead to gaps during DNS updates. Note that this DNS hostname applies to SIP signalling only; RTP media uses dynamic IPs that cannot be resolved via DNS.
115
116
</Accordion>
116
117
<Accordiontitle="Do I need to open the full 40000-60000 port range?">
117
118
Yes. Vapi's RTP stack dynamically allocates ports within this range for each call. You cannot predict which specific port a given call will use, so the entire range must be open for reliable media flow.
118
119
</Accordion>
119
120
<Accordiontitle="Are the signalling and media IPs the same?">
120
-
Yes. Vapi's SIP signalling and RTP media are served from the same infrastructure and use the same pair of public IP addresses (`44.229.228.186` and `44.238.177.138`).
121
+
No. Vapi's SIP signalling uses the static IP addresses `44.229.228.186` and `44.238.177.138`, but RTP media does not use static IP addresses. Media source IPs are dynamically assigned and may vary between calls.
121
122
</Accordion>
122
123
<Accordiontitle="Does Vapi support SRTP (encrypted media)?">
123
124
Vapi supports TLS for SIP signalling on port 5061. For encrypted media (SRTP), configure your SIP trunk gateway with the `tls/srtp` outbound protocol option. See the [gateway configuration reference](/advanced/sip/troubleshoot-sip-trunk-credential-errors#gateway-configuration-reference) for details.
0 commit comments