You and Twilio will have to configure our respective IPSec VPN components to encrypt traffic traversing the Internet.
VPN gateway. A network device (e.g. router, firewall) supporting the IPSec protocol suite. The device needs to be assigned an IPv4 address routable on the Internet.
Encryption Domain (IP routes). One or more of your IP networks that will have access to Twilio. Your border devices (e.g. IP-PBX, SIP-PRI IAD, Session Border Controller, NAT gateway, etc.) will reside in these networks. Your VPN gateway and the IP routes behind it form the encryption domain. Note that your IP routes have to be globally unique ("public IPs"), as opposed to RFC 1918 address ranges, to avoid conflicts with other networks that the Twilio platform is peered with. In other words, your IP routes have to be outside of the following ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Firewall. Your firewall will have to allow your border devices to communicate with the Twilio network.
VPN gateway. Twilio has a fixed VPN gateway at each Twilio Interconnect Exchange location.
Encryption Domain [IP routes]. All Twilio signaling and media traffic will be initiated from fixed IP networks. Each Twilio Interconnect Exchange location has its own unique IP routes. Our VPN gateway and the IP routes behind it form the encryption domain.
Twilio Interconnect connection. Twilio will provision bandwidth for your connection at the Twilio Interconnect Exchange location you specify. See connection bandwidth and location options listed below. For high availability, we strongly recommend connecting to at least two of our geographically redundant Twilio Interconnect locations. For example, you can select a 100-Mbps connection in Ashburn, Virginia and a 100-Mbps connection in San Jose, California to create redundant connections to Twilio on both coasts of the United States.
| US - Ashburn, Virginia | ✅ | ✅ | 🚫 | ✅ |
| US - San Jose, California | ✅ | ✅ | 🚫 | ✅ |
| UK - London | ✅ | ✅ | ✅ | ✅ |
| Frankfurt - Germany | ✅ | ✅ | ✅ | ✅ |
| Tokyo - Japan | ✅ | ✅ | ✅ | ✅ |
| Sydney - Australia | ✅ | ✅ | ✅ | ✅ |
IPSec pre-shared key (PSK). Twilio will issue a pre-shared key for IKE phase I authentication and send the key to you via a secure communication channel.
| VPN gateway | to establish an IPSec tunnel between your network and Twilio's | a router or firewall supporting IPSec VPN can be procured from network equipment manufacturers such as Cisco and Juniper |
| IPSec phase I and II specs | to configure your VPN gateway | you will receive Twilio's IPSec VPN specification |
| Connection bandwidth and location requirements | so that Twilio can provision adequate bandwidth for your needs | to estimate bandwidth, convert your maximum number of concurrent calls to the required throughput in Mbps. Many of our customers found the following ratio helpful: 1 Mbps of bandwidth is roughly equal to 10 concurrent [G.711 encoded] calls. Choose the Twilio Interconnect location closest to your VPN gateway. |
| Pre-shared key | to authenticate your router when creating the IPSec tunnel | you will receive a pre-shared key from Twilio via secure file exchange |
| Your IP routes | so that Twilio can allow traffic from your network | ask your network administrator for the routes |
| Twilio’s VPN gateway IP | to establish an IPSec tunnel to Twilio | you will receive our VPN gateway IP with Twilio's IPSec VPN specification |
| Twilio’s IP routes | to allow traffic from Twilio's network to yours | ask your network administrator to permit traffic from Twilio's routes/ports |
| Twilio account SID | so that we know which Twilio account is authorized to use your private connection and financially responsible for it | see your Console dashboard |
- Desired Exchange location and bandwidth
- VPN gateway IP
- Encryption Domain/IP routes
- Twilio account SID
- Email address to send pre-shared key to via secure file exchange
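
A pre-submission check for the details listed above, as an added Python example (not Twilio's code): it flags a gateway address or IP routes that overlap the RFC 1918 ranges and applies the 1 Mbps per 10 G.711 calls estimate. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import math

# RFC 1918 ranges listed on this page; encryption-domain routes must avoid them.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CALLS_PER_MBPS = 10  # the page's rule of thumb for G.711 encoded calls

def check_route(cidr):
    """Return a list of problems found with one IP route (empty if none)."""
    try:
        # Assumption: routes are IPv4, like the RFC 1918 ranges they are
        # compared with. strict=True rejects typos such as 10.1.2.3/24.
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        return [f"{cidr}: not a valid IPv4 network ({exc})"]
    # overlaps() also flags supernets such as 172.0.0.0/8 that only partly
    # cover a private range.
    return [f"{cidr}: overlaps private range {p}"
            for p in RFC1918 if net.overlaps(p)]

def check_gateway(addr):
    """Check only the RFC 1918 rule; Internet reachability is not tested."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError as exc:
        return [f"{addr}: not a valid IPv4 address ({exc})"]
    return [f"{addr}: inside private range {p}" for p in RFC1918 if ip in p]

def min_mbps(concurrent_calls):
    """Smallest whole-Mbps figure covering the peak concurrent call count."""
    return math.ceil(concurrent_calls / CALLS_PER_MBPS)

def review_request(gateway, routes, concurrent_calls):
    """Collect all address problems and the bandwidth estimate in one pass."""
    problems = check_gateway(gateway)
    for route in routes:
        problems += check_route(route)
    return problems, min_mbps(concurrent_calls)

if __name__ == "__main__":
    # Constructed sample values (documentation addresses, not real routes).
    routes = ["198.51.100.0/24", "172.0.0.0/8", "192.168.10.0/24", "10.1.2.3/24"]
    problems, mbps = review_request("203.0.113.10", routes, 250)
    print(f"estimated bandwidth: {mbps} Mbps")
    print("\n".join(problems) or "no problems found")
```
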
Your on-boarding contact at Twilio will share our IPSec VPN specification and your pre-shared key.
Configure your VPN gateway using Twilio's IPSec VPN specification. Advertise Twilio IP routes to your internal network (i.e., reverse route injection). This will allow your SIP-enabled elements to route traffic to Twilio.