Rate this page:

Thanks for rating this page!

We are always striving to improve our documentation quality, and your feedback is valuable to us. How could this documentation serve you better?

Getting Started With VPN

You and Twilio will have to configure our respective IPSec VPN components to encrypt traffic traversing the Internet.


Your components

  • VPN gateway. A network device (e.g. router, firewall) supporting IPSec protocol suite. The device needs to be assigned an IPv4 address routable on the Internet.

  • Encryption Domain (IP routes). One or more of your IP networks that will have access to Twilio. Your border devices (e.g. IP-PBX, SIP-PRI IAD, Session Border Controller, NAT gateway, etc.) will reside in these networks. Your VPN gateway and IP routes behind it form the encryption domain. Note that your IP routes have to be globally unique ("public IPs") - as opposed to RFC 1918 address ranges - to avoid conflicts with other networks that Twilio platform is peered with. In other words, your IP routes have to be outside of the following ranges: - - -

  • Firewall. Your firewall will have to allow your border devices to communicate with Twilio network.

Twilio components

  • VPN gateway. Twilio has a fixed VPN gateway at each Twilio Interconnect Exchange location.

  • Encryption Domain [IP routes]. All Twilio signaling and media traffic will be initiated from fixed IP networks. Each Twilio Interconnect Exchange location has its own unique IP routes. Our VPN gateway and IP routes behind it form the encryption domain.

  • Twilio Interconnect connection. Twilio will provision bandwidth for your connection at Twilio Interconnect Exchange location specified by you. See connection bandwidth and location options listed below. For high availability, we strongly recommend connecting to at least two of our geographically redundant Twilio Interconnect locations. For example, you can select a 100-Mbps connection in Ashburn, Virginia and a 100-Mbps connection in San Jose, California to create redundant connections to Twilio on both coasts of the United States.

Location 10-Mbps 100-Mbps 500-Mbps 1-Gbps
US - Ashburn, Virginia 🚫
US - San Jose, California 🚫
UK - London
Frankfurt - Germany
Tokyo - Japan
Sydney - Australia
  • IPSec pre-shared key (PSK). Twilio will issue a pre-shared key for IKE phase I authentication and send the key to you via a secure communication channel.

What you will need to create a Twilio Interconnect connection

What Why How
VPN gateway to establish an IPSec tunnel between your and Twilio networks router or firewall supporting IPSec VPN could be procured from network equipment manufacturers such as Cisco and Juniper
IPSec phase I and II specs to configure your VPN gateway you will receive Twilio's IPSec VPN specification
Connection bandwidth and location requirements so that Twilio can provision adequate bandwidth for your needs to estimate bandwidth, convert your maximum number of concurrent calls to the required throughput in Mbps. Many of our customers found the following ratio helpful: 1 Mbps of bandwidth is roughly equal to 10 concurrent [G.711 encoded] calls. Choose Twilio Interconnect location closest to your VPN gateway.
Pre-shared key to authenticate your router when creating the IPSec tunnel you will receive a pre-shared key from Twilio via secure file exchange
Your IP routes so that Twilio can allow traffic from your network ask your network administrator for the routes
Twilio’s VPN gateway IP to establish an IPSec tunnel to Twilio you will receive our VPN gateway IP with Twilio's IPSec VPN specification
Twilio’s IP routes to allow traffic from Twilio's network to yours ask your network administrator to permit traffic from Twilio's routes/ports
Twilio account SID so that we know which Twilio account is authorized to use your private connection and financially responsible for it see your Console dashboard

Configuring your private connection to Twilio

Step 1: Let your Twilio onboarding contact know your:

  • Desired Exchange location and bandwidth
  • VPN gateway IP
  • Encryption Domain/IP routes
  • Twilio account SID
  • Email address to send pre-shared key to via secure file exchange

Step 2: Receive IPSec VPN specification and pre-shared key from Twilio

Your on-boarding contact at Twilio will share our IPSec VPN specification and your pre-shared key.

Step 3: Bring the IPSec tunnel up

Configure your VPN gateway using Twilio's IPSec VPN specification. Advertise Twilio IP routes to your internal network (i.e reverse route injection). This will allow your SIP-enabled elements route traffic to Twilio.

Next step

Rate this page:

Need some help?

We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd browsing the Twilio tag on Stack Overflow.