Voice Media IP Expansion Security FAQ
What is happening?
Twilio is migrating our public Voice media connectivity to a new range of IPs and an expanded port range. Our previously published region-specific IP/port ranges will be decommissioned and will no longer send or accept Voice media traffic. Beginning on 10 October 2023, Twilio Voice Media IPs will use a single global range: 184.108.40.206/18 with a UDP port range of 10000-60000.
When is this happening?
Starting 26 September 2023, Twilio will be updating the media IPs and port ranges for SIP and Voice SDK calls in all regions to 220.127.116.11/18 and expanding the UDP port range to 10000-60000. You will need to update your network infrastructure to ensure that you have allowlisted the full IP and port ranges before the migration completes on 10 October 2023. The old IP and port ranges will no longer accept or send traffic after this date, but they must be kept open in your infrastructure until then. Failure to do so will result in one-way audio and dropped calls.
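A quick way to verify that a firewall allowlist actually covers the range announced above is to subtract every qualifying UDP rule from the published network and see what is left. The following is an added example, not Twilio's code; it uses the range and UDP port span exactly as printed in this FAQ (confirm them against Twilio's currently published values), and the allowlist rules it checks are constructed sample input.

```python
import ipaddress

# Media range and UDP port span as printed in this FAQ; confirm them against
# Twilio's currently published values before changing production rules.
# strict=False tolerates a prefix written on a host address (as on this page).
TWILIO_MEDIA_NET = ipaddress.ip_network("220.127.116.11/18", strict=False)
TWILIO_UDP_PORTS = (10000, 60000)


def uncovered_subnets(rules, net=TWILIO_MEDIA_NET, ports=TWILIO_UDP_PORTS):
    """Return the parts of `net` that no rule permits for UDP over all of `ports`.

    rules: iterable of (cidr, proto, low_port, high_port) that the allowlist
    permits. A rule counts only if it is UDP and its port span contains the
    whole required span; a narrower span is the misconfiguration that lets
    signaling succeed while some media streams are dropped (one-way audio).
    """
    remaining = [net]
    for cidr, proto, low, high in rules:
        if proto.lower() != "udp" or low > ports[0] or high < ports[1]:
            continue
        allowed = ipaddress.ip_network(cidr, strict=False)
        if allowed.version != net.version:
            continue
        carved = []
        for block in remaining:
            if block.subnet_of(allowed):
                continue                       # fully covered by this rule
            if allowed.subnet_of(block):
                carved.extend(block.address_exclude(allowed))  # keep the rest
            else:
                carved.append(block)           # CIDR blocks nest or are disjoint
        remaining = carved
    return [str(block) for block in sorted(remaining)]


def sample_rules():
    """Constructed allowlist showing three common mistakes (not real customer rules)."""
    upper_half = list(TWILIO_MEDIA_NET.subnets(prefixlen_diff=1))[1]
    return [
        (str(upper_half), "udp", 10000, 60000),        # correct, but only half the /18
        (str(TWILIO_MEDIA_NET), "udp", 10000, 20000),  # whole /18, port span too narrow
        (str(TWILIO_MEDIA_NET), "tcp", 10000, 60000),  # wrong protocol; RTP media is UDP
    ]


if __name__ == "__main__":
    gaps = uncovered_subnets(sample_rules())
    print("still blocked:", gaps or "none")
```

Run the same check against the old region-specific ranges until 10 October 2023 to confirm they stay open through the migration window.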
Which Twilio products are impacted by this change?
Why does Twilio require voice customers to open so many IP addresses/UDP ports?
Due to the size of Twilio's Voice customer base and the growth of traffic on the platform, we have a large pool of IP addresses and a wide port range to provide reliability and scalability for the foreseeable future.
Isn't it a security risk for us to have so many IPs/Ports open?
It is a security risk to have any IPs/ports allowlisted. If an attacker can take over one IP or port from a given range, they can take over others, so the threat doesn't increase with the number of IPs or ports open.
Additionally, this IP range is owned by Twilio and registered with ARIN. This is not an ephemeral IP range that is at risk of being recycled by our cloud providers and could potentially be used by another organization in the future; with this in mind it is Twilio's position that this is a security improvement over the previous paradigm, despite the larger range(s).
The size of the allowlist makes me nervous, you're asking us to blindly open our systems!?!
Every RTP media session is negotiated by one of a small number of trusted Twilio signaling edges. The IP/ports here refer to the Twilio media edge: you should allow UDP traffic to be sent to and received from the published IP address ranges, but you do not need to open any additional IPs or ports on your side. The IP range is owned by Twilio and registered with ARIN; this is not an ephemeral IP range that is at risk of being recycled by our cloud providers and potentially used by another organization in the future. With this in mind, it is Twilio's position that this is a security improvement over the previous paradigm.
Why doesn't Twilio offer region-specific/product-specific IP ranges?
The new media pool is not region- or product-specific by design. It allows Twilio to allocate IP addresses dynamically based on current capacity needs. For example, if there are traffic spikes in us1, Twilio can dynamically re-allocate unused capacity from sg1, which is likely to be dormant.
What are some security best practices customers can use to lower their risk?
Using secure RTP (Programmable SIP | Elastic SIP Trunking) will additionally lower the risk of RTP injection and hijacking attacks, as will disabling symmetric RTP on your SIP infrastructure unless it is absolutely necessary for NAT traversal.
Why don't other companies have such broad requirements?
We can't speak for the decision-making processes of other companies or their architectural designs, but we do see other companies with broadly similar requirements; Telnyx, for example, has a single non-regional /19 IP range, and Zoom Phone and Zoom Contact Center have a UDP port range of 20000-64000.
Why is Twilio doing this all at once?
We are making changes to public media edges and private Interconnect media edges separately so there is some distribution of changes, but our thinking is to do a once-and-for-all change that migrates as much traffic as possible to the new media range to limit the number of discrete changes necessary to both customer and Twilio systems.
Why doesn't Twilio just use multiplexing or IP forwarding to reduce the number of IPs and ports that we need to receive traffic from?
Twilio does multiplexing and IP forwarding. The IP and port range requirements are based on our growth projections for the next ~10 years and take our multiplexing and IP forwarding capabilities into consideration.
This isn't going to work for us, we need to stay on the old IP addresses.
Unfortunately, this is not an option. Twilio needs to increase the size of our media fleet to ensure the reliability, resiliency, scalability, and stability of our network. Twilio offers a Network Traversal Service which provides media relay capabilities using TURN for Voice SDK calls to reduce the number of IP addresses and ports required.