Twilio Connectivity – Troubleshooting Guide
Audience: IT, Network, and Firewall Teams
Purpose: Validate network readiness for Twilio Voice and WebRTC services.
1. Mandatory Connectivity Test (Step 1)
All customers must run the official Twilio WebRTC diagnostics test.
Test URL:
https://networktest.twilio.com/
Expected Result
ALL tests must show PASS, especially:
- TURN UDP Connectivity
- Voice Test (PCMU)
- Voice Test (Opus)
If ALL Tests Pass
Network connectivity is NOT the issue.
Proceed to application-level troubleshooting.
If ANY Test Fails
A network firewall or security policy is blocking Twilio traffic.
Proceed to Section 2 – Firewall Validation.
2. Firewall & Network Requirements (Mandatory)
2.1 Required Ports & Protocols
Ensure the following outbound traffic is allowed:
| Protocol | Port(s) | Purpose |
|---|---|---|
| TCP | 443 | HTTPS, TLS signaling |
| UDP | 3478 | STUN |
| UDP | 5349 | TURN |
| UDP | 10000–20000 | Twilio media (RTP audio) |
2.2 Required Domains (FQDNs)
Allow outbound access to:
*.twilio.com
If your firewall requires explicit FQDN allow-listing, ensure wildcard support is enabled.
3. Next-Generation Firewall (App-ID) Configuration
For Palo Alto, Fortinet, Check Point, Sophos, or other NGFWs, ensure Application-ID rules are not blocking Twilio traffic.
| App-ID | Role in Twilio / WebRTC |
|---|---|
| dtls | Key exchange for SRTP encryption |
| stun | NAT traversal & ICE negotiation |
| rtp | Real-time media transport |
| rtcp | Media control traffic |
| webrtc | Covers DTLS, RTP, STUN |
| ssl | HTTPS / TLS signaling |
| web-browsing | Twilio Console / browser UI |
| dns | Domain name resolution |
| sip (optional) | Only for SIP Trunking / BYOC |
Best Practice:
Allow App-ID + Port-based rules together. App-ID detection may fail on encrypted traffic; ports provide fallback.
4. Common Misconfigurations to Check
- UDP traffic blocked (most common issue)
- RTP ports restricted or incorrectly narrowed
- STUN / TURN App-ID blocked
- SSL inspection breaking DTLS / WebRTC
- Outdated Twilio IP or FQDN allow-list
5. If Tests Still Fail
- Firewall logs showing blocked traffic
- Destination IP / FQDN
- Port and protocol
- App-ID (if applicable)
Confirm:
- Outbound UDP allowed
- No SSL inspection on WebRTC traffic
- Twilio FQDNs or IPs in policy
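One way to triage the firewall logs listed in this section against the port table in 2.1 and the App-ID table in 3, as an added example (not Twilio's or any vendor's tooling). The CSV column layout, the hostnames and the sample log lines are constructed for illustration.

```python
import csv

# Outbound requirements from section 2.1: (protocol, first port, last port, purpose).
REQUIRED = [
    ("tcp", 443, 443, "HTTPS, TLS signaling"),
    ("udp", 3478, 3478, "STUN"),
    ("udp", 5349, 5349, "TURN"),
    ("udp", 10000, 20000, "Twilio media (RTP audio)"),
]
# App-IDs from the section 3 table ("sip" is optional there and left out).
KNOWN_APP_IDS = {"dtls", "stun", "rtp", "rtcp", "webrtc", "ssl", "web-browsing", "dns"}

# Constructed sample export; the column layout is an assumption, not a vendor format:
# action,protocol,destination FQDN,destination port,App-ID
SAMPLE_LOG = """\
deny,udp,turn.example.twilio.com,3478,stun
deny,udp,media.example.twilio.com,14022,rtp
deny,udp,media.example.twilio.com,17530,unknown-udp
allow,tcp,api.example.twilio.com,443,ssl
deny,tcp,updates.example.net,443,ssl
deny,udp,ntp.example.net,123,ntp
"""

def match_requirement(protocol, port):
    """Return the section 2.1 purpose a flow falls under, or None."""
    for proto, low, high, purpose in REQUIRED:
        if protocol == proto and low <= port <= high:
            return purpose
    return None

def triage(log_text):
    """Summarise denied *.twilio.com flows per violated section 2.1 requirement."""
    findings = {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        action, protocol, dest, port, app_id = (field.strip().lower() for field in row)
        if action != "deny" or not dest.endswith(".twilio.com") or not port.isdigit():
            continue
        purpose = match_requirement(protocol, int(port))
        if purpose is None:
            continue
        entry = findings.setdefault(purpose, {"denied": 0, "unclassified": 0})
        entry["denied"] += 1
        # A flow on a required port whose App-ID is not in the section 3 table
        # is one that only a port-based rule would have let through.
        entry["unclassified"] += app_id not in KNOWN_APP_IDS
    return findings

if __name__ == "__main__":
    for purpose, entry in triage(SAMPLE_LOG).items():
        print(f"{purpose}: {entry['denied']} denied, {entry['unclassified']} without a known App-ID")
```

A non-zero "unclassified" count on the media range is the case the best-practice note in section 3 describes: the App-ID engine did not recognise the flow, so only a port-based rule would allow it.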
6. Quick Validation Checklist (For IT Teams)
- Twilio Network Test – All PASS
- TCP 443 outbound allowed
- UDP 3478 & 5349 allowed
- UDP 10000–20000 allowed
- *.twilio.com allowed
- STUN / DTLS / RTP / WebRTC App-IDs not blocked
- No SSL decryption for WebRTC
7. Summary
- Twilio requires UDP for voice quality
- All tests must PASS on the Twilio network test page
- Most failures are caused by firewall App-ID or UDP restrictions
- Use Port + App-ID rules together for best results