Networking and Firewall
Stream Video leverages a combination of UDP and TCP protocols to deliver real-time video streams. By default, Stream uses UDP, which is the preferred protocol for real-time video transmission via WebRTC. However, some users may encounter restrictions on UDP due to firewall rules or networking configurations. If UDP is unavailable, the system automatically falls back to TCP. Although TCP provides a viable alternative, it is less ideal for real-time video, as it may result in decreased video quality.
For optimal performance, we recommend configuring firewalls to allow UDP and NAT as explained below.
Network and Port Requirements
Stream Video operates on an edge infrastructure with a dynamically managed list of servers for video call routing. For audio/video to work correctly, your network firewall must allow access to servers under the subdomains stream-io-video.com, stream-io-api.com and getstream.io (e.g. video.stream-io-api.com, sfu-5a2a819a93e3-aws-sao1.stream-io-video.com).
Signaling (HTTP and WebSocket over TLS):
Access to signaling is required for all clients to establish a connection. Signaling uses a combination of WSS and HTTPS (TCP/443). Without this, clients will not be able to connect to the server.
You can test this by opening https://video.stream-io-api.com/ in your browser; it should show a JSON error response. If the page does not load, or returns some sort of HTML message instead, it is likely that your firewall is blocking access to the signaling server.
WebRTC
For audio/video to work you need clients to be able to connect to one of our video servers. The best connection is achieved when clients can connect to the server via UDP and NAT is configured correctly on your network. There are several fallback options available if UDP is blocked or unavailable, if NAT is not configured correctly, or if traffic is only allowed on specific ports.
Open as many ports as your firewall policy allows — Stream will automatically use the best available option.
Optimal configuration
Allows direct UDP connections and full STUN/TURN support. Best call quality and fastest setup time.
| Protocol | Port(s) |
|---|---|
| Direct media | UDP 46884–60999 |
| STUN / TURN | UDP 3478 |
| TURN | UDP 443 |
| TURN | TCP 3478 |
| TURN TLS | TCP 443 |
Restricted UDP (specific ports only)
When the wide UDP range cannot be opened, clients fall back to TURN over UDP. Quality remains good since media is still carried over UDP.
| Protocol | Port(s) |
|---|---|
| STUN / TURN | UDP 3478 |
| TURN | UDP 443 |
| TURN | TCP 3478 |
| TURN TLS | TCP 443 |
Minimum (TCP only)
TCP 443 covers both signaling and TURN over TLS. Works in the most restrictive environments, but TCP is not efficient for real-time media and will result in higher latency and lower call quality. At least one UDP port above is strongly recommended.
| Protocol | Port(s) |
|---|---|
| TURN TLS | TCP 443 |
Recommended Firewall Rules
To ensure compatibility and quality, configure the following rules:
- Ensure NAT is configured correctly on your network
- Ensure that HTTPS/WSS traffic is allowed, at least for addresses resolved by *.stream-io-video.com, *.stream-io-api.com and *.getstream.io
- Ensure that your configuration of the port ranges used by WebRTC is allowed, at least for addresses resolved by *.stream-io-video.com, *.stream-io-api.com and *.getstream.io
This configuration ensures robust connectivity for all clients, maintaining the highest possible video quality across varying network environments.
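As an added example (not Stream's own tooling), the following Python checks an egress allow-list against the port tables above and reports the best media path it permits, plus the rows of the optimal table that are still blocked. The rule tuple format, the function names and the path labels are assumptions made for illustration; the port numbers are the ones on this page.

```python
# Added example: the rule format, function names and path labels are assumptions;
# the port numbers are the ones listed in this page's tables.
OPTIMAL = [  # (table label, protocol, first port, last port)
    ("Direct media", "udp", 46884, 60999),
    ("STUN / TURN", "udp", 3478, 3478),
    ("TURN", "udp", 443, 443),
    ("TURN", "tcp", 3478, 3478),
    ("TURN TLS", "tcp", 443, 443),
]


def covered(rules, proto, lo, hi):
    """True if the allowed (proto, lo, hi) ranges together span lo..hi."""
    need = lo
    for _, r_lo, r_hi in sorted(r for r in rules if r[0] == proto):
        if r_lo > need:
            return False  # gap: some port in lo..hi is not allowed
        need = max(need, r_hi + 1)
        if need > hi:
            return True
    return False


def audit(rules):
    """Return (best media path the rules permit, optimal-table rows still blocked)."""
    missing = [f"{label} {p.upper()} {lo}" + (f"-{hi}" if hi != lo else "")
               for label, p, lo, hi in OPTIMAL if not covered(rules, p, lo, hi)]
    if not covered(rules, "tcp", 443, 443):
        path = "blocked"      # signaling needs TCP/443, so clients cannot connect
    elif covered(rules, "udp", 46884, 60999):
        path = "direct-udp"   # whole direct media range is open
    elif covered(rules, "udp", 3478, 3478) or covered(rules, "udp", 443, 443):
        path = "turn-udp"     # restricted UDP: media relayed over TURN/UDP
    else:
        path = "tcp-only"     # minimum tier: expect higher latency
    return path, missing


# Constructed allow-lists (not taken from a real firewall).
SAMPLES = {
    "split-range": [("tcp", 443, 443), ("udp", 40000, 50000), ("udp", 50001, 61000)],
    "partial-range": [("tcp", 443, 443), ("udp", 3478, 3478), ("udp", 50000, 60999)],
    "proxy-only": [("tcp", 443, 443)],
    "no-tls": [("tcp", 80, 80), ("udp", 3478, 3478)],
}

if __name__ == "__main__":
    for name, rules in SAMPLES.items():
        print(name, *audit(rules))
```

A rule set that passes this check can still fail in practice because of traffic shaping or DPI, which is why the live connection test described below remains necessary.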
Testing Your Configuration
Opening the correct ports is not always sufficient. Traffic shaping policies are a common source of issues — they can throttle or drop UDP streams based on bandwidth limits, protocol heuristics, or QoS rules, without inspecting payload content. This means calls can degrade or drop even when all ports are technically open. Additionally, firewalls with Deep Packet Inspection (DPI) may drop UDP connections mid-call by enforcing short state timeouts or blocking traffic that does not match an expected pattern. For this reason, we recommend actively testing connectivity rather than relying solely on firewall rule verification.
Stream provides a connection test tool that verifies your network can reach Stream's servers.
After opening the test, check the Connectivity section. In a correctly configured network you should see:
- Protocol: UDP / TCP
- SFU node: a server geographically close to your location
- Connection liveness: healthy
If connectivity is failing or the protocol in use is unexpected for your configuration, cross-reference the port requirements above and verify the correct ports are open. If the issue persists, click Copy Report at the top of the test page to capture a full snapshot and share it with the Stream support team.