On this page

Networking Considerations for Video Applications

In real-time video applications, clients must be able to exchange audio, video, and other media with one another with as low latency as possible. When clients connect to a video Room, the Twilio Video SDK tries to establish that direct media connection between a client and Twilio's media server (also called a Selective Forwarding Unit, or SFU).

In an ideal situation, clients can connect directly to Twilio's SFU to exchange media.

Firewalls and Network Address Translation (NAT) can impact the quality and performance of your application if they block direct communication of media.

If a direct connection cannot be established between a client and Twilio's media servers, Twilio uses a TURN relay to exchange media. Using TURN adds additional latency to the application, as it adds an extra hop between the client sending the media and the client receiving the media.

When a direct connection is not possible between a client and Twilio's SFU, a TURN relay can exchange media.

Common reasons why a direct connection could fail are firewalls that restrict UDP traffic on Twilio's specified ports or non-BEHAVE-compliant NATs (where it is not possible to traverse the NAT using standardized methods).

(information)

What is a BEHAVE-compliant NAT?

A BEHAVE-compliant NAT is one that meets the requirements defined in RFC4787 and RFC5382. These RFCs standardize the ways that NAT traversal can happen, so a non BEHAVE-compliant NAT is one that cannot be traversed using the formally defined methods. This blocks direct media exchange.

Protocols and ports used to exchange media

Below are the protocols and ports through which Twilio will attempt to establish a connection for media exchange, in order of preference. Using TURN-TLS on port 443 adds the highest amount of latency to the transmission of media, because in addition to requiring a TURN relay, it adds in delivery acknowledgments and packet retransmission. It is a last fallback if other communication methods are blocked.

(information)

Info

You can also see the IP addresses that Twilio uses to communicate.

Protocol	Port Range
STUN and UDP/TLS/RTP/SAVPF	10000 - 60000
STUN, TURN-UDP	3478
TURN-TLS	443

When Participants connect to a Room, Twilio's media server dynamically assigns ports for UDP communication. If direct connectivity checks fail on the assigned ports, then TURN-UDP on port 3478 and TURN-TLS on port 443 are used as fallbacks.

The scenarios below describe situations where a client, Alice, connects to a Room and exchanges media with Twilio's media servers under different network environments.

1. UDP traffic allowed on ports 10000 - 60000

In a non-restrictive network environment or a restricted environment where UDP ports 10000 - 60000 are allowlisted, Alice can establish a direct media connection with the Twilio media server using the specified UDP port range. This is optimal for latency.

diagram of UDP Port Range Restricted Client Network Environment.

2. UDP traffic blocked on ports 10000 - 60000 but allowed on port 3478

In an environment where only UDP port 3478 is allowed, Alice must relay media through a TURN server in order to connect with the Twilio SFU. This adds marginal latency (< 50ms) because the TURN server is now relaying media between Alice and the Twilio media server, rather than Alice directly communicating with the media server.

diagram of UDP Single Port Restricted Client Network Environment.

3. All traffic blocked except TCP port 443

In an environment where only TCP/TLS port 443 is allowed, the client must relay through the TURN server in order to connect with the SFU. This adds higher latency (> 50ms) because the TURN server is now relaying media using TCP/TLS between the client and the media server. TCP/TLS adds delivery acknowledgements and retransmission, which can further delay transmission of real-time media.

diagram of TCP Restricted Client Network Environment.