Twilio makes HTTP requests to your server to fetch your app's TwiML instructions. Some users prefer to know which IP address the request from Twilio is coming from in order to open up specific ports in a firewall. However, due to the fluid nature of our cloud architecture, we don't have a set range of IPs that requests are sent from or know in advance what they will be.
Because Twilio's requests will be coming from different IP addresses, we instead recommend that you validate that a request came from Twilio by other means:
- If you are interested in confirming the origin of requests coming to your server, each HTTP request contains a cryptographic signature header which can be used to validate that the request is legitimately from Twilio. Please see our documentation on securing your application for more details.
- If your internal network environment requires you to add each connecting IP to an allow list, we suggest hosting a server outside your network (e.g. in a network DMZ) to proxy requests from Twilio into the internal network.
If the inability to have a request come from a static IP address is a serious concern for your enterprise, please contact our sales department to discuss your security needs and other options which might be available.
For more information, see All About Twilio IP Addresses