FAQ
Cloudflare TURN pricing is based on the data sent from the Cloudflare edge to the TURN client, as described in RFC 8656 Figure 1 ↗. This means data sent from the TURN server to the TURN client and captures all data, including TURN overhead, following successful authentication.
Pricing for Cloudflare Realtime TURN service is $0.05 per GB of data used.
Cloudflare's STUN service at stun.cloudflare.com is free and unlimited.
There is a free tier of 1,000 GB before any charges start. Cloudflare Realtime billing appears as a single line item on your Cloudflare bill, covering both SFU and TURN.
Traffic between Cloudflare Realtime TURN and Cloudflare Realtime SFU or Cloudflare Stream (WHIP/WHEP) does not incur any charges.
---
title: Cloudflare Realtime TURN pricing
---
flowchart LR
    Client[TURN Client]
    Server[TURN Server]
    Client -->|"Ingress (free)"| Server
    Server -->|"Egress (charged)"| Client
    Server <-->|Not part of billing| PeerA[Peer A]
Please view Cloudflare's certifications and compliance resources ↗ and contact your Cloudflare enterprise account manager for more information.
TURN protocol, RFC 8656 ↗, does not discuss encryption beyond wrapper protocols such as TURN over TLS. If you are using TURN with WebRTC will encrypt data at the WebRTC level.
Cloudflare Realtime TURN server runs on Cloudflare's global network ↗ - a growing global network of thousands of machines distributed across hundreds of locations, with the notable exception of the Cloudflare's China Network.
Does Cloudflare Realtime TURN use the Cloudflare Backbone or is there any "magic" Cloudflare do to speed connection up?
Cloudflare Realtime TURN allocations are homed in the nearest available Cloudflare data center to the TURN client via anycast routing. If both ends of a connection are using Cloudflare Realtime TURN, Cloudflare will be able to control the routing and, if possible, route TURN packets through the Cloudflare backbone.
What is the difference between Cloudflare Realtime TURN with a enterprise plan vs self-serve (pay with your credit card) plans?
There is no performance or feature level difference for Cloudflare Realtime TURN service in enterprise or self-serve plans, however those on enterprise plans ↗ will get the benefit of priority support, predictable flat-rate pricing and SLA guarantees.
Cloudflare's China Network does not participate in serving Realtime traffic and TURN traffic from China will connect to Cloudflare locations outside of China.
TURN usage shows up in analytics in 30 seconds.
I need to allowlist (whitelist) Cloudflare Realtime TURN IP addresses. Which IP addresses should I use?
Cloudflare Realtime TURN is easy to use by IT administrators who have strict firewalls because it requires very few IP addresses to be allowlisted compared to other providers. You must allowlist both IPv6 and IPv4 addresses.
Please allowlist the following IP addresses:
- 2a06:98c1:3200::1/128
- 2606:4700:48::1/128
- 141.101.90.1/32
- 162.159.207.1/32
Although this is not recommended, we understand there is a very small set of circumstances where hardcoding IP addresses might be useful. In this case, you must set up alerting that detects changes the DNS response from turn.cloudflare.com (A and AAAA records) and update the hardcoded IP address(es) accordingly within 14 days of the DNS change. Note that this DNS response could return more than one IP address. In addition, you must set up a failover to a DNS query if there is a problem connecting to the hardcoded IP address. Cloudflare tries to, but cannot guarantee that the IP address used for the TURN service won't change unless this is in your enterprise contract. For more details about static IPs, guarantees and other arrangements please discuss with your enterprise account team.
TURN service at turn.cloudflare.com will also respond to binding requests ("STUN requests").
Does Cloudflare Realtime TURN support the expired IETF RFC draft "draft-uberti-behave-turn-rest-00"?
The Cloudflare Realtime credential generation function returns a JSON structure similar to the expired RFC draft "draft-uberti-behave-turn-rest-00" ↗, but it does not include the TTL value. If you need a response in this format, you can modify the JSON from the Cloudflare Realtime credential generation endpoint to the required format in your backend server or Cloudflare Workers.
Packet loss is normal in UDP and can happen occasionally even on reliable connections. However, if you observe systematic packet loss, consider the following:
- Are you sending or receiving data at a high rate (>50-100Mbps) from a single TURN client? Realtime TURN might be dropping packets to signal you to slow down.
- Are you sending or receiving large amounts of data with very small packet sizes (high packet rate > 5-10kpps) from a single TURN client? Cloudflare Realtime might be dropping packets.
- Are you sending packets to new unique addresses at a high rate resembling to port scanning ↗ behavior?
There is no defined limit for credential issuance. Start at 500 credentials/sec and scale up linearly. Ensure you use more than 50% of the issued credentials.
You can set a expiration time for a credential up to 48 hours in the future. If you need your TURN allocation to last longer than this, you will need to update ↗ the TURN credentials.
Yes. Cloudflare Realtime is available over both IPv4 and IPv6 for TURN Client to TURN server communication, however it does not issue relay addresses in IPv6 as described in RFC 6156 ↗.
No. Realtime TURN will not respect REQUESTED-ADDRESS-FAMILY STUN attribute if specified and will issue IPv4 addresses only.
No. Realtime does not implement RFC6062 ↗ and will not respect REQUESTED-TRANSPORT STUN attribute.
I am unable to make CreatePermission or ChannelBind requests with certain IP addresses. Why is that?
Cloudflare Realtime denies CreatePermission or ChannelBind requests if private IP ranges (e.g loopback addresses, linklocal unicast or multicast blocks) or IP addresses that are part of BYOIP are used.
If you are a Cloudflare BYOIP customer and wish to connect to your BYOIP ranges with Realtime TURN, please reach out to your account manager for further details.
There is no maximum duration limit for a TURN allocation. Per RFC 8656 Section 3.2 ↗, once a relayed transport address is allocated, a client must keep the allocation alive. To do this, the client periodically sends a Refresh request to the server. The Refresh request needs to be authenticated with a valid TURN credential. The maximum duration for a credential is 48 hours. If a longer allocation is required, a new credential must be generated at least every 48 hours.
How often does Cloudflare perform maintenance on a server that is actively handling a TURN allocation? What is the impact of this?
Even though this is not common, in certain scenarios TURN allocations may be disrupted. This could be caused by maintenance on the Cloudflare server handling the allocation or could be related to Internet network topology changes that cause TURN packets to arrive at a different Cloudflare datacenter. Regardless of the reason, ICE restart ↗ support by clients is highly recommended.
Cloudflare Realtime will immediately stop billing and recording usage for analytics. After a short delay, the connection will be disconnected.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark