Alarm Network Settings

Learn about the required network settings for Verkada Alarms

Updated over a week ago

This article outlines the required settings that your Verkada Alarm hubs, panels, and consoles need to communicate with Verkada Command and to operate properly.

Requirement: Verkada devices are incompatible with LANs that require the use of proxy servers or that require Secure Socket Layer (SSL)/Transport Layer Security (TLS) inspection. If either are in use, a bypass for all Verkada devices must be implemented for Verkada devices to communicate with Command.

Power

Alarms devices are powered through Power over Ethernet (PoE), AC power, or battery depending on the device. See the datasheet for specifics on Verkada alarm models.

IP address

Alarm devices need an IPv4 address to communicate to Command through the internet. They use Dynamic Host Configuration Protocol (DHCP), User Datagram Protocol (UDP) ports 67 and 68, to obtain their IP addresses and network configurations.

If you want to have a specific IP address on your alarm hub, panel, or console, set a DHCP reservation using the device’s MAC address (found on the device's label).

Domain Name System

Alarm hubs, panels, and consoles use the DNS server to resolve Verkada’s fully qualified domain names (FQDN) to IP addresses in order to communicate with them. Your DHCP server will tell the device where the DNS server is on the network and the device will communicate using UDP port 53.

Note: DNS over HTTPS (DoH) is currently not supported.

Firewall settings

Verkada devices require access to many endpoints to have the full-featured experience. Many customers may want to restrict devices to only communicate with the specific required endpoints.

These are the general domains to allow, applicable for all organization-regions:

  • *.verkada.com - UDP/123 + TCP+UDP/443

  • 34.216.15.26 - UDP/123

  • *.appcenter.ms - TCP/443

  • global.turn.twilio.com - TCP/443

If your firewall does not allow wildcard masking, or you prefer to have the entire FQDN of the endpoint in your firewall rules, these are the domains to allowlist, by region:

Region: United States

Note: Your region is selected when you create an organization in Command.

  • api.global-prod.control.verkada.com - TCP+UDP/443

  • valarm.global-prod.command.verkada.com - TCP+UDP/443

  • alarms.global-prod.control.verkada.com - TCP+UDP/443

  • vconductor.global-prod.command.verkada.com - TCP+UDP/443

  • vmdm.global-prod.command.verkada.com - TCP+UDP/443

  • valarm.command.verkada.com - TCP+UDP/443

  • alarms.control.verkada.com - TCP+UDP/443

  • vconductor.command.verkada.com - TCP+UDP/443

  • vmdm.command.verkada.com - TCP+UDP/443

  • global.turn.twilio.com - TCP/443

  • *.appcenter.ms - TCP/443

  • relay.global-prod.control.verkada.com - TCP+UDP/443

  • api.control.verkada.com - TCP+UDP/443

  • relay.control.verkada.com - TCP+UDP/443

  • index.control.verkada.com - TCP+UDP/443

  • firmware.control.verkada.com - TCP+UDP/443

  • update.control.verkada.com - TCP+UDP/443

  • time.control.verkada.com - UDP/123

  • user.pyramid.verkada.com - TCP+UDP/443

  • device.pyramid.verkada.com - TCP+UDP/443

  • nlb.verkada.com - TCP+UDP/443

  • device-nlb.verkada.com - TCP+UDP/443

  • 34.216.15.26 - UDP/123

Region: Europe

  • api.global-prod.control.verkada.com - TCP+UDP/443

  • valarm.global-prod.command.verkada.com - TCP+UDP/443

  • alarms.global-prod.control.verkada.com - TCP+UDP/443

  • vconductor.global-prod.command.verkada.com - TCP+UDP/443

  • vmdm.global-prod.command.verkada.com - TCP+UDP/443

  • vbroadcast.command.verkada.com - TCP+UDP/443

  • api.prod2.control.verkada.com - TCP+UDP/443

  • valarm.prod2.command.verkada.com - TCP+UDP/443

  • alarms.prod2.control.verkada.com - TCP+UDP/443

  • vconductor.prod2.command.verkada.com - TCP+UDP/443

  • vbroadcast.prod2.control.verkada.com - TCP+UDP/443

  • vmdm.prod2.command.verkada.com - TCP+UDP/443

  • relay.global-prod.control.verkada.com - TCP+UDP/443

  • vconductor.global-prod.command.verkada.com - TCP+UDP/443

  • relay.prod2.control.verkada.com - TCP+UDP/443

  • index.prod2.control.verkada.com - TCP+UDP/443

  • update.control.verkada.com - TCP+UDP/443

  • vconductor.prod2.command.verkada.com - TCP+UDP/443

  • time.control.verkada.com - UDP/123

All regions

BC51s in all regions require these additional endpoints

  • *.apple.com - TCP/80

  • *.apple.com - TCP/443

  • *.apple.com - TCP/2197

  • *.apple.com - TCP/5223

  • *.apple.com - UDP/123

  • *.mzstatic.com - TCP/80

  • *.mzstatic.com - TCP/443

  • crl.entrust.net - TCP/80

  • crl3.digicert.com - TCP/80

  • crl4.digicert.com - TCP/80

  • ocsp.digicert.com - TCP/80

  • ocsp.entrust.net - TCP/80

  • global.stun.twilio.com - UDP/3478

  • global.turn.twilio.com - UDP/3478

BZ11s in all regions require these additional endpoints:

  • global.stun.twilio.com - UDP/3478

  • global.turn.twilio.com - UDP/3478

Related resources


Need more help? Contact Verkada Support

Did this answer your question?