The Relay service offers many advantages over previous-generation peer-to-peer services because it uses outbound connections for all users, including the host, which removes the need for port forwarding. However, strict firewall policies, QoS rules, or routing configurations may still prevent the service from working as expected.
The IP addresses for Relay allocations are dynamically assigned at runtime, a feature that significantly bolsters security by making it challenging for unauthorized users to conduct DDoS attacks or intercept traffic. This dynamic assignment, while offering a layer of protection, also means that static firewall rules targeting specific IP addresses aren't applicable.
To ensure the smooth operation of the Relay service, you'll need to configure your outbound firewall rules to permit connections to any destination IP address. This approach is designed for flexibility and optimal connectivity, allowing the Relay service to function seamlessly across various network environments.
Ports and Protocols
For API calls—such as creating an allocation, listing available regions, or querying the QoS discovery service—connections operate over TCP using HTTP or HTTPS on ports 80 or 443.
For standard connections to a Relay allocation, whether with or without DTLS enabled, the system uses a port range of 37000 to 37100. This range was refined from the previous broad spectrum of registered/ephemeral ports (1024-65535) to better align with various outbound firewall policies. While the port range is set to optimize compatibility and performance, it's worth noting that it's not adjustable, and specific ports can't be designated.
Most connections will use UDP, except in the case of WebSockets, which use TCP.
In the past, many other peer-to-peer gaming solutions required users to engage in port forwarding. This involved manually configuring firewall settings to direct incoming traffic on a specific port to the computer running the service. While effective, this approach was often technically challenging for the average user and raised potential security risks.
In contrast, Relay eliminates the need for such manual configurations by establishing outbound connections for everyone involved. This generally means that most users can use Relay right out of the box without needing to tweak their firewalls. However, be aware that stringent security policies involving outbound firewall rules or stateless firewalls might still necessitate additional adjustments.
Outbound Firewall Rules
Firewall settings often include both inbound and outbound rules. While inbound rules are more commonly configured, certain networks—particularly in corporate settings—operate under an implicit-deny policy for outbound connections. This policy blocks all outbound traffic by default unless specific permissions are set in the firewall's configuration.
If your network operates under such a policy, you or your network security team should configure the following rules to ensure successful connections to the Relay Service:
- Rule 1:
  - Ports: 80, 443
  - Protocol: TCP
  - Destination: Any
- Rule 2:
  - Ports: 37000-37100
  - Protocol: TCP/UDP
  - Destination: Any
Most modern firewalls are stateful, meaning that they are able to match inbound and outbound connections. Therefore, if an outbound TCP connection is established, inbound data will be allowed given the outbound connection was allowed. A stateless firewall does not track connections in this way, which means that you will need to configure inbound rules for your firewall. It should be noted that this is an extremely rare case and reduces security considerably, and you should only configure these rules if you know you have a stateless firewall. To do this, configure the same firewall rules as above, but configure them to be both inbound and outbound.
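The stateful and stateless behaviour described above, modelled as an added example that is not part of the Relay documentation and does not use any real firewall's rule format. The Rule, Packet and Firewall classes and the sample addresses are constructed for illustration, and the inbound rules are assumed to match on the Relay-side port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str     # "out" or "in"
    protos: frozenset  # subset of {"tcp", "udp"}
    ports: frozenset   # Relay-side ports (destination out, source in; assumption)

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    local: tuple       # (ip, port) on the client side
    remote: tuple      # (ip, port) on the Relay side

# Rule 1 and Rule 2 from the list above; destination "Any" means no IP match.
OUTBOUND = [
    Rule("out", frozenset({"tcp"}), frozenset({80, 443})),
    Rule("out", frozenset({"tcp", "udp"}), frozenset(range(37000, 37101))),
]
# Stateless case: the same rules configured as inbound and outbound.
MIRRORED = OUTBOUND + [Rule("in", r.protos, r.ports) for r in OUTBOUND]

class Firewall:
    """Implicit-deny firewall; stateful=True enables connection tracking."""
    def __init__(self, rules, stateful):
        self.rules, self.stateful, self.flows = rules, stateful, set()

    def allows(self, p):
        flow = (p.proto, p.local, p.remote)
        if self.stateful and p.direction == "in" and flow in self.flows:
            return True  # reply to a connection this host opened
        ok = any(r.direction == p.direction and p.proto in r.protos
                 and p.remote[1] in r.ports for r in self.rules)
        if ok and self.stateful and p.direction == "out":
            self.flows.add(flow)  # remember the flow so replies are matched
        return ok

# Constructed sample endpoints (documentation address ranges).
CLIENT = ("192.0.2.10", 50000)
RELAY_IP = "203.0.113.7"

def round_trip(fw, proto, relay_port):
    """True if an outbound packet and its reply both pass the firewall."""
    sent = fw.allows(Packet("out", proto, CLIENT, (RELAY_IP, relay_port)))
    reply = fw.allows(Packet("in", proto, CLIENT, (RELAY_IP, relay_port)))
    return sent and reply
```

In this model, `round_trip(Firewall(OUTBOUND, False), "udp", 37050)` fails because the reply is dropped, while `Firewall(MIRRORED, False)` passes it but also admits inbound packets that no outbound packet preceded.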