WCS 5.21 in AWS - best practices behind a Load Balancer

SysAdmin

New Member
Good morning, I'm hoping you might have recommendations for running the WCS 5.21 behind Load Balancers in AWS. In particular, I'm trying to find a solution to having the server instance's ports open globally. What do you recommend for AWS-specific, security group and LB, handling of these ports:

TCP 1935
TCP 8443
TCP 31000-33000

Can they be locked down or served through a LB? Thanks very much.
 

Max

Administrator
Staff member
Hello.
The ports you ask about can be served through the LB using port forwarding. But there are some nuances if you do not want to open those ports globally.
The port 1935 is a standard RTMP/RTMFP port. It can be forwarded as, for example, 11935 (external) -> 1935 (WCS), but broadcasting software and Flash clients must be configured in this case.
The port 8443 is the default Secure Websocket (wss) port. It can be forwarded as, for example, 18443 (external) -> 8443 (WCS), but web application scripts must be configured.
The ports 31000-33000 are an RTP port range used for media traffic; the specific ports used from this range are determined during the connection setup phase. So they can be forwarded as a range and, if you want to use another range such as 41000-43000, it must be configured in the WCS_HOME/conf/flashphoner.properties file. Note that some protocols use their own range:
Code:
#RTP ports
media_port_from=31001
media_port_to=32000
#RTMP ports
rtmp_port_from=33001
rtmp_port_to=34000
#RTSP ports
rtsp_port_from=32001
rtsp_port_to=33000
#WCS WebRTC ports
wcs_agent_port_from=34001
wcs_agent_port_to=35000
All the ports used by WCS 5.1 are described on this page and this page.
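
An added example (not part of the original posts and not Flashphoner's code): it parses the port ranges quoted in the reply above, reports configured ports that a forwarded range such as the question's 31000-33000 does not cover, and builds ingress rule dicts in the shape of EC2 `IpPermissions` entries for a restricted source. The function names, the source CIDR passed in, and the `tcp` default (taken from the question's port list) are assumptions.

```python
import ipaddress
import re

# Added example; helper names are illustrative. Ranges are the excerpt quoted in the reply.
PROPERTIES = """
media_port_from=31001
media_port_to=32000
rtmp_port_from=33001
rtmp_port_to=34000
rtsp_port_from=32001
rtsp_port_to=33000
wcs_agent_port_from=34001
wcs_agent_port_to=35000
"""

def parse_ranges(text):
    """Return sorted (from, to) pairs for every *_port_from / *_port_to pair."""
    found = {}
    for name, edge, port in re.findall(r"^(\w+)_port_(from|to)=(\d+)\s*$", text, re.M):
        found.setdefault(name, {})[edge] = int(port)
    if any(set(b) != {"from", "to"} or b["from"] > b["to"] for b in found.values()):
        raise ValueError("incomplete or inverted port range")
    return sorted((b["from"], b["to"]) for b in found.values())

def merge(spans):
    """Collapse overlapping or adjacent spans into the fewest rules."""
    out = []
    for lo, hi in sorted(spans):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(hi, out[-1][1]))
        else:
            out.append((lo, hi))
    return out

def uncovered(configured, forwarded):
    """Parts of the configured spans that no forwarded span covers."""
    gaps = []
    for lo, hi in merge(configured):
        # The trailing sentinel span flushes whatever is left after the last forward.
        for f_lo, f_hi in merge(forwarded) + [(hi + 1, hi + 1)]:
            if lo < f_lo and lo <= hi:
                gaps.append((lo, min(hi, f_lo - 1)))
            lo = max(lo, f_hi + 1)
    return gaps

def ingress_rules(spans, source_cidr, protocol="tcp"):
    """Build IpPermissions-style dicts, refusing a world-open source."""
    if ipaddress.ip_network(source_cidr).prefixlen == 0:
        raise ValueError("source CIDR opens the ports globally")
    return [{"IpProtocol": protocol, "FromPort": lo, "ToPort": hi,
             "IpRanges": [{"CidrIp": source_cidr}]} for lo, hi in merge(spans)]
```

With the quoted configuration, `uncovered(parse_ranges(PROPERTIES), [(31000, 33000)])` reports 33001-35000, the RTMP and WCS agent ranges that fall outside the range listed in the question.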
 

Max

Administrator
Staff member
Yes. From the server's point of view there is no difference between NAT and LB; in both cases the ports used should be forwarded through.
 