# Setting up a channel security group
<a name="channel-security-groups-setup"></a>

To use a channel security group, you must first have an input security group with the appropriate CIDR allow list rules. Then you can attach that input security group to your channel as a channel security group.

**Note**  
The information in this section assumes that you are familiar with the general steps for [creating a channel](creating-channel-scratch.md) and with [working with input security groups](working-with-input-security-groups.md).

# Step 1: Create or identify an input security group
<a name="channel-security-groups-create-isg"></a>

Before you create the channel, you must have an input security group that contains the CIDR allow list rules for the downstream systems that will connect to your SRT outputs configured in listener mode.

1. Identify the IP addresses of the downstream systems (SRT callers) that will connect to your MediaLive channel. These are the systems that will initiate connections to MediaLive.

1. If you don't already have an input security group with these IP addresses, create one. For instructions, see [Creating an input security group](create-input-security-groups.md).

   If you already have an input security group with the appropriate CIDR rules, you can reuse it. The same input security group can be used for both input security and channel security.

1. Make a note of the input security group ID. You will need this when you create the channel.

# Step 2: Attach the channel security group to the channel
<a name="channel-security-groups-attach"></a>

When you create a channel with SRT outputs in listener mode, you must attach a channel security group.

1. On the **Create channel** page, choose **Channel and input details** in the navigation pane.

1. In the **General settings** section, find the **Channel security groups** field.

1. From the dropdown list, select the input security group that you want to use as the channel security group.

   The dropdown list shows all input security groups in your account, identified by their ID and any tags.

1. Continue creating the channel, including configuring your SRT outputs in listener mode. For information about creating SRT outputs, see [Creating an SRT output group](opg-srt.md).

**Result**

When you create the channel, MediaLive retrieves the CIDR rules from the input security group and applies them to control access to the channel's outputs. Downstream systems with IP addresses in the allow list can now connect to the SRT listener endpoints on your channel.