

# Creating SRT outputs in listener mode
<a name="creating-srt-listener-output"></a>

This section describes how to create SRT outputs in listener mode, where downstream systems initiate connections to MediaLive.

**Topics**
+ [Prerequisites for listener mode](srt-listener-prerequisites.md)
+ [Create the SRT output in listener mode](creating-srt-listener-output-group.md)
+ [Additional setup for MediaLive Anywhere channels](srt-listener-emla-setup.md)
+ [Provide connection information to downstream systems](srt-listener-provide-info.md)
+ [Validation rules for listener mode](srt-listener-validation.md)

# Prerequisites for listener mode
<a name="srt-listener-prerequisites"></a>

Before you create SRT outputs in listener mode, you must complete the following prerequisites:

1. **Create or identify a channel security group (Public delivery method only)**: For channels using the Public delivery method, you must attach a channel security group to the channel. The channel security group controls which downstream systems (SRT callers) are allowed to connect to the MediaLive listener endpoints. For information about channel security groups, see [Using channel security groups](feature-channel-security-groups.md).

   For channels using VPC delivery or MediaLive Anywhere channels, the channel security group is not required. Instead, you must configure your network to allow SRT connections from the caller destination to reach the listener endpoints.

1. **Coordinate with downstream systems**: Discuss the following with the operator of each downstream system:
   + The IP addresses that the downstream systems will connect from. You need these addresses to create or update the input security group that the channel security group references.
   + The encryption algorithm: AES 128, AES 192, or AES 256.
   + The passphrase for encryption. The passphrase can be 10 to 79 Unicode characters.
   + The preferred latency (in milliseconds) for packet loss and recovery. The valid range is 120 to 15000 milliseconds.
   + The stream ID, if the downstream system uses this identifier. The stream ID is optional.

1. **Store the passphrase in Secrets Manager**: Follow the steps in [Set up the passphrase in AWS Secrets Manager](srt-output-encryption-asm.md) to store the passphrase in AWS Secrets Manager.

# Create the SRT output in listener mode
<a name="creating-srt-listener-output-group"></a>

After you have completed the prerequisites and coordinated with the downstream systems, you can create the SRT output in listener mode.

1. On the **Create channel** page, choose **Channel and input details** in the navigation pane.

1. **For channels using the Public delivery method only**: In the **General settings** section, find the **Channel security groups** field.

1. **For channels using the Public delivery method only**: From the dropdown list, select the input security group that you want to use as the channel security group.

1. Navigate to the **Output groups** section and choose **Add**.

1. In the **Add output group** section, choose **SRT**, and then choose **Confirm**.

1. In the **SRT settings** section, complete the fields:
   + **Name**: Enter a name for the output group.
   + **Input loss action**: Choose a value. For details, see [Handling loss of video input](feature-input-loss.md).

1. In the **SRT outputs** section, choose the **Settings** link for the output.

1. In the **Destinations** section, configure the listener mode settings:
   + **Connection mode**: Select **LISTENER**.
   + **Listener port**: Enter the port number that MediaLive will listen on. The valid range is 5000 to 5200.

     You must have unique ports for each of the SRT listener outputs on your channel.

     For a standard channel with two pipelines, you must have unique listener ports for each pipeline destination as well.
   + **Stream ID**: Optional. Enter the stream ID if you agreed on one with the downstream systems.
   + **Encryption passphrase secret ARN**: Select the ARN of the secret you created in Secrets Manager.

1. Complete the **Output settings** and **Stream settings** sections as described in [Output > Output settings](creating-srt-caller-output-group.md#srt-caller-output-settings) and [Output > Stream settings](srt-streams.md).

1. After you have finished setting up this output group and its outputs, you can create another output group (of any type), if your plan requires it. Otherwise, go to [Save the channel](creating-a-channel-step9.md).

# Additional setup for MediaLive Anywhere channels
<a name="srt-listener-emla-setup"></a>

If you are creating an SRT listener output on a MediaLive Anywhere channel, there are additional configuration requirements:
+ **Logical interface name**: In the **Destinations** section, you must specify the logical interface for each output in listener mode. This field appears when you create a channel on a MediaLive Anywhere cluster. The logical interface determines which physical network interface on the MediaLive Anywhere node will be used for the SRT listener.
+ **Node interface IPs**: After you create the channel, the destination information will include the node interface IPs. This field displays the IP address that the downstream system should use to connect to the MediaLive Anywhere node. The IP address is associated with the physical interface that is mapped to the logical interface you selected.
  + **In the console**: The node interface IPs are displayed in the **Destinations** table under the **SRT destination settings** section.
  + **Using the API**: The node interface IPs are included in the node describe call as `PhysicalInterfaceIpAddresses`.

  You must provide this IP address to the downstream systems so they can configure their SRT callers to connect to the correct MediaLive Anywhere node interface.

# Provide connection information to downstream systems
<a name="srt-listener-provide-info"></a>

After you create the channel with SRT outputs in listener mode, you must provide connection information to the operators of the downstream systems so they can configure their SRT callers to connect to MediaLive.

**To obtain the connection information**

1. After you have created the channel, select the channel by its name. The channel details appear.

1. Choose the **Destinations** tab.

1. In the **Output destinations** section, find the SRT output group.

1. For each output in the group, note the connection information that downstream systems will need. For a standard channel, there are two sets of information (one for each pipeline). For a single-pipeline channel, there is one set.

   **For MediaLive channels**:
   + In the **Egress endpoints** section under the **Destinations** tab, note the **Source IP** address. This is the IP address that downstream systems should connect to.
   + In the **SRT destination settings** section, note the **Listener port**.
   + Provide the destination to downstream operators in the format `srt://source-ip:listener-port`.

   **For MediaLive Anywhere channels**:
   + In the **SRT destination settings** section under the **Destinations** tab, note the **Node interface IPs**. This is the IP address that downstream systems should connect to.
   + In the same section, note the **Listener port**.
   + Provide the destination to downstream operators in the format `srt://node-interface-ip:listener-port`.

1. Provide these destination URLs to the operators of the downstream systems. The operators must configure their SRT callers to connect to these addresses.

Make sure that the operators at the downstream systems set up as follows:
+ They configure the correct number of connections:
  + If the MediaLive channel is a standard channel, they must connect to both destination addresses for redundancy.
  + If the MediaLive channel is a single-pipeline channel, they must connect to the single destination address.
+ They configure their SRT callers to use the same encryption algorithm and passphrase that you agreed on.
+ They configure their SRT callers to use a latency value. SRT will negotiate and use the maximum of the latency values configured on both sides.
+ If you specified a stream ID in the output configuration, the downstream systems can optionally send a stream ID value during connection. MediaLive accepts connections with any stream ID value (or no stream ID). The stream ID is logged for monitoring and troubleshooting purposes only.
+ Their source IP addresses must be included in the CIDR allow list of the input security group that the channel security group references. Otherwise, MediaLive will reject their connection attempts.

# Validation rules for listener mode
<a name="srt-listener-validation"></a>

MediaLive enforces the following validation rules when you create or update SRT outputs in listener mode:
+ **Channel security group required (Public delivery method only)**: For channels using the Public delivery method, if the channel includes at least one SRT output configured in listener mode, you must attach a channel security group to the channel. If you attempt to create or start a channel using Public delivery with SRT outputs in listener mode but no channel security group, MediaLive returns an error. For channels using VPC delivery or MediaLive Anywhere channels, the channel security group is not required; you must configure your network to allow SRT connections from the caller destination.
+ **Port uniqueness**: Within a single channel, each SRT output in listener mode must use a unique port number. If you attempt to create two outputs with the same port, MediaLive returns an error.
+ **Listener port range**: The port number must be in the range 5000 to 5200 inclusive. 
+ **Cannot remove channel security group**: If the channel has SRT outputs in listener mode, you cannot remove the channel security group. You must first remove all SRT outputs configured in listener mode, or change them to caller mode.
+ **Cannot change mode on running channel**: You cannot change an output's connection mode (from caller to listener or vice versa) while the channel is running. You must stop the channel first.
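
The following pre-flight check applies the limits stated on this page to a planned channel before you enter it in the console: listener port range and uniqueness, latency range, passphrase length, the channel security group requirement for Public delivery, and caller IPs covered by the allow list. It is an added example, not AWS code; the `plan` layout, its key names, and the sample values are assumptions constructed for illustration and are not the MediaLive API shape.

```python
import ipaddress

PORTS = range(5000, 5201)       # listener port: 5000 to 5200 inclusive
LATENCY_MS = range(120, 15001)  # latency: 120 to 15000 ms
PASS_LEN = range(10, 80)        # passphrase: 10 to 79 characters

def preflight(plan):
    """Return a list of problems in a planned listener-mode channel.
    `plan` is a hypothetical layout, not the MediaLive API shape:
      delivery    "PUBLIC", "VPC" or "ANYWHERE"
      allow_cidrs CIDRs of the input security group used as the channel
                  security group (empty if none is attached)
      listeners   one entry per pipeline destination; passphrase_len is
                  recorded so the passphrase itself stays in Secrets Manager
    """
    problems = []
    public = plan["delivery"] == "PUBLIC"
    nets = [ipaddress.ip_network(c) for c in plan.get("allow_cidrs", [])]
    if public and plan["listeners"] and not nets:
        problems.append("channel: Public delivery needs a channel security group")
    seen = {}  # port -> first output that claimed it
    for out in plan["listeners"]:
        name, port = out["name"], out["port"]
        if port not in PORTS:
            problems.append(f"{name}: port {port} outside 5000-5200")
        if port in seen:
            problems.append(f"{name}: port {port} already used by {seen[port]}")
        seen.setdefault(port, name)
        if out["latency_ms"] not in LATENCY_MS:
            problems.append(f"{name}: latency {out['latency_ms']} ms outside 120-15000")
        if out["passphrase_len"] not in PASS_LEN:
            problems.append(f"{name}: passphrase length outside 10-79")
        for ip in out["caller_ips"] if public else []:
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                problems.append(f"{name}: caller {ip} not in the allow list")
    return problems

# Constructed sample: out-b breaks four rules, out-a none.
SAMPLE_PLAN = {
    "delivery": "PUBLIC",
    "allow_cidrs": ["203.0.113.0/24"],
    "listeners": [
        {"name": "out-a", "port": 5001, "latency_ms": 2000,
         "passphrase_len": 24, "caller_ips": ["203.0.113.10"]},
        {"name": "out-b", "port": 5001, "latency_ms": 100,
         "passphrase_len": 8, "caller_ips": ["198.51.100.7"]},
    ],
}
```

Calling `preflight(SAMPLE_PLAN)` returns four problems, all for `out-b`; an empty list means the plan is consistent with the rules on this page.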