

# Delivering outputs via your VPC
<a name="delivery-out-vpc"></a>

You can set up a MediaLive channel to have output endpoints in Amazon Virtual Private Cloud (Amazon VPC). This delivery mode is useful if an important output destination for your channel is an address in your VPC.

The output destination in your VPC is typically an address in Amazon EC2. It could also be a bucket in Amazon Simple Storage Service (Amazon S3), if you have set up VPC endpoints for Amazon S3. You might want to send output to your VPC so that you can perform post-processing, or so that you can deliver the video over AWS Direct Connect. 

If you don't have a VPC, you can stop reading this section. You will always set up the channel in the regular way, with endpoints in MediaLive. You don't have to perform any special setup in order to set up channels in the regular way.

## Rules and constraints
<a name="vpc-out-rules"></a>

The following rules apply to a channel that is set up for delivery via your VPC:
+ You can't change an existing channel to either start delivering to your VPC or stop delivering via your VPC.
+ The [channel class](plan-redundancy-mode.md) can be either standard or single-pipeline.
+ You can't change the channel class on an existing channel.
+ You can't include multiplex output groups in the channel.
+ The channel can have output groups with destinations in your VPC, with destinations at other locations (such as AWS Elemental MediaPackage), and with destinations on the public internet.

**Note**  
The information in this section assumes that you are very familiar with Amazon Virtual Private Cloud, with AWS PrivateLink, with AWS Direct Connect, and with general networking practices. 

**Topics**
+ [Rules and constraints](#vpc-out-rules)
+ [How VPC delivery works](vpc-out-how-it-works.md)
+ [Getting ready](vpc-out-get-ready-subnets.md)
+ [Setting up for VPC delivery](vpc-out-setup-steps.md)
+ [Changing the setup](vpc-out-change.md)
+ [Identifying subnet and Availability Zone requirements](vpc-out-AZ-subnet-reqs.md)

# How VPC delivery works
<a name="vpc-out-how-it-works"></a>

VPC delivery applies to each MediaLive channel. You can have some channels that deliver via your VPC, and other channels that deliver in the regular way.

With VPC delivery, the endpoints for the channel are in your VPC, rather than in the VPC that MediaLive owns. This setup provides benefits including improved security, because the output doesn't have to go to the boundary of the public internet to reach the output destinations that are in your VPC.

The following diagram illustrates how VPC delivery works. The blue box is a channel with two pipelines. The orange box is your VPC. Notice that the endpoints for the two pipelines are in your VPC. In this example, you have only one output group, with a destination in EC2 in your VPC. This output group might be an HLS output group being sent to an HTTP server on your EC2 instance. 

![\[MediaLive channel diagram showing two pipelines with endpoints connecting to output destinations in a VPC.\]](http://docs.aws.amazon.com/medialive/latest/ug/images/vpc-delivery-overview.png)

The following diagram illustrates a channel with three output groups: 
+ The destination for one output group is on your EC2 instance. 
+ The destination for the output shown at the top is on MediaPackage. The output leaves the pipeline endpoint, goes to the boundary of AWS (the gray box), and comes back in, to the destination on AWS Elemental MediaPackage.
+ The destination for the output shown at the bottom is on the public internet. The output leaves the pipeline, then leaves AWS and enters the public internet.

![\[MediaLive channel diagram showing pipelines, endpoints, and destinations for EC2, MediaPackage, and public internet.\]](http://docs.aws.amazon.com/medialive/latest/ug/images/vpc-delivery-overview-multi-outputs.png)

You set up for delivery to your VPC as follows:
+ Identify subnets and security groups in your VPC for the channel endpoints.
+ Identify subnets and security groups for the output destinations, for those outputs groups with destinations in your VPC.
+ Determine if you need to identify Elastic IP addresses to associate with the channel.
+ Check the permissions that are required for your trusted entity role for MediaLive. You must update the role if your channel uses a custom trusted entity role, rather than the built-in MediaLiveAccessRole role that is available through the console. For more information, see [Access requirements for the trusted entity](trusted-entity-requirements.md).
+ Update the IAM policies for users. For more information, see [Reference: summary of non-administrator user access requirements](setup-users-step-1-summary.md).
+ When you create a channel, you must include this subnet, security group, and Elastic IP address information in the channel configuration.

The following sections describe this setup in detail.

# Getting ready
<a name="vpc-out-get-ready-subnets"></a>

An Amazon VPC user must set up the VPC and identify subnets and security groups for the MediaLive channel. 

**To set up the VPC**

1. Provide your Amazon VPC user with the following guidelines:
   + Guideline for the subnets and Availability Zones – See [Identifying subnet and Availability Zone requirements](vpc-out-AZ-subnet-reqs.md)
   + Guideline for the security group for channel endpoints subnets – The security group or groups must follow these rules: 
     + The combined rules of the security groups must allow outbound traffic from the endpoint to all the output destinations. These destinations might be in your VPC, on AWS services, or on the public internet.
   + Guideline for the security group for destination subnets – The security group or groups must follow these rules: 
     + The combined rules of the security groups must allow inbound traffic from the channel endpoints. 

1. Determine if you need to identify EIPs to associate with the channel. If the channel has output groups with destinations outside your VPC, you must provide a mechanism for the content to leave the VPC. One way to do this is to associate EIPs with the channel endpoints. These endpoints appear in the diagram in [How VPC delivery works](vpc-out-how-it-works.md). Speak to the Amazon VPC user about your requirements. 

   If you decide to associate EIPs with the channel endpoints, identify those EIPs. 

1. After the Amazon VPC user has performed the setup, obtain the following information:
   + The ID of the VPC or VPCs.
   + The IDs of the subnets and Availability Zones for the channel endpoints.
   + The IDs of the subnets and Availability Zones for the destinations. 
   + The IDs of the security groups for the subnets.
   + The elastic IP address to associate with the elastic network interfaces of the channel endpoints.

1. Delivery via the VPC depends on appropriate setup of routing and DNS in the VPC network. Provide the Amazon VPC user with these guidelines:
   + If you expect addresses with a domain name to reach the VPC, or if you expect the VPC to reach addresses with a domain name, you must set up a DNS to resolve those domain names. This requirement applies equally to AWS services that might have domain names.
   + If any communication with the public internet is expected, you will need either a NAT or an Internet Gateway in your VPC.
   + Inside the VPC, you must configure routing tables, to allow communication between the subnets you intend to use.
   + All IP addresses must be IPv4.
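As an added example (not MediaLive's own code), the following Python checks a planned rule set against the two security group guidelines in step 1: the combined egress of the endpoint security groups must reach every output destination, and the combined ingress of a destination's security groups must admit each channel endpoint subnet. All rules and addresses are constructed; the public destination uses a TEST-NET-3 address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security group rule in the shape EC2 uses: protocol 'tcp', 'udp'
    or '-1' for all traffic, an inclusive port range and an IPv4 CIDR."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str


@dataclass(frozen=True)
class Destination:
    name: str
    ip: str
    port: int
    protocol: str = "tcp"


def _port_proto_ok(rule: Rule, port: int, protocol: str) -> bool:
    if rule.protocol == "-1":
        return True
    return rule.protocol == protocol and rule.from_port <= port <= rule.to_port


def unreachable_destinations(egress: list[Rule], dests: list[Destination]) -> list[str]:
    """Destinations that no egress rule on the endpoint security groups permits."""
    missing = []
    for d in dests:
        ip = ipaddress.ip_address(d.ip)
        if not any(_port_proto_ok(r, d.port, d.protocol)
                   and ip in ipaddress.ip_network(r.cidr) for r in egress):
            missing.append(d.name)
    return missing


def blocked_endpoint_subnets(ingress: list[Rule], endpoint_cidrs: list[str],
                             dest: Destination) -> list[str]:
    """Endpoint subnets the destination's ingress rules do not fully admit.
    The endpoint ENI takes any free address in its subnet, so a rule must
    cover the whole subnet block, and every block must be IPv4."""
    blocked = []
    for cidr in endpoint_cidrs:
        net = ipaddress.ip_network(cidr)
        if not (net.version == 4 and any(
                _port_proto_ok(r, dest.port, dest.protocol)
                and ipaddress.ip_network(r.cidr).supernet_of(net) for r in ingress)):
            blocked.append(cidr)
    return blocked


# Constructed sample: two endpoint subnets (standard channel), an HLS HTTP
# server inside the VPC and one destination on the public internet.
ENDPOINT_SUBNETS = ["10.1.128.0/24", "10.1.129.0/24"]
DESTS = [Destination("hls-origin-in-vpc", "10.1.200.10", 443),
         Destination("public-cdn-ingest", "203.0.113.10", 443)]
ENDPOINT_EGRESS = [Rule("tcp", 443, 443, "10.1.0.0/16")]    # misses the public destination
ORIGIN_INGRESS = [Rule("tcp", 443, 443, "10.1.128.0/24")]   # admits pipeline 0 only
```

Running `unreachable_destinations(ENDPOINT_EGRESS, DESTS)` reports the public destination, and `blocked_endpoint_subnets(ORIGIN_INGRESS, ENDPOINT_SUBNETS, DESTS[0])` reports the pipeline 1 subnet, which is the gap that would surface only after the standard channel failed over.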

# Setting up for VPC delivery
<a name="vpc-out-setup-steps"></a>

**Note**  
The information in this section assumes that you are familiar with the general steps for [creating a channel](creating-channel-scratch.md). It also assumes that you have read [Planning a MediaLive workflow](container-planning-workflow.md) and have planned the workflow for the MediaLive channel.

**To set up for VPC delivery**

Follow these steps at some point when you are creating the channel.

1. On the **Create channel** page, choose **Channel and input details** in the navigation pane.

1. Complete the **Output delivery** section:
   + **Delivery method** – Choose **VPC**.
   + **VPC settings** – Choose **Select subnets and security groups**. 
   + **Subnets** – Choose one of the subnets that you obtained. The dropdown list shows subnets in all VPCs, identified as follows:

     `<subnet ID> <Availability Zone of subnet> <IPv4 CIDR block of subnet> <VPC ID> <Subnet tag called "Name", if it exists>`

     For example:

     **subnet-1122aabb us-west-2a 10.1.128.0/24 vpc-3f139646 Subnet for VPC endpoints**

     If the list of subnets is empty, choose **Specify custom VPC**, and enter the subnet ID in the field. (You need to enter only the subnet ID, for example, **subnet-1122aabb**.) 

     MediaLive associates this subnet with pipeline 0.
   + If your channel is a standard channel, add another subnet. Still in **Subnets**, choose the second subnet. This second time, the dropdown list shows only the subnets in the same VPC as the first subnet.

     MediaLive associates this subnet with pipeline 1.
   + **Security groups** – Choose the security group or groups that you obtained, following the same process as for the subnets. The dropdown list shows security groups belonging to the VPC that you chose, identified as follows:

     `<security group ID> <description attached to this security group> <VPC ID>`
   + **EIPs for endpoints** – If applicable, enter the Elastic IP addresses that you obtained. MediaLive takes the first Elastic IP address that you specify and associates it with pipeline 0. It associates the second Elastic IP address (if applicable) with pipeline 1.

1. Follow these guidelines when you create the output groups in the channel:
   + For the channel output groups that have destinations in your VPC or on Amazon S3, obtain the URL or bucket path. You don't have to modify the destination syntax. If the Amazon VPC user has set up the routing correctly, the outputs will successfully reach these destinations in the VPC.
   + For the channel output groups that have destinations that are not in your VPC, follow the usual procedure. You don't have to modify the destination syntax. If the Amazon VPC user has set up the routing correctly, the outputs will successfully reach the destinations that are outside the VPC. 

**Result**

When you set up for delivery via your VPC, MediaLive creates one or two elastic network interfaces in your VPC. It creates one elastic network interface for a single-pipeline channel, and two for a standard channel.

If you choose to use Elastic IP addresses, MediaLive also associates those Elastic IP addresses with the elastic network interface.

You can view the setup of the delivery point in the [details for the channel](monitoring-console-general.md#monitoring-console). 

# Changing the setup
<a name="vpc-out-change"></a>

If you have set up a MediaLive channel for VPC delivery, note the following:
+ You can't change an existing channel to either start delivering via your VPC or stop delivering via your VPC.
+ You can't change the [channel class](plan-redundancy-mode.md) on an existing channel that is set up for delivery via your VPC.
+ If you add another input that uses your VPC, make sure that it follows the already [established rules](vpc-out-AZ-subnet-reqs.md) for VPCs, subnets, and Availability Zones.
+ If you delete the channel or if you delete all the output groups, MediaLive deletes the elastic network interfaces that it created in your VPC.

# Identifying subnet and Availability Zone requirements
<a name="vpc-out-AZ-subnet-reqs"></a>

Subnets and Availability Zones apply as follows:
+ **Inputs** – Some MediaLive input types are in your VPC, which means that they are in a specific subnet. For example, an RTMP input can be in your VPC. For more information, see [Input types, protocols, and upstream systems](inputs-supported-formats.md).
+ **Endpoints** – The channel endpoints are in a subnet. 
+ **Destinations** – The IP addresses for outputs in the VPC are in a subnet.

You must identify the VPCs and subnets for the MediaLive endpoints and for those of your output destinations that are an address in your VPC. You must consider the following:
+ You must make sure that the setup follows the rules for allocation across subnets and across Availability Zones. See [Use case A – no VPC inputs](vpc-out-caseA.md) and the section that follows it.
+ Each subnet must have a private CIDR block (a range of IP addresses).
+ Each subnet must have at least two unused addresses in that block. 

**Topics**
+ [Use case A – no VPC inputs](vpc-out-caseA.md)
+ [Use case B – channel includes VPC inputs](vpc-out-caseB.md)

# Use case A – no VPC inputs
<a name="vpc-out-caseA"></a>

This use case applies if the MediaLive channel won't have inputs that use the VPC:
+ No MediaConnect inputs
+ No MediaConnect Router inputs
+ No CDI inputs
+ No RTMP VPC inputs
+ No RTP VPC inputs 

Here is a diagram of the setup, when the channel is a standard channel. In this example, the channel has two output groups. Assume that the destinations of both the output groups are on EC2 on your VPC. 

![\[MediaLive channel diagram showing two pipelines with endpoints and destinations for HLS and Microsoft Smooth.\]](http://docs.aws.amazon.com/medialive/latest/ug/images/vpc-delivery-1.png)

**Single-pipeline channels**

You must identify subnets for the following locations:
+ The channel endpoint for pipeline 0 (in the blue box).
+ The destinations for pipeline 0 (in the orange box).

Your setup must observe these rules for VPCs and subnets:
+ You can set up the locations on any number of VPCs.
+ There is no requirement for any of the VPCs or subnets to be the same or different.

Your setup must observe these rules for the Availability Zones of the subnets that you identify:
+ The channel endpoint can be in the same Availability Zone as the destination (or destinations) or in a different Availability Zone. If it is in a different Availability Zone, you will incur outgoing data transfer charges. For more information about pricing, see [https://aws.amazon.com/medialive/pricing/](https://aws.amazon.com/medialive/pricing/). 

**Standard channels**

You must identify subnets for the following:
+ The two channel endpoints (in the blue box).
+ All the destinations (in the orange box).

Your setup must observe these rules for VPCs and subnets:
+ You can set up the locations on any number of VPCs.
+ The subnets for the channel endpoints must be different from each other, but the two subnets must be on the same VPC.
+ There are no other requirements for subnet uniqueness in any of the subnets that you identify.

Your setup must observe these rules for the Availability Zones of the subnets that you identify:
+ The Availability Zones for the two channel endpoints must be different. 
+ Each channel endpoint can be in the same Availability Zone as the destination (or destinations). Or it can be in a different Availability Zone. If you choose to set up with different Availability Zones, you will incur outgoing data transfer charges. For more information about pricing, see [https://aws.amazon.com/medialive/pricing/](https://aws.amazon.com/medialive/pricing/). 

# Use case B – channel includes VPC inputs
<a name="vpc-out-caseB"></a>

This use case applies if the MediaLive channel includes inputs that use the VPC:
+ MediaConnect inputs
+ MediaConnect Router inputs
+ CDI inputs
+ RTMP VPC inputs
+ RTP VPC inputs 

Here is a diagram of the setup, when the channel is a standard channel. In this example, the channel has at least one VPC input. It also has two output groups. Assume that the destinations of both the output groups are on EC2 on your VPC.

![\[MediaLive channel diagram showing input, pipelines, and output destinations for HLS and Microsoft Smooth streaming.\]](http://docs.aws.amazon.com/medialive/latest/ug/images/vpc-delivery-2.png)

**Single-pipeline channels**

You must identify subnets for the following locations:
+ The endpoint for the VPC input for pipeline 0 (in the green box).
+ The channel endpoint for pipeline 0 (in the blue box).
+ The destinations for pipeline 0 (in the orange box).

Your setup must observe these rules for VPCs and subnets:
+ You can set up the locations on any number of VPCs.
+ There is no requirement for any of the VPCs or subnets to be the same or different.

Your setup must observe these rules for the Availability Zones of the subnets that you identify:
+ The endpoint of the VPC input and the channel endpoint must be in the same Availability Zone. This rule exists because both these endpoints are inside the channel pipeline, and the pipeline can't start in one Availability Zone and end in another.

  If the VPC input is already set up in the VPC, it is probably easiest to identify the Availability Zone of that subnet as the shared Availability Zone. 

  If the VPC input isn't yet set up, make sure that the two subnets are in the same Availability Zone.
+ The channel endpoint can be in the same Availability Zone as the destination (or destinations) or in a different Availability Zone. If it is in a different Availability Zone, you will incur outgoing data transfer charges. For more information about pricing, see [https://aws.amazon.com/medialive/pricing/](https://aws.amazon.com/medialive/pricing/). 

**Standard channels**

You must identify subnets for the following:
+ The endpoints for the VPC inputs (in the green box).
+ The channel endpoints (in the blue box).
+ The destinations (in the orange box).

Your setup must observe these rules for VPCs and subnets:
+ You can set up the locations on any number of VPCs.
+ The subnet for the VPC inputs in pipeline 0 and the VPC inputs in pipeline 1 must be on the same VPC. They can be on the same or different subnets.
+ The subnet for the channel endpoint in pipeline 0 and the channel endpoint in pipeline 1 must be different from each other, but the two subnets must be on the same VPC.
+ There are no other requirements for subnet uniqueness in any of the VPCs or subnets that you identify.

Your setup must observe these rules for Availability Zones:
+ The Availability Zones for the two channel endpoints must be different. 
+ Within each pipeline, the endpoint of the VPC input and the channel endpoint must be in the same Availability Zone. This rule exists because both these endpoints are inside the channel pipeline, and the pipeline can't start in one Availability Zone and end in another.

  If the VPC input is already set up in the VPC, it is probably easiest to identify the Availability Zone of that subnet as the shared Availability Zone. 

  If the VPC input isn't yet set up, make sure that the subnets are in the same Availability Zone. 
+ Within each pipeline, each channel endpoint can be in the same Availability Zone as the destination (or destinations). Or it can be in a different Availability Zone. If you choose to set up with different Availability Zones, you will incur outgoing data transfer charges. For more information about pricing, see [https://aws.amazon.com/medialive/pricing/](https://aws.amazon.com/medialive/pricing/). 
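The subnet and Availability Zone rules of use case A and use case B, for both single-pipeline and standard channels, can be checked before anyone touches the console. The following Python is an added example, not MediaLive code; the subnet IDs, VPC IDs and zones are constructed placeholders in the shape the console's subnet list shows.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Subnet:
    """Subnet as listed in the console: ID, Availability Zone, owning VPC."""
    subnet_id: str
    az: str
    vpc_id: str


@dataclass
class Pipeline:
    endpoint: Subnet                    # channel endpoint (blue box)
    destinations: list[Subnet]          # destinations in the VPC (orange box)
    vpc_input: Optional[Subnet] = None  # VPC input endpoint (green box), use case B only


def check_layout(pipelines: list[Pipeline]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings). Errors break a hard rule; warnings flag
    cross-AZ destinations, which are allowed but incur data transfer charges."""
    errors, warnings = [], []
    if len(pipelines) not in (1, 2):
        return ["a channel has one pipeline (single-pipeline) or two (standard)"], warnings
    for i, p in enumerate(pipelines):
        # Use case B: the input endpoint and channel endpoint share an AZ,
        # because a pipeline cannot start in one AZ and end in another.
        if p.vpc_input and p.vpc_input.az != p.endpoint.az:
            errors.append(f"pipeline {i}: VPC input in {p.vpc_input.az} but endpoint in {p.endpoint.az}")
        for d in p.destinations:
            if d.az != p.endpoint.az:
                warnings.append(f"pipeline {i}: destination {d.subnet_id} is in {d.az}, endpoint in {p.endpoint.az}")
    if len(pipelines) == 2:  # additional rules for standard channels
        e0, e1 = pipelines[0].endpoint, pipelines[1].endpoint
        if e0.subnet_id == e1.subnet_id:
            errors.append("standard channel: the two endpoint subnets must differ")
        if e0.vpc_id != e1.vpc_id:
            errors.append("standard channel: both endpoint subnets must be in the same VPC")
        if e0.az == e1.az:
            errors.append("standard channel: the two endpoints must be in different AZs")
        i0, i1 = pipelines[0].vpc_input, pipelines[1].vpc_input
        if i0 and i1 and i0.vpc_id != i1.vpc_id:
            errors.append("standard channel: VPC inputs of both pipelines must be in the same VPC")
    return errors, warnings


# Constructed sample subnets; IDs are placeholders, not real resources.
EP0 = Subnet("subnet-ep0aaaa", "us-west-2a", "vpc-11111111")
EP1 = Subnet("subnet-ep1bbbb", "us-west-2b", "vpc-11111111")
DST_A = Subnet("subnet-dstaaaa", "us-west-2a", "vpc-11111111")
DST_C = Subnet("subnet-dstcccc", "us-west-2c", "vpc-22222222")  # another VPC is allowed
IN0 = Subnet("subnet-in0aaaa", "us-west-2a", "vpc-33333333")
IN1 = Subnet("subnet-in1bbbb", "us-west-2b", "vpc-33333333")
IN1_BAD = Subnet("subnet-in1cccc", "us-west-2c", "vpc-33333333")


def sample_standard_case_b() -> tuple[list[str], list[str]]:
    return check_layout([Pipeline(EP0, [DST_A], IN0), Pipeline(EP1, [DST_C], IN1)])


def sample_broken_case_b() -> tuple[list[str], list[str]]:
    # Same endpoint subnet used twice, and pipeline 1's VPC input in the wrong AZ.
    return check_layout([Pipeline(EP0, [DST_A], IN0), Pipeline(EP0, [DST_A], IN1_BAD)])
```

The valid layout yields no errors and one cross-AZ warning for pipeline 1; the broken one yields three errors (input AZ mismatch, duplicate endpoint subnet, same endpoint AZ).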