

# Using channel security groups
<a name="feature-channel-security-groups"></a>

You can configure a MediaLive channel to use a channel security group. A channel security group controls inbound traffic associated with the channel's outputs. This feature enables pull-style outputs, where downstream systems initiate connections to MediaLive.

Channel security groups are required when you configure SRT outputs in listener mode. In listener mode, MediaLive acts as the server, listening on a local socket for external systems to establish connections.

**Topics**
+ [About channel security groups](channel-security-groups-about.md)
+ [When to use channel security groups](channel-security-groups-use-cases.md)
+ [How channel security groups work](channel-security-groups-how-it-works.md)
+ [Rules and constraints](channel-security-groups-rules.md)
+ [Setting up a channel security group](channel-security-groups-setup.md)
+ [Managing channel security groups](channel-security-groups-manage.md)

# About channel security groups
<a name="channel-security-groups-about"></a>

A channel security group allows you to control which IP addresses can connect to your MediaLive channel outputs. This is similar to how input security groups control which IP addresses can push content to MediaLive inputs.

To configure a channel security group, you select an input security group from your account. MediaLive uses the CIDR allow list rules from that input security group to control which downstream systems can connect to the channel's outputs.

**Key characteristics**
+ A channel security group references an input security group and applies its CIDR rules to the channel's outputs.
+ You can attach at most one channel security group to a channel.
+ The same input security group can be referenced by multiple channels as their channel security group.
+ When you update the CIDR rules in an input security group, those changes automatically apply to all channels that reference it as their channel security group.

# When to use channel security groups
<a name="channel-security-groups-use-cases"></a>

Channel security groups are required in the following situations:
+ **SRT outputs in listener mode** – When you configure an SRT output in listener mode, you must attach a channel security group to the channel. The channel security group defines which downstream systems (SRT callers) are allowed to connect to the MediaLive listener endpoint.

Channel security groups are not used in the following situations:
+ **SRT caller outputs** – When MediaLive acts as the caller (initiating connections to downstream listeners), no channel security group is needed because MediaLive is making outbound connections.
+ **Other output types** – Channel security groups are not applicable to other output types such as HLS, MediaPackage, Archive, or UDP outputs.
+ **MediaLive Anywhere channels** – Channel security groups cannot be used with AWS Elemental MediaLive Anywhere channels. MediaLive Anywhere channels use different security mechanisms.

# How channel security groups work
<a name="channel-security-groups-how-it-works"></a>

When you attach a channel security group to a channel, MediaLive performs the following actions:

1. MediaLive retrieves the CIDR allow list rules from the input security group that you selected.

1. MediaLive creates or updates security group rules to control access to the channel's outputs.

1. These rules allow inbound traffic from the specified CIDR blocks to the ports configured in your SRT outputs that are in listener mode.

**Relationship to input security groups**

Channel security groups and input security groups serve similar purposes but apply to different parts of the channel:
+ **Input security groups** – Control inbound traffic to channel inputs. They define which upstream systems can push content to MediaLive.
+ **Channel security groups** – Control inbound traffic to channel outputs. They define which downstream systems can connect to MediaLive to pull content.

Both use the same underlying mechanism: CIDR allow lists stored in input security groups. This design allows you to reuse existing input security groups for channel security, simplifying management.

# Rules and constraints
<a name="channel-security-groups-rules"></a>

The following rules apply to channel security groups:
+ **Maximum one per channel** – You can attach at most one channel security group to a channel.
+ **Required for SRT outputs in listener mode** – If your channel includes at least one SRT output configured in listener mode, you must attach a channel security group to the channel.
+ **Not allowed without SRT outputs in listener mode** – You cannot attach a channel security group to a channel that has no SRT outputs configured in listener mode.
+ **Not supported for MediaLive Anywhere** – Channel security groups cannot be used with AWS Elemental MediaLive Anywhere channels.
+ **Not supported for VPC channels** – Channel security groups cannot be used with channels that have VPC output delivery configured.
+ **Cannot change on running channel** – You can add, change, or remove a channel security group only when the channel is stopped.
+ **Input security group must exist** – The input security group you select must already exist in your account before you can use it as a channel security group.
+ **Automatic updates** – When you update the CIDR rules in an input security group, those changes automatically apply to all channels using that input security group as a channel security group. You don't need to restart the channels.
+ **Cannot delete in-use input security group** – You cannot delete an input security group if it is being used as a channel security group by any channel. You must first remove the channel security group from all channels, or delete those channels.
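
The rules above can be checked against a channel inventory before a change is submitted. The following is an added example, not AWS code: the `Channel` model, its field names, and the sample IDs are assumptions made for illustration and are not MediaLive API names.

```python
from dataclasses import dataclass, field

@dataclass
class Channel:  # hypothetical model; field names are not MediaLive API names
    name: str
    srt_listener_outputs: int = 0          # count of SRT outputs in listener mode
    security_groups: list = field(default_factory=list)  # input security group IDs
    anywhere: bool = False                 # MediaLive Anywhere channel
    vpc_output: bool = False               # VPC output delivery configured

def violations(ch, known_isg_ids):
    """Return the documented rules that this channel configuration breaks."""
    found, attached = [], ch.security_groups
    if len(attached) > 1:
        found.append("more than one channel security group")
    if ch.srt_listener_outputs and not attached:
        found.append("SRT listener output without a channel security group")
    if attached and not ch.srt_listener_outputs:
        found.append("channel security group without an SRT listener output")
    if attached and ch.anywhere:
        found.append("channel security group on a MediaLive Anywhere channel")
    if attached and ch.vpc_output:
        found.append("channel security group on a VPC channel")
    found += [f"input security group {g} does not exist"
              for g in attached if g not in known_isg_ids]
    return found

def can_delete(isg_id, channels):
    """An input security group is deletable only when no channel references it."""
    return all(isg_id not in ch.security_groups for ch in channels)

# Constructed sample inventory (IDs are made up).
KNOWN_ISGS = {"1111111", "2222222"}
CHANNELS = [
    Channel("news-srt", srt_listener_outputs=1, security_groups=["1111111"]),
    Channel("sports-srt", srt_listener_outputs=2),
    Channel("hls-only", security_groups=["2222222"]),
    Channel("vpc-srt", srt_listener_outputs=1, security_groups=["9999999"], vpc_output=True),
]

if __name__ == "__main__":
    for ch in CHANNELS:
        print(ch.name, violations(ch, KNOWN_ISGS) or "ok")
    print("can delete 1111111:", can_delete("1111111", CHANNELS))
```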

# Setting up a channel security group
<a name="channel-security-groups-setup"></a>

To use a channel security group, you must first have an input security group with the appropriate CIDR allow list rules. Then you can attach that input security group to your channel as a channel security group.

**Note**  
The information in this section assumes that you are familiar with the general steps for [creating a channel](creating-channel-scratch.md) and with [working with input security groups](working-with-input-security-groups.md).

# Step 1: Create or identify an input security group
<a name="channel-security-groups-create-isg"></a>

Before you create the channel, you must have an input security group that contains the CIDR allow list rules for the downstream systems that will connect to your SRT outputs configured in listener mode.

1. Identify the IP addresses of the downstream systems (SRT callers) that will connect to your MediaLive channel. These are the systems that will initiate connections to MediaLive.

1. If you don't already have an input security group with these IP addresses, create one. For instructions, see [Creating an input security group](create-input-security-groups.md).

   If you already have an input security group with the appropriate CIDR rules, you can reuse it. The same input security group can be used for both input security and channel security.

1. Make a note of the input security group ID. You will need this when you create the channel.

# Step 2: Attach the channel security group to the channel
<a name="channel-security-groups-attach"></a>

When you create a channel with SRT outputs in listener mode, you must attach a channel security group.

1. On the **Create channel** page, choose **Channel and input details** in the navigation pane.

1. In the **General settings** section, find the **Channel security groups** field.

1. From the dropdown list, select the input security group that you want to use as the channel security group.

   The dropdown list shows all input security groups in your account, identified by their ID and any tags.

1. Continue creating the channel, including configuring your SRT outputs in listener mode. For information about creating SRT outputs, see [Creating an SRT output group](opg-srt.md).

**Result**

When you create the channel, MediaLive retrieves the CIDR rules from the input security group and applies them to control access to the channel's outputs. Downstream systems with IP addresses in the allow list can now connect to the SRT listener endpoints on your channel.

# Managing channel security groups
<a name="channel-security-groups-manage"></a>

After you have created a channel with a channel security group, you can view, update, or remove the channel security group.

# Viewing channel security group details
<a name="channel-security-groups-view"></a>

**To view the channel security group for a channel**

1. Open the MediaLive console.

1. In the navigation pane, choose **Channels**.

1. Choose the channel name to view its details.

1. In the **Details** tab, find the **Channel security groups** field. This field shows the ID of the input security group being used as the channel security group.

1. To view the CIDR rules in the input security group, choose the input security group ID link. This opens the input security group details page.

# Updating or removing a channel security group
<a name="channel-security-groups-update"></a>

You can change which input security group is used as the channel security group, or you can remove the channel security group entirely. However, you can only make these changes when the channel is stopped.

**To update or remove a channel security group**

1. Stop the channel if it is running.

1. In the navigation pane, choose **Channels**.

1. Select the channel, and then choose **Edit**.

1. Choose **Channel and input details** in the navigation pane.

1. In the **General settings** section, find the **Channel security groups** field.

1. To change the channel security group, select a different input security group from the dropdown list.

   To remove the channel security group, clear the selection. Note that you can only remove the channel security group if you also remove all SRT outputs configured in listener mode from the channel.

1. Choose **Update channel**.

# Updating CIDR rules
<a name="channel-security-groups-update-rules"></a>

To update the CIDR allow list rules for a channel security group, you update the underlying input security group. The changes automatically apply to all channels using that input security group as a channel security group.

**To update CIDR rules for a channel security group**

1. In the navigation pane, choose **Input security groups**.

1. Select the input security group that is being used as a channel security group, and then choose **Edit**.

1. Update the CIDR rules as needed. For instructions, see [Editing an input security group](edit-input-security-group.md).

1. Choose **Update**.

**Result**

MediaLive automatically applies the updated CIDR rules to all channels using this input security group as a channel security group. You don't need to restart the channels. The changes take effect immediately.
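
Because an edit reaches every referencing channel immediately and without a restart, it helps to review what a proposed rule change newly admits before choosing **Update**. The following is an added example, not AWS code: the `channel_refs` inventory, the channel names, the IDs, and the `/16` review threshold are assumptions, and the CIDR values are constructed documentation addresses.

```python
import ipaddress

def newly_allowed(old_cidrs, new_cidrs):
    """Return networks admitted by new_cidrs that old_cidrs did not cover."""
    old = [ipaddress.ip_network(c) for c in old_cidrs]
    added = []
    for net in ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in new_cidrs):
        remaining = [net]
        for o in old:
            nxt = []
            for r in remaining:
                if r.subnet_of(o):            # already fully allowed
                    continue
                if o.subnet_of(r):            # partly allowed: keep the rest
                    nxt.extend(r.address_exclude(o))
                else:                         # disjoint from this old rule
                    nxt.append(r)
            remaining = nxt
        added.extend(remaining)
    return [str(n) for n in sorted(added)]

def review_update(isg_id, old_cidrs, new_cidrs, channel_refs, min_prefix=16):
    """Summarize the effect of editing one input security group.

    channel_refs maps channel name -> input security group ID used as its
    channel security group (hypothetical inventory format).
    min_prefix is an assumed review threshold: shorter prefixes are flagged.
    """
    return {
        "affected_channels": sorted(c for c, g in channel_refs.items() if g == isg_id),
        "newly_allowed": newly_allowed(old_cidrs, new_cidrs),
        "broad": [c for c in new_cidrs
                  if ipaddress.ip_network(c).prefixlen < min_prefix],
    }

# Constructed sample: two channels share input security group 1111111.
REFS = {"news-srt": "1111111", "sports-srt": "1111111", "backup-srt": "2222222"}
OLD = ["203.0.113.0/25"]
NEW = ["203.0.113.0/24", "198.51.100.7/32"]

if __name__ == "__main__":
    print(review_update("1111111", OLD, NEW, REFS))
```

The `affected_channels` list is the set of SRT listener endpoints whose allow list changes as soon as the edit is saved.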