

# Setting up a CDI input
<a name="input-create-cdi-push"></a>

This section describes how to create a CDI push input. With a CDI source, the upstream system *pushes* the content to MediaLive. 

To perform this setup, you must work with an Amazon VPC user, with an operator at the upstream system, and you must work within MediaLive.

**Note**  
Make sure that the content provider is using the latest version of the [AWS CDI SDK](https://aws.amazon.com/media-services/resources/cdi/) on their CDI source device.

**Topics**
+ [Request setup on the VPC](setup-vpc-cdi-vpc.md)
+ [Create a CDI input](setup-input-cdi-vpc.md)
+ [Ensure correct setup on the upstream system](setup-uss-cdi-vpc.md)
+ [Result of this procedure](setup-result-cdi-vpc.md)

# Request setup on the VPC
<a name="setup-vpc-cdi-vpc"></a>

An Amazon VPC user must set up the VPC, and identify subnets and security groups that both the upstream system and MediaLive will use. 

**To set up the VPC**

1. Provide the Amazon VPC user with the following guidelines.
   + Guideline for the subnets – Request two subnets. You need two subnets because a CDI input is always a [standard-class input](class-channel-input.md), even if your channel is a single-pipeline channel. For information about input classes, see [Choosing the channel class and input class](class-channel-input.md).

     These rules apply:
     + The two subnets must be in different Availability Zones.
     + Each subnet must have a private CIDR block (a range of IP addresses).
     + Each subnet must have at least two unused addresses in that block—one for the upstream system and one for the CDI input.
     + Any other VPC-based sources (source B) that you create for use in the same channel as this CDI source (source A) must be in subnets that are in the same Availability Zones as source A. The two subnets of source B can be different from the subnets of source A, but the Availability Zones of those two subnets must be the same as the Availability Zones of source A.
   + Guideline for the security group – the security group or groups for each subnet must follow these rules:
     + The combined inbound rules of the security groups must allow inbound traffic from the IP addresses of the upstream system that is in that subnet.
     + The subnet must have an EFA-enabled security group. To create this type of security group and for information about its rules, see the [Amazon Elastic Compute Cloud User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa-start.html). 

1. After the Amazon VPC user has performed the setup, obtain the following information:
   + The ID of the VPC. For example: `vpc-3f139646`
   + The IDs of the two subnets. For example, one subnet might have this ID: `subnet-1122aabb`
   + The IDs of the security groups for the subnet or subnets. For example: `sg-51530134`
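
A pre-flight check for the subnet and security group guidelines above, as an added example (not part of the MediaLive documentation or any AWS tool). It assumes input shaped like the EC2 `describe-subnets` and `describe-security-groups` responses; the second subnet ID, the upstream addresses and the sample rules are constructed, and the EFA test assumes the self-referencing all-traffic rule that the Amazon EC2 User Guide describes for EFA security groups.

```python
import ipaddress

def check_cdi_vpc(subnets, security_groups, upstream_ips):
    """Return a list of guideline violations; an empty list means the setup passes."""
    problems = []
    if len(subnets) != 2:
        problems.append("need exactly two subnets")
    if len({s["AvailabilityZone"] for s in subnets}) != len(subnets):
        problems.append("subnets must be in different Availability Zones")
    if len({s["VpcId"] for s in subnets}) > 1:
        problems.append("subnets must be in the same VPC")
    for s in subnets:
        if not ipaddress.ip_network(s["CidrBlock"]).is_private:
            problems.append(f"{s['SubnetId']}: CIDR block is not private")
        if s["AvailableIpAddressCount"] < 2:
            problems.append(f"{s['SubnetId']}: fewer than two unused addresses")
    # Combined inbound rules must admit every upstream address.
    # Only source ranges are compared here; protocol and port are not checked.
    allowed = [ipaddress.ip_network(r["CidrIp"])
               for g in security_groups
               for p in g.get("IpPermissions", [])
               for r in p.get("IpRanges", [])]
    for ip in upstream_ips:
        if not any(ipaddress.ip_address(ip) in net for net in allowed):
            problems.append(f"{ip}: no inbound rule allows this upstream address")
    # Assumed EFA rule: all traffic to and from the group itself, in both directions.
    def self_ref(group, key):
        return any(p["IpProtocol"] == "-1" and
                   any(u["GroupId"] == group["GroupId"]
                       for u in p.get("UserIdGroupPairs", []))
                   for p in group.get(key, []))
    if not any(self_ref(g, "IpPermissions") and self_ref(g, "IpPermissionsEgress")
               for g in security_groups):
        problems.append("no EFA-enabled security group")
    return problems

# Constructed sample data; the first subnet, VPC and group IDs reuse this page's examples.
SUBNETS = [
    {"SubnetId": "subnet-1122aabb", "VpcId": "vpc-3f139646", "AvailabilityZone": "us-west-2a",
     "CidrBlock": "10.30.30.0/24", "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-3344ccdd", "VpcId": "vpc-3f139646", "AvailabilityZone": "us-west-2b",
     "CidrBlock": "10.40.40.0/24", "AvailableIpAddressCount": 200}]
SELF = {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-51530134"}]}
SG = {"GroupId": "sg-51530134", "IpPermissionsEgress": [SELF],
      "IpPermissions": [SELF, {"IpProtocol": "-1", "IpRanges": [
          {"CidrIp": "10.30.30.10/32"}, {"CidrIp": "10.40.40.10/32"}]}]}
UPSTREAM_IPS = ["10.30.30.10", "10.40.40.10"]
```

Run it against the values the Amazon VPC user hands back before you create the input, so that a same-zone subnet pair or a missing inbound rule is caught before the upstream system starts pushing.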

# Create a CDI input
<a name="setup-input-cdi-vpc"></a>

After the Amazon VPC user has set up the VPC, you can create the CDI input in MediaLive.

This section describes how to create a regular CDI input. Create this type of input if you don't plan to support automatic input failover for the CDI source attached to the channel. (If you do plan to implement it, create [CDI *partner inputs*](input-create-cdi-partners.md) instead.)

**Topics**
+ [Create the CDI input](#cdi-push-create)
+ [IAM role and ARN](#cdi-push-role-and-remember-arn)

## Create the CDI input
<a name="cdi-push-create"></a>

**To create a CDI push input**

1. Open the MediaLive console at [https://console.aws.amazon.com/medialive/](https://console.aws.amazon.com/medialive/).

1. In the navigation pane, choose **Inputs**. On the **Inputs** page, choose **Create input**. 

1. Complete the **Input details** section:
   + **Input name** – enter a name.
   + **Input type** – choose **AWS CDI**. 

1. Complete the **VPC settings** section:
   + Choose **Select subnets and security groups**. 
   + For **Subnets**, choose one of the subnets that you obtained. The dropdown list shows subnets in all VPCs, identified as follows:

     `<subnet ID> <Availability Zone of subnet> <IPv4 CIDR block of subnet> <VPC ID> <Subnet tag called "Name", if it exists>`

     For example:

     **subnet-1122aabb us-west-2a 10.30.30.0/24 vpc-3f139646 Subnet for MLive push inputs**

     If the list of subnets is empty, choose **Specify custom VPC**, and enter the subnet ID in the field. (You need to enter only the subnet ID, for example, **subnet-1122aabb**.) 
   + In **Subnets**, choose the second subnet. This second time, the dropdown list shows only the subnets in the same VPC as the first subnet.
   + For **Security groups**, choose the security group or groups that you obtained, following the same process as for the subnets. The dropdown list shows security groups belonging to the VPC that you chose, identified as follows:

     `<security group ID> <description attached to this security group> <VPC ID>`

     For example:

     **sg-51530134 Security group for MLive push inputs vpc-3f139646**

1. Complete the **Role ARN** section to choose a role for MediaLive to use with this input. For more information, see [IAM role and ARN](#cdi-push-role-and-remember-arn). 

1. In the **Tags** section, create tags if you want to associate tags with this input. For more information, see [Tagging resources](tagging.md).

1. Choose **Create**.

   MediaLive creates the input and automatically creates two endpoints on that input. These endpoints have a private IP address from the subnet range, and they specify port 5000. For example:

   `10.30.30.33:5000`

   `10.30.30.44:5000` 

1. Provide the upstream system with these endpoints:
   + If you will set up the channel as a standard channel, provide both endpoints. The upstream system must push the content to both endpoints.
   + If you will set up the channel as a single-pipeline channel, provide only the first endpoint. The upstream system must push to this one endpoint.

## IAM role and ARN
<a name="cdi-push-role-and-remember-arn"></a>

This section describes how to complete the **Role ARN** section on the **Create input** pane of the MediaLive console, when you create a CDI input.

You must choose a role for MediaLive to assume when it creates a CDI input. To create the input, MediaLive must obtain the network interfaces for the two endpoints in the input. These endpoints are in the CIDR range of the subnets that you identified. As soon as you choose **Create** for this input, MediaLive requests these network interfaces from Amazon VPC. The role that you choose ensures that MediaLive succeeds in its request to Amazon VPC.

**Note**  
This section on the MediaLive console is identical to the **IAM role** section on the **Create channel** page (also on the MediaLive console). The difference in the two usages is that on the **Create input** page, you are attaching the role to the input. On the **Create channel** page, you are attaching the role to the channel. You can use the same role (for example, the **MediaLiveAccessRole**) in both usages.

There are two general scenarios for choosing a role, depending on whether your organization has a designated administrator.

### Your organization has a designated administrator
<a name="cdi-push-role-scenario-1"></a>

Your organization might have an administrator who manages this service. That administrator has likely set up one or more roles: 
+ Ask the administrator or your manager which role to use. Or if only one role is listed in **Use existing role**, choose that role. 
+ If the only role that is listed is **MediaLiveAccessRole**, choose that role. In addition, if the **Update** button is displayed beside this role name, choose the button. (The button does not always appear, but whenever it does appear, choose it to refresh the role.)
+ If you want the selected role to appear first in the list next time, select **Remember ARN**. 

### Your organization has no administrator
<a name="cdi-push-role-scenario-2"></a>

Your organization might not have a designated service administrator. In this case, if none of your colleagues have set up a suitable role, you might have to create one yourself and then choose it. 
+ You can create the default role, called **MediaLiveAccessRole**. To first check if someone else has already created this role (only one person needs to create it for all users in your AWS account), look at **Create role from template**:
  + If this option is grayed out, this task has been done. In that case, choose **Use existing role**, and then choose **MediaLiveAccessRole** from the list. 
  + If this option is not grayed out, choose **Create role from template**, and then choose **Create IAM role**. Next, choose that role from the list. If MediaLive does not let you create the role, speak to an administrator in your organization about your IAM permissions. 
+ If the **MediaLiveAccessRole** has already been created and the **Update** button is displayed beside it, choose the button. (The button does not always appear, but whenever it does appear, choose it to refresh the role.)
+ If you want the selected role to appear first in the list next time, select **Remember ARN**.

# Ensure correct setup on the upstream system
<a name="setup-uss-cdi-vpc"></a>

After you create the CDI input, you must make sure that the operator at the upstream system sets up correctly with your VPC, and that they push content to the correct locations in MediaLive.

**To set up for a standard channel**

If the planned channel is a [standard channel](plan-redundancy.md), you must ensure that the operator at the upstream system provides two sources.

1. Provide the operator with this information:
   + The IDs of the VPC, two subnets, and the security groups that the Amazon VPC user gave you in [step 1](setup-vpc-cdi-vpc.md).
   + The two endpoints (URLs) that MediaLive generated when you created the CDI input. These endpoints are the addresses in the blue boxes in [the diagram after this procedure](setup-result-cdi-vpc.md). These URLs each have a private IP address from the subnet range, and they specify port 5000. For example: 

     `10.30.30.33:5000`

     `10.40.40.44:5000`

1. Make sure that the operator sets up properly for a standard channel. They must do the following:
   + Set up two output interfaces. Set up one upstream system with one output interface in one of the subnets, and set up the other upstream system with one output interface in the other subnet. These interfaces are the addresses in the purple boxes in [the diagram after this procedure](setup-result-cdi-vpc.md).
   + Make sure that the two content sources are identical in terms of video resolution and bitrate.
   + Push to the correct URLs on MediaLive. For example, they must push to:

     `10.30.30.33:5000`

     `10.40.40.44:5000`

**To set up for a single-pipeline channel**
+ There will be one upstream system that sends content to only one of the subnets in the VPC. 
+ The content will flow from the VPC to one of the endpoints on the input. The other endpoint will never be used. 
+ MediaLive will ingest the single source content.

1. Provide the operator with this information:
   + The IDs of the VPC, one of the subnets, and all of the security groups that the Amazon VPC user gave you.
   + Only the first of the two endpoints (URLs) that MediaLive generated when you created the CDI input. This endpoint is one of the addresses in the blue box in [the diagram after this procedure](setup-result-cdi-vpc.md). The URL has a private IP address from the subnet range, and it specifies port 5000. For example:

     `10.30.30.33:5000`

1. Make sure that the operator sets up properly for a single-pipeline channel. They must:
   + Set up one upstream system.
   + Set up one output interface. The interface is the address in one of the purple boxes in [the diagram after this procedure](setup-result-cdi-vpc.md).
   + Push to the correct URL on MediaLive. For example, they must push to:

     `10.30.30.33:5000`

# Result of this procedure
<a name="setup-result-cdi-vpc"></a>

The results of this setup are illustrated in the diagram that follows. There are three main components:
+ The upstream system (purple boxes).
+ The VPC, with subnets (green boxes), and VPC security groups (yellow boxes).
+ The CDI input (blue box).

The CDI input has one or two *endpoint* URLs (the addresses in the blue box). These endpoints are elastic network interfaces (ENIs) on your VPC. MediaLive has permission (through the IAM trusted entity role) to use these ENIs for its inputs and to manage them automatically.

The upstream system has two outputs. Each output has an IP address in one of the specified subnets in your VPC. The upstream system has permission (through the rules in one or more Amazon VPC security groups) to push content to these endpoints. The upstream system pushes the source content to both endpoints (if you are setting up a standard channel) or to one endpoint (if you are setting up a single-pipeline channel). 

The upstream system has IP addresses in the VPC subnets, and the CDI input has endpoints in the same VPC subnets. In this way, the delivery of the content from the upstream system to MediaLive takes place within the security of the VPC. 

The two IP addresses on the CDI input are fixed for the lifetime of the input. They are fixed, regardless of changes such as modifying other information in the input, or attaching the input to a different channel.

Keep in mind that with a push input, the upstream system must be pushing the video source to the input when you start the channel. The upstream system does not need to be pushing before then. 

At runtime of the channel, MediaLive reacts to the content that is being pushed and ingests it. 

![\[Diagram showing VPC subnets, security groups, and upstream systems connecting to CDI input in MediaLive.\]](http://docs.aws.amazon.com/medialive/latest/ug/images/cdi-vpc-uss-input.png)
