

# Creating an SRT output group
<a name="opg-srt"></a>

When you create an AWS Elemental MediaLive channel, you might want to include an SRT output group. For information about the use cases for an SRT output group, see [Containers, protocols, and downstream systems](outputs-supported-containers-downstream-systems.md).

With an SRT output group, you can create one or more outputs. Each output is an SPTS with its own destination.

SRT outputs support two connection modes:
+ **Caller mode**: MediaLive initiates connections to downstream systems. MediaLive is the caller and sender. The downstream system is the listener and receiver. MediaLive initiates the handshake with the downstream system, and after the handshake is accepted, MediaLive sends the content to the downstream system.
+ **Listener mode**: Downstream systems initiate connections to MediaLive. MediaLive is the listener and sender. The downstream system is the caller and receiver. The downstream system initiates the handshake with MediaLive, and after the handshake is accepted, MediaLive sends the content to the downstream system.

The output content must be encrypted, so you must use AWS Secrets Manager to store a passphrase that MediaLive will use to encrypt the content.

This section includes specific guidelines if you are sending the SRT output to an AWS Elemental MediaConnect flow.

**Topics**
+ [Selecting the SRT connection mode](srt-connection-mode-selection.md)
+ [Organize encodes in an SRT output group](design-srt-package.md)
+ [Plan for delivery using Amazon VPC](srt-get-ready.md)
+ [Set up the passphrase in AWS Secrets Manager](srt-output-encryption-asm.md)
+ [Creating SRT outputs in caller mode](creating-srt-caller-output.md)
+ [Creating SRT outputs in listener mode](creating-srt-listener-output.md)
+ [Output > Stream settings](srt-streams.md)

# Selecting the SRT connection mode
<a name="srt-connection-mode-selection"></a>

When you create an SRT output group, you must choose the connection mode for each output. The connection mode determines how MediaLive and the downstream system establish the SRT connection.

The following table compares the two connection modes:


| Characteristic | Caller mode | Listener mode | 
| --- | --- | --- | 
| Connection initiation | MediaLive initiates connections to downstream systems | Downstream systems initiate connections to MediaLive | 
| MediaLive role | Caller and sender | Listener and sender | 
| Downstream role | Listener and receiver | Caller and receiver | 
| Destination configuration | You specify the downstream system's IP address and port | MediaLive allocates IP addresses; you specify the port | 
| Channel security group | Not required | Required for channels using the Public delivery method (controls which downstream systems can connect). Not required for VPC delivery or MediaLive Anywhere channels; instead, you must configure your network to allow SRT connections from the caller destination. | 
| Use case | Push-style delivery where MediaLive connects to known downstream endpoints | Pull-style delivery where downstream systems connect to MediaLive on demand | 
| MediaLive Anywhere support | Supported | Supported | 

**Note**  
You cannot mix connection modes within a single output. Each output must use either caller mode or listener mode for all its destinations.

# Organize encodes in an SRT output group
<a name="design-srt-package"></a>

An SRT output group can contain the following:
+ One or more outputs.

Each output contains the following:
+ One video encode.
+ One or more audio encodes.
+ Zero or more captions encodes. The captions are either embedded or object-style captions. 

Each output represents one SPTS. Each output (SPTS) has its own destination.

This diagram illustrates an SRT output group with one output. The captions are embedded in the video encode.

![SRT output group with one output; the captions are embedded in the video encode](http://docs.aws.amazon.com/medialive/latest/ug/images/output3-nonABR-Ve-2A.png)


This diagram illustrates an SRT output group with one output. The captions are object-style captions.

![SRT output group with one output; the captions are object-style captions](http://docs.aws.amazon.com/medialive/latest/ug/images/output4-nonABR-V-2A-2C.png)


# Plan for delivery using Amazon VPC
<a name="srt-get-ready"></a>

You might set up the MediaLive channel for the SRT output to have [output endpoints in Amazon Virtual Private Cloud](delivery-out-vpc.md) (Amazon VPC). Following are some guidelines for setting up the secret in Secrets Manager and for delivery of the output to MediaConnect (if MediaConnect is the destination).

## Considerations for Secrets Manager
<a name="srt-get-ready-asm"></a>

SRT outputs are always encrypted, so AWS Secrets Manager is always involved. There are specific requirements for the VPC subnet where you will create the channel:
+ The subnet for the channel must have a Secrets Manager endpoint.
+ The subnet for the channel and the Secrets Manager endpoint must use the same security group, which means that the same security group must be associated with the subnet and with the endpoint.

## Considerations for MediaConnect
<a name="srt-get-ready-emx"></a>

You might be delivering to a MediaConnect flow that also uses a VPC. This means that the SRT output egress from the MediaLive channel is on your VPC and that the MediaConnect flow has a VPC interface.
+ The administrator for your VPC must ensure that there is an appropriate route between MediaLive and MediaConnect. 

# Set up the passphrase in AWS Secrets Manager
<a name="srt-output-encryption-asm"></a>

You must set up the passphrase for the mandatory encryption of the SRT output. Follow these steps:

1. You and the operator of the downstream system should have already agreed about an encryption passphrase.

1. Give the passphrase to a person in your organization who works with AWS Secrets Manager. That person must store the passphrase in a secret in Secrets Manager. For more information, see [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html). Create a secret of type **Other type of secret**.

   Secrets Manager generates an ARN that looks like this:

   `arn:aws:secretsmanager:region:123456789012:secret:Sample-abcdef`

   **Important**  
   Store SRT passphrases in Secrets Manager as plaintext only (for example, `secretpassword123`). Do not use the key/value option or JSON format when you create the secret, because this might cause interoperability issues with other services.  
   Make sure that your passphrase is between 10 and 79 characters long.

1. Make sure that you obtain the full ARN of the secret. You use this value as the encryption passphrase secret ARN for your SRT output.
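
The following check is an added example, not part of the MediaLive documentation. It applies the rules above to a secret value (the `SecretString` read back from Secrets Manager) and to the ARN you were given; the function names and the sample values are constructed for illustration.

```python
import json
import re

# Length limits stated on this page for the SRT passphrase.
MIN_LEN, MAX_LEN = 10, 79

# Secrets Manager appends a hyphen and six random characters to the secret
# name in the ARN. A value without that suffix is not the full ARN.
FULL_ARN = re.compile(
    r"^arn:[a-z0-9-]+:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+-[A-Za-z0-9]{6}$"
)


def check_secret_value(secret_string):
    """Return a list of problems with a secret value used as an SRT passphrase."""
    problems = []
    try:
        parsed = json.loads(secret_string)
    except ValueError:
        parsed = None  # not JSON at all, which is what a plaintext secret looks like
    if isinstance(parsed, (dict, list)):
        problems.append("value is JSON or key/value; store the bare passphrase")
    # len() counts Unicode code points, so a space or a non-ASCII character counts as one.
    if not MIN_LEN <= len(secret_string) <= MAX_LEN:
        problems.append(f"length {len(secret_string)} is outside {MIN_LEN}-{MAX_LEN}")
    return problems


def is_full_secret_arn(arn):
    """True when the ARN has the shape of a complete Secrets Manager secret ARN."""
    return FULL_ARN.match(arn) is not None


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    candidates = [
        "secretpassword123",                    # plaintext, valid length
        '{"passphrase": "secretpassword123"}',  # created with the key/value option
        "short",                                # fewer than 10 characters
    ]
    for value in candidates:
        print(repr(value), "->", check_secret_value(value) or "OK")
    print(is_full_secret_arn(
        "arn:aws:secretsmanager:region:123456789012:secret:Sample-abcdef"))
```
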

# Creating SRT outputs in caller mode
<a name="creating-srt-caller-output"></a>

This section describes how to create SRT outputs in caller mode, where MediaLive initiates connections to downstream systems.

**Topics**
+ [Coordinate with the downstream system](downstream-system-srt-caller.md)
+ [Create the SRT output in caller mode](creating-srt-caller-output-group.md)
+ [Provide information to the downstream system](srt-caller-info-to-downstream.md)

# Coordinate with the downstream system
<a name="downstream-system-srt-caller"></a>

With an SRT output group, you can create more than one output, in order to deliver the same content to more than one downstream system.

You and the operator of each downstream system must discuss details about the output delivery. With caller mode, MediaLive is the caller and the sender. The downstream system is the listener and the receiver.

1. Decide if you need two destinations for the output: 
   + If the MediaLive channel is a [standard channel](plan-redundancy.md), you need two destinations. 
   + If the MediaLive channel is a single-pipeline channel, you need one destination. 

1. Obtain the IP address and port for each destination. For example, `srt://203.0.113.22:5000` and `srt://203.0.113.88:5001`. 

   Note that if you are delivering to MediaConnect, you can obtain the addresses only after the MediaConnect operator creates the flows. See the last step in this procedure.

1. MediaLive always encrypts the content, so you must agree about the following encryption details:
   + The encryption algorithm: AES 128, AES 192, or AES 256.
   + The passphrase that MediaLive and the downstream system will use to create the encryption and decryption keys. The passphrase can be 10 to 79 Unicode characters, which means that spaces are allowed. 

1. Discuss the following with the operator of the downstream system:
   + Tell the downstream system about the latency (in milliseconds) that you plan to configure into MediaLive for packet loss and recovery. Packet recovery is a key feature of SRT. The downstream destination should choose a latency value that is close to the value that you plan to use.

     You will configure the latency in each output, so each downstream system can have a different latency. 
   + MediaLive works without a stream ID. But if you want to include one, or if the downstream system would like to use one, agree on the ID. Maximum 512 UTF-8 characters.

1. If you are delivering to a MediaConnect flow, ask the MediaConnect operator to create their flow now.

   Ask the operator to give you the one or two addresses that are in the Inbound IP address field for that flow. These addresses are the destinations for the SRT output. For example, `srt://203.0.113.22:5000` and `srt://203.0.113.88:5001`.

# Create the SRT output in caller mode
<a name="creating-srt-caller-output-group"></a>

After you have designed the contents of the output and you have coordinated delivery of the output with the downstream system, you can create the SRT output in caller mode.

1. On the **Create channel** page, under **Output groups**, choose **Add**. 

1. In the **Add output group** section, choose **SRT**, and then choose **Confirm**. More sections appear.

   The form for this output group is broken down into the following sections:
   + **SRT settings**: Features that apply at the output group level, not in individual outputs.
   + **SRT outputs**: Outputs in the output group.
   + **Output > Destinations**: The URL and encryption fields for each output. 
   + **Output > Output settings**: Networking and transport stream settings, and configuration of individual PIDs.
   + **Output > Stream settings**: Configuration of the video, audio, and captions in each output.

   For information about each section, see the topics listed after this procedure.

1. After you have finished setting up this output group and its outputs, you can create another output group (of any type), if your plan requires it. Otherwise, go to [Save the channel](creating-a-channel-step9.md).

## SRT settings
<a name="srt-caller-srt-settings"></a>

In the **SRT settings** section, complete the fields:
+ **Name**: Enter a name for the output group. This name is internal to MediaLive; it doesn't appear in the output. For example, **Sports Game**.
+ **Input loss action**: Choose a value. For details, choose the **Info** link. For detailed information about input loss handling for all output groups in the channel, see [Handling loss of video input](feature-input-loss.md).

## SRT outputs
<a name="srt-caller-srt-outputs"></a>

The **SRT outputs** section shows the single output that is added by default. Choose **Add output** if you want to send the content to more destinations.

In each output, choose the **Settings** link to show three subsections:
+ Destinations. See [Output > Destinations](#srt-caller-destinations).
+ Output settings. See [Output > Output settings](#srt-caller-output-settings).
+ Stream settings. See [Output > Stream settings](srt-streams.md).

## Output > Destinations
<a name="srt-caller-destinations"></a>

In each output, you must specify one destination (for a single-pipeline channel) or two destinations (for a standard channel). You must also configure encryption for each destination. 
+ **Connection mode**: Select **Caller**.
+ Enter the destination URL or URLs, including the port number. You obtained this information when you [discussed your requirements](downstream-system-srt-caller.md) with the downstream system. For example:

  **srt://203.0.113.22:5000**

  **srt://203.0.113.88:5001**
+ Stream ID: Optional.
+ In each destination, select the secret that [you obtained from the operator of Secrets Manager](srt-output-encryption-asm.md). You can select the secret by its ARN or its name.

## Output > Output settings
<a name="srt-caller-output-settings"></a>

Enter a user-friendly name for the output, or leave the default. This name is internal to MediaLive and doesn't appear in the output.

The remainder of this section contains fields that let you configure the following:
+ Network behavior.
+ Characteristics of the transport stream (in the **Container** section).
+ PID values (in the **PID Settings** section). 

  These fields cover the SI/PSI and other data. For each of the SI/PSI PIDs, you can specify a custom value or you can let MediaLive use the default value. 

  For other data, complete the fields as appropriate. With some of these fields, the behavior is different for fields that you leave empty. MediaLive might omit the data from the transport stream. Or MediaLive might use default values.

Change any values as appropriate. For details about a field, choose the **Info** link next to the field in the MediaLive console.

# Provide information to the downstream system
<a name="srt-caller-info-to-downstream"></a>

The downstream system might need the source IP addresses of the one or two MediaLive streams, so that it can allow connections from these addresses. If the downstream system is MediaConnect, it definitely needs this information.

**On an AWS Cloud channel**

Read this information if your organization doesn't deploy MediaLive Anywhere.
+ After you have created the channel, select the channel by its name. The channel details appear.

  In the **Destinations** tab, find the **Egress endpoints** section. Copy the one or two IP addresses. There is one set of addresses for the channel, not one set for each output. 
+ Make a note of the IP addresses and label them correctly as pipeline 0 and pipeline 1. Give them to the downstream operator. 

**On a MediaLive Anywhere channel**

Read this information if your channel is a MediaLive Anywhere channel, which means that it is running on on-premises hardware, not in the AWS Cloud.
+ Obtain the IP address of the Gateway into the network. You might need to speak to the network administrator in your organization. Give this address to the downstream operator.

# Creating SRT outputs in listener mode
<a name="creating-srt-listener-output"></a>

This section describes how to create SRT outputs in listener mode, where downstream systems initiate connections to MediaLive.

**Topics**
+ [Prerequisites for listener mode](srt-listener-prerequisites.md)
+ [Create the SRT output in listener mode](creating-srt-listener-output-group.md)
+ [Additional setup for MediaLive Anywhere channels](srt-listener-emla-setup.md)
+ [Provide connection information to downstream systems](srt-listener-provide-info.md)
+ [Validation rules for listener mode](srt-listener-validation.md)

# Prerequisites for listener mode
<a name="srt-listener-prerequisites"></a>

Before you create SRT outputs in listener mode, you must complete the following prerequisites:

1. **Create or identify a channel security group (Public delivery method only)**: For channels using the Public delivery method, you must attach a channel security group to the channel. The channel security group controls which downstream systems (SRT callers) are allowed to connect to the MediaLive listener endpoints. For information about channel security groups, see [Using channel security groups](feature-channel-security-groups.md).

   For channels using VPC delivery or MediaLive Anywhere channels, the channel security group is not required. Instead, you must configure your network to allow SRT connections from the caller destination to reach the listener endpoints.

1. **Coordinate with downstream systems**: Discuss the following with the operator of each downstream system:
   + The IP addresses that the downstream systems will connect from. You need these addresses to create or update the input security group that the channel security group references.
   + The encryption algorithm: AES 128, AES 192, or AES 256.
   + The passphrase for encryption. The passphrase can be 10 to 79 Unicode characters.
   + The preferred latency (in milliseconds) for packet loss and recovery. The valid range is 120 to 15000 milliseconds.
   + The stream ID, if the downstream system uses this identifier. The stream ID is optional.

1. **Store the passphrase in Secrets Manager**: Follow the steps in [Set up the passphrase in AWS Secrets Manager](srt-output-encryption-asm.md) to store the passphrase in AWS Secrets Manager.

# Create the SRT output in listener mode
<a name="creating-srt-listener-output-group"></a>

After you have completed the prerequisites and coordinated with the downstream systems, you can create the SRT output in listener mode.

1. On the **Create channel** page, choose **Channel and input details** in the navigation pane.

1. **For channels using Public delivery method only**: In the **General settings** section, find the **Channel security groups** field.

1. **For channels using Public delivery method only**: From the dropdown list, select the input security group that you want to use as the channel security group.

1. Navigate to the **Output groups** section and choose **Add**.

1. In the **Add output group** section, choose **SRT**, and then choose **Confirm**.

1. In the **SRT settings** section, complete the fields:
   + **Name**: Enter a name for the output group.
   + **Input loss action**: Choose a value. For details, see [Handling loss of video input](feature-input-loss.md).

1. In the **SRT outputs** section, choose the **Settings** link for the output.

1. In the **Destinations** section, configure the listener mode settings:
   + **Connection mode**: Select **LISTENER**.
   + **Listener port**: Enter the port number that MediaLive will listen on. The valid range is 5000 to 5200.

     You must have unique ports for each of the SRT listener outputs on your channel.

     For a standard channel with two pipelines, you must have unique listener ports for each pipeline destination as well.
   + **Stream ID**: Optional. Enter the stream ID if you agreed on one with the downstream systems.
   + **Encryption passphrase secret ARN**: Select the ARN of the secret you created in Secrets Manager.

1. Complete the **Output settings** and **Stream settings** sections as described in [Output > Output settings](creating-srt-caller-output-group.md#srt-caller-output-settings) and [Output > Stream settings](srt-streams.md).

1. After you have finished setting up this output group and its outputs, you can create another output group (of any type), if your plan requires it. Otherwise, go to [Save the channel](creating-a-channel-step9.md).

# Additional setup for MediaLive Anywhere channels
<a name="srt-listener-emla-setup"></a>

If you are creating an SRT listener output on a MediaLive Anywhere channel, there are additional configuration requirements:
+ **Logical interface name**: In the **Destinations** section, you must specify the logical interface for each output in listener mode. This field appears when you create a channel on a MediaLive Anywhere cluster. The logical interface determines which physical network interface on the MediaLive Anywhere node will be used for the SRT listener.
+ **Node interface IPs**: After you create the channel, the destination information will include the node interface IPs. This field displays the IP address that the downstream system should use to connect to the MediaLive Anywhere node. The IP address is associated with the physical interface that is mapped to the logical interface you selected.
  + **In the console**: The node interface IPs are displayed in the **Destinations** table under the **SRT destination settings** section.
  + **Using the API**: The node interface IPs are included in the node describe call as `PhysicalInterfaceIpAddresses`.

  You must provide this IP address to the downstream systems so they can configure their SRT callers to connect to the correct MediaLive Anywhere node interface.

# Provide connection information to downstream systems
<a name="srt-listener-provide-info"></a>

After you create the channel with SRT outputs in listener mode, you must provide connection information to the operators of the downstream systems so they can configure their SRT callers to connect to MediaLive.

**To obtain the connection information**

1. After you have created the channel, select the channel by its name. The channel details appear.

1. Choose the **Destinations** tab.

1. In the **Output destinations** section, find the SRT output group.

1. For each output in the group, note the connection information that downstream systems will need. For a standard channel, there are two sets of information (one for each pipeline). For a single-pipeline channel, there is one set.

   **For MediaLive channels**:
   + In the **Egress endpoints** section under the **Destinations** tab, note the **Source IP** address. This is the IP address that downstream systems should connect to.
   + In the **SRT destination settings** section, note the **Listener port**.
   + Provide the destination to downstream operators in the format `srt://source-ip:listener-port`.

   **For MediaLive Anywhere channels**:
   + In the **SRT destination settings** section under the **Destinations** tab, note the **Node interface IPs**. This is the IP address that downstream systems should connect to.
   + In the same section, note the **Listener port**.
   + Provide the destination to downstream operators in the format `srt://node-interface-ip:listener-port`.

1. Provide these destination URLs to the operators of the downstream systems. The operators must configure their SRT callers to connect to these addresses.

Make sure that the operators at the downstream systems set up as follows:
+ They configure the correct number of connections:
  + If the MediaLive channel is a standard channel, they must connect to both destination addresses for redundancy.
  + If the MediaLive channel is a single-pipeline channel, they must connect to the single destination address.
+ They configure their SRT callers to use the same encryption algorithm and passphrase that you agreed on.
+ They configure their SRT callers to use a latency value. SRT will negotiate and use the maximum of the latency values configured on both sides.
+ If you specified a stream ID in the output configuration, the downstream systems can optionally send a stream ID value during connection. MediaLive accepts connections with any stream ID value (or no stream ID). The stream ID is logged for monitoring and troubleshooting purposes only.
+ Their source IP addresses must be included in the CIDR allow list of the input security group that the channel security group references. Otherwise, MediaLive will reject their connection attempts.

# Validation rules for listener mode
<a name="srt-listener-validation"></a>

MediaLive enforces the following validation rules when you create or update SRT outputs in listener mode:
+ **Channel security group required (Public delivery method only)**: For channels using the Public delivery method, if the channel includes at least one SRT output configured in listener mode, you must attach a channel security group to the channel. If you attempt to create or start a channel using Public delivery with SRT outputs in listener mode but no channel security group, MediaLive returns an error. For channels using VPC delivery or MediaLive Anywhere channels, the channel security group is not required; you must configure your network to allow SRT connections from the caller destination.
+ **Port uniqueness**: Within a single channel, each SRT output in listener mode must use a unique port number. If you attempt to create two outputs with the same port, MediaLive returns an error.
+ **Listener port range**: The port number must be in the range 5000 to 5200 inclusive. 
+ **Cannot remove channel security group**: If the channel has SRT outputs in listener mode, you cannot remove the channel security group. You must first remove all SRT outputs configured in listener mode, or change them to caller mode.
+ **Cannot change mode on running channel**: You cannot change an output's connection mode (from caller to listener or vice versa) while the channel is running. You must stop the channel first.
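
The following pre-flight check is an added example, not part of the MediaLive documentation. It applies the static rules above, plus the latency range from the prerequisites and the input security group allow-list requirement, to a channel description before you create the channel. The dictionary layout, the function names, and the sample values are hypothetical and are not the MediaLive API request shape.

```python
import ipaddress

PORT_MIN, PORT_MAX = 5000, 5200        # listener port range stated on this page
LATENCY_MIN, LATENCY_MAX = 120, 15000  # listener latency range in ms, from this page


def preflight(channel):
    """Return rule violations for `channel`, a hypothetical plain-dict model."""
    errors, port_owner, has_listener = [], {}, False
    for out in channel["outputs"]:
        name = out["name"]
        modes = {d["mode"] for d in out["destinations"]}
        if len(modes) > 1:
            errors.append(f"{name}: mixes caller and listener destinations")
        if "LISTENER" not in modes:
            continue
        has_listener = True
        if not LATENCY_MIN <= out["latency_ms"] <= LATENCY_MAX:
            errors.append(f"{name}: latency {out['latency_ms']} ms is out of range")
        for dest in out["destinations"]:
            if dest["mode"] != "LISTENER":
                continue
            port = dest["port"]
            if not PORT_MIN <= port <= PORT_MAX:
                errors.append(f"{name}: port {port} is outside {PORT_MIN}-{PORT_MAX}")
            # Ports must be unique across outputs and across pipeline destinations.
            if port in port_owner:
                errors.append(f"{name}: port {port} already used by {port_owner[port]}")
            port_owner.setdefault(port, name)
    if (has_listener and channel["delivery"] == "PUBLIC"
            and not channel.get("channel_security_group")):
        errors.append("channel: Public delivery with listener outputs "
                      "needs a channel security group")
    return errors


def callers_outside_allow_list(allow_cidrs, caller_ips):
    """Return the caller source IPs that no CIDR in the allow list covers."""
    nets = [ipaddress.ip_network(c) for c in allow_cidrs]
    return [ip for ip in caller_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


# Constructed sample: a standard channel (two destinations per output) with
# four violations, using documentation-range IP addresses.
SAMPLE = {
    "delivery": "PUBLIC",
    "channel_security_group": None,
    "outputs": [
        {"name": "out-a", "latency_ms": 2000,
         "destinations": [{"mode": "LISTENER", "port": 5000},
                          {"mode": "LISTENER", "port": 5001}]},
        {"name": "out-b", "latency_ms": 100,
         "destinations": [{"mode": "LISTENER", "port": 5001},
                          {"mode": "LISTENER", "port": 5300}]},
    ],
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE):
        print(problem)
    print(callers_outside_allow_list(["198.51.100.0/24"],
                                     ["198.51.100.7", "203.0.113.9"]))
```
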

# Output > Stream settings
<a name="srt-streams"></a>

The fields in this section relate to the encoding of the video, audio, and captions streams (encodes) in the output. These settings apply to both caller mode and listener mode outputs.

For information about creating encodes, see the following sections:
+ [Set up the video encode](creating-a-channel-step6.md)
+ [Set up the audio encodes](creating-a-channel-step7.md)
+ [Set up the captions encodes](creating-a-channel-step8.md)