

# Creating a CMAF endpoint
<a name="endpoints-cmaf"></a>

Create an endpoint that formats content for devices that support Apple HLS fragmented MP4 (fMP4).

**To create a CMAF endpoint (console)**

1. Access the channel that the endpoint will be associated with, as described in [Viewing channel details](channels-view.md).

1. On the details page for the channel, under **Origin endpoints**, choose **Manage endpoints**.

1. Complete the fields as described in the following topics:
   + [New endpoint fields](endpoints-cmaf-new.md)
   + [Packager settings fields](endpoints-cmaf-packager.md)
   + [Package encryption fields](endpoints-cmaf-encryption.md)
   + [Access control settings fields](endpoints-cmaf-access-control.md)
   + [Stream selection fields](endpoints-cmaf-include-streams.md)

1. Choose **Save**.

   If you enabled Amazon CloudFront distribution creation from the AWS Elemental MediaPackage console and this is your first endpoint on the channel, MediaPackage adds an origin to the distribution. You can view the CloudFront CDN URL and endpoint information in the endpoints section of the channel's details page.

   The endpoint is active and can deliver content as soon as requests are sent to its URL endpoints. MediaPackage scales resources up and down to allow the right amount of capacity for your traffic.

   When you're creating an endpoint, you will receive an error if you exceed the quotas on the account. An error similar to `Too many requests, please try again. Resource limit exceeded` means that either you've exceeded the API request quotas, or you've already reached the maximum number of endpoints allowed on this channel. If you think you received this error in error, use the Service Quotas console to [request quota increases](https://console.aws.amazon.com/servicequotas/home?region=us-east-1#!/services/mediapackage/quotas). For more information about quotas in MediaPackage, see [Quotas in AWS Elemental MediaPackage](quotas.md).

# New endpoint fields
<a name="endpoints-cmaf-new"></a>

When you're creating an endpoint, don't put sensitive identifying information like customer account numbers into free-form fields such as the **Name** field. This includes when you work with AWS Elemental MediaPackage using the MediaPackage console, MediaPackage API, AWS CLI, or AWS SDKs. Any data that you enter into MediaPackage might get picked up for inclusion in diagnostic logs or Amazon CloudWatch Events.

1. For **ID**, enter a name that describes the endpoint. The ID is the primary identifier for the endpoint and must be unique for your account in the AWS Region.

1. (Optional) For **Description**, enter any descriptive text that helps you to identify the endpoint. 

1. For **Manifest name**, enter a short string that will be appended to the end of the endpoint URL. The manifest name helps to create a unique path to this endpoint.

1. (Optional) For **Startover window**, enter the size of the window (in seconds) to create a window of the live stream that's available for on-demand viewing. Viewers can start-over or catch-up on content that falls within the window. For more information about implementing start-over and catch-up TV, see [Time-shifted viewing reference in AWS Elemental MediaPackage](time-shifted.md).

1. (Optional) For **Time delay**, enter the duration (in seconds) to delay when content is available to players. The minimum time is 5 seconds. The maximum time is 86,400 seconds (24 hours).

   Use time delay to redefine the live point and make content available at a time that equals "now" minus the delay specified. With a 60-second time delay, content that MediaPackage receives at 12:20 isn't available until 12:21. Requests for playback at 12:20 will be served with content from 12:19. Likewise, if you're serving content across time zones, you can set a time delay equal to the time zone difference to make content available at, for example, 8:00 local time.

   When you use time delay in conjunction with a startover window, the time delay duration must be less than the startover window duration.

**Tip**  
Use a time delay to help reduce buffering during input switching when you're using input redundancy with short output segments. Note that the delay can increase latency in content playback.

# Packager settings fields
<a name="endpoints-cmaf-packager"></a>

The Packager settings fields hold general information about the endpoint.

1. For **Packaging type**, choose **Common Media Application Format (CMAF)**. 

1. For **HLS Manifest ID**, enter an ID that will be the primary identifier for the manifest. The ID must be unique for this endpoint. You cannot change this ID after it's created.

1. (Optional) For **Segment prefix**, enter a custom name for the segments in the HLS child manifest. The segment prefix is prepended to the segment name to create a unique identifier for each segment.  
**Example**  

   If the segment prefix is `movie`, a segment from the child manifest is `movie_1_2.ts`.

1. (Optional) For **Segment duration**, enter the duration (in seconds) of each segment. Enter a value equal to, or a multiple of, the input segment duration. If the value that you enter is different from the input segment duration, AWS Elemental MediaPackage rounds segments to the nearest multiple of the input segment duration.

1. (Optional) For **Live playlist window duration**, enter the total duration (in seconds) of the parent manifest.

1. For **Manifest name**, enter a string that will be appended to the end of the endpoint URL. The manifest name helps to create a unique path to this manifest on this endpoint. The HLS manifest name overrides the manifest name that you provided in the New Endpoint **Manifest name** field (if applicable).

1. (Optional) Select **Include IFrame only stream** to include an additional I-frame only stream along with the other tracks in the manifest. MediaPackage generates an I-frame only stream from the first rendition in the manifest. The service inserts `EXT-X-I-FRAMES-ONLY` tags in the output manifest, and then compiles and includes an I-frames only playlist in the stream. This playlist enables player functionality like fast forward and rewind.

1. (Optional) For **Program date/time interval**, enter the interval (in seconds) at which MediaPackage should insert the `EXT-X-PROGRAM-DATE-TIME` tags in the manifest.

   The `EXT-X-PROGRAM-DATE-TIME` tag holds the time of the segment. When program date time (PDT) information is available in the source content, MediaPackage uses this same information on the output content. Otherwise, MediaPackage uses Coordinated Universal Time (UTC) for the PDT.

   The PDT information helps downstream players to synchronize the stream to the wall clock, enabling functionality like viewer seek in the playback timeline and time display on the player.

1. (Optional) For **Playlist type**, choose **None**, **Event**, or **VOD**. When specified as either event or VOD, a corresponding `EXT-X-PLAYLIST-TYPE` entry is included in the media playlist. This entry indicates whether the playlist is live to VOD content.

1. (Optional) Use the following fields to dictate how MediaPackage processes SCTE-35 messages from the input stream. For more information, see [SCTE-35 message options in AWS Elemental MediaPackage](scte.md). 

   1. (Optional) For **Ad markers**, choose how ad markers are included in the packaged content. 

      Choose from the following:
      + **None** – Omit all SCTE-35 ad markers from the output.
      + **Passthrough** – Copy the SCTE-35 ad markers directly from the input HLS stream to the output.
      + **SCTE-35 enhanced** – Generate ad markers and blackout tags in the output based on the SCTE-35 input messages from the input stream.
      + **Daterange** – Emit `EXT-X-DATERANGE` tags in HLS and CMAF manifests to signal ads and program transitions.

   1. (Optional) For **Ad triggers**, choose the SCTE-35 message types that you want to be treated as ad markers in the output. If you don't make a selection here, MediaPackage inserts ad markers in the output manifest based on these message types:
      + Splice insert
      + Provider advertisement
      + Distributor advertisement
      + Provider placement opportunity
      + Distributor placement opportunity

   1. (Optional) For **Ads on delivery restrictions**, choose what ad insertion action MediaPackage takes based on delivery restriction flags in the segmentation descriptors of SCTE-35 messages.
      + **None** – MediaPackage doesn't insert any ad markers in the output manifest.
      + **Restricted** – MediaPackage inserts ad markers when there *are* delivery restrictions in the SCTE-35 message types that you indicated in **Customize ad triggers**.
      + **Unrestricted** – MediaPackage inserts ad markers when there *aren't* delivery restrictions in the SCTE-35 message types that you indicated in **Customize ad triggers**.
      + **Both** – MediaPackage inserts ad markers whether or not there are delivery restrictions in the SCTE-35 message types that you indicated in **Customize ad triggers**.

# Package encryption fields
<a name="endpoints-cmaf-encryption"></a>

Protect your content from unauthorized use through content encryption and digital rights management (DRM). AWS Elemental MediaPackage uses the [AWS Secure Packager and Encoder Key Exchange (SPEKE) API](https://aws.amazon.com/media/tech/speke-basics-secure-packager-encoder-key-exchange-api/) to facilitate content encryption and decryption by a DRM provider. Using SPEKE, the DRM provider supplies encryption keys to MediaPackage through the SPEKE API. The DRM provider also supplies licenses to supported media players for decryption. For more information about how SPEKE is used with services and features running in the cloud, see [AWS cloud-based architecture](https://docs.aws.amazon.com/speke/latest/documentation/what-is-speke.html#services-architecture) in the *Secure Packager and Encoder Key Exchange API Specification guide*.

**Important**  
To encrypt content, you must have a DRM provider and use a version of AWS SPEKE. For more information about how to use encryption for MediaPackage, see [Content encryption and DRM in AWS Elemental MediaPackage](https://docs.aws.amazon.com/mediapackage/latest/ug/using-encryption.html). 

Define the encryption values.

1. To serve content without copyright protection, keep **No encryption** selected.

1. To serve content with copyright protection, choose **Encrypt content** and complete the additional fields as follows:

   1. For **Resource ID**, enter an identifier for the content. The service sends this to the key server to identify the current endpoint. How unique you make this depends on how fine-grained you want access controls to be. The service does not allow you to use the same ID for two simultaneous encryption processes. The resource ID is also known as the content ID. 

      The following example shows a resource ID.

      ```
      MovieNight20171126093045
      ```

   1. For **System IDs**, enter a unique identifier for your streaming protocol and DRM system. Provide up to three IDs. If you provide more than one system ID, enter one per line and choose **Add**. If you do not know your IDs, ask your system provider.

   1. For **URL**, enter the URL of the API Gateway proxy that you set up to talk to your key server. The API Gateway proxy must reside in the same AWS Region as MediaPackage.

      The following example shows a URL. 

      ```
      https://1wm2dx1f33.execute-api.us-west-2.amazonaws.com/SpekeSample/copyProtection
      ```

   1. For **Role ARN**, enter the Amazon Resource Name (ARN) of the IAM role that provides you access to send your requests through API Gateway. Get this from your DRM solution provider.

      The following example shows a role ARN. 

      ```
      arn:aws:iam::444455556666:role/SpekeAccess
      ```

   1. (Optional) For **SPEKE version**, select the SPEKE version that you'd like to use for encryption. SPEKE Version 1.0 is the legacy version that uses CPIX Version 2.0, and supports single key encryption. SPEKE Version 2.0 uses CPIX Version 2.3, and supports multiple key encryption. For more information about using SPEKE with MediaPackage, see [Content encryption and DRM in MediaPackage](https://docs.aws.amazon.com/mediapackage/latest/ug/using-encryption.html). 

      If you select **SPEKE Version 2.0**, then also choose a **Video encryption preset** and an **Audio encryption preset**. The video and audio presets determine which content keys MediaPackage uses to encrypt the audio and video tracks in your stream. For more information about these presets, see [SPEKE Version 2.0 presets](drm-content-speke-v2-presets.md).

      When using SPEKE Version 2.0, MediaPackage disables key rotation.

   1. **Certificate ARN** – (Optional) Enter a 2048 RSA certificate ARN to use for content key encryption. Use this option only if your DRM key provider supports content key encryption. If you use this and your key provider doesn't support it, the event fails.

      To enter a certificate ARN here, you must have already imported the corresponding certificate into AWS Certificate Manager. Then enter the certificate ARN from ACM here. 

      For information about content key encryption, see [Preparing and managing certificates for use with content keys](drm-content-key-encryption.md).

   1. For **Encryption Method**, choose **Sample-AES** for CMAF Apple HLS FairPlay or choose **AES-CTR** for Microsoft PlayReady and Google Widevine.

   1. (Optional) For **Constant initialization vector**, enter a 128-bit, 16-byte hex value represented by a 32-character string, to be used with the key for encrypting content.

   1. (Optional) For **Key rotation interval**, enter the frequency, in seconds, of key changes for live workflows, in which content is streamed in real time. The service retrieves content keys before the live content begins streaming, and then retrieves them as needed over the lifetime of the workflow. By default, key rotation is set to 60 seconds, which is equivalent to setting it to `60`. To disable key rotation, set this interval to `0` (zero). 

      The following example setting causes the service to rotate keys every thirty minutes.

      ```
      1800
      ```

      For information about key rotation, see [Understanding key rotation behavior](drm-content-key-encryption.md).
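
The constraints in this section can be checked against a settings record before the fields are saved. The following is an added example, not AWS code: the dictionary keys and the `check_encryption` function are hypothetical names modelled on the console fields, and the sample record reuses the example values shown above.

```python
import re
from urllib.parse import urlparse

# Formats follow the examples on this page; dict keys are hypothetical.
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")
IV_HEX = re.compile(r"[0-9a-fA-F]{32}")  # 128 bits as 32 hex characters
API_GW = re.compile(r"[a-z0-9]+\.execute-api\.([a-z0-9-]+)\.amazonaws\.com")
METHODS = {"Sample-AES", "AES-CTR"}


def check_encryption(cfg, endpoint_region):
    """Return a list of findings for the encryption settings in cfg."""
    out = []
    if not cfg.get("resource_id"):
        out.append("resource_id: missing")
    if len(cfg.get("system_ids", [])) > 3:
        out.append("system_ids: more than three")
    url = urlparse(cfg.get("url", ""))
    host = API_GW.fullmatch(url.hostname or "")
    if url.scheme != "https":
        out.append("url: not https")
    elif host is None:  # e.g. a custom domain in front of API Gateway
        out.append("url: region not derivable from host, verify manually")
    elif host.group(1) != endpoint_region:
        out.append("url: proxy in %s, endpoint in %s" % (host.group(1), endpoint_region))
    if not ROLE_ARN.fullmatch(cfg.get("role_arn", "")):
        out.append("role_arn: not an IAM role ARN")
    if cfg.get("encryption_method") not in METHODS:
        out.append("encryption_method: expected Sample-AES or AES-CTR")
    iv = cfg.get("constant_iv")
    if iv is not None and not IV_HEX.fullmatch(iv):
        out.append("constant_iv: expected 32 hex characters")
    rotation = cfg.get("key_rotation_interval", 60)  # page default: 60 seconds
    if not isinstance(rotation, int) or rotation < 0:
        out.append("key_rotation_interval: expected seconds >= 0")
    if cfg.get("speke_version") == "2.0":
        for preset in ("video_preset", "audio_preset"):
            if not cfg.get(preset):
                out.append(preset + ": required with SPEKE 2.0")
        if "key_rotation_interval" in cfg and rotation != 0:
            out.append("key_rotation_interval: ignored, SPEKE 2.0 disables rotation")
    return out


# Constructed sample; "id-1" is a placeholder, not a real DRM system ID.
GOOD = {"resource_id": "MovieNight20171126093045", "system_ids": ["id-1"],
        "url": "https://1wm2dx1f33.execute-api.us-west-2.amazonaws.com/SpekeSample/copyProtection",
        "role_arn": "arn:aws:iam::444455556666:role/SpekeAccess",
        "encryption_method": "AES-CTR", "key_rotation_interval": 1800}

if __name__ == "__main__":
    print(check_encryption(GOOD, "us-west-2") or "no findings")
    print(check_encryption(GOOD, "eu-west-1"))
```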

# Access control settings fields
<a name="endpoints-cmaf-access-control"></a>

Define the access control values.

1. Select **Allow origination** to enable this endpoint to serve content to requesting devices. It's uncommon to disallow origination on an endpoint.

   Typically, the only reason that you won't allow an endpoint to serve content is if it's only being used to harvest VOD content from the live stream. For more information, see [Creating live-to-VOD assets with AWS Elemental MediaPackage](ltov.md).

1. Choose **Allow all incoming clients** to serve content to all requesting IP addresses and ranges or choose **Restrict by IP address** to limit the IP addresses that this endpoint serves. If you restrict by IP address, for **IP allowlist**, enter the IP addresses and ranges that this endpoint serves content to. Enter one CIDR block per line.

1. Select **Use CDN authorization** to require that content requests to this endpoint include a valid authorization code.

1. (Optional) For **Secrets role ARN**, enter the ARN for the IAM role that grants MediaPackage access to AWS Secrets Manager. The secrets role ARN must be in this format: `arn:aws:iam::accountID:role/name`

1. (Optional) For **CDN identifier secret ARN**, enter the ARN for the authorization code secret in Secrets Manager that your CDN uses for authorization to access your endpoint. The CDN identifier must be in this format: `arn:aws:secretsmanager:region:accountID:secret:guid`

For information about how this authorization works, see [CDN authorization in AWS Elemental MediaPackage](cdn-auth.md).
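
An allowlist that contains a catch-all block, or an entry that does not parse, undoes the restriction chosen above, so it is worth auditing these settings before saving. The following is an added example, not AWS code: the dictionary keys, the `audit_access_control` function and the `min_prefix` review threshold are hypothetical, and it assumes both ARNs are supplied once **Use CDN authorization** is selected.

```python
import ipaddress
import re

# ARN shapes as given on this page; dict keys are hypothetical field names.
SECRETS_ROLE = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")
CDN_SECRET = re.compile(r"arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:\S+")


def audit_access_control(cfg, min_prefix=8):
    """Return findings for the access control settings in cfg.

    min_prefix is an arbitrary review threshold: blocks wider than
    /min_prefix are reported as very broad.
    """
    out = []
    if cfg.get("restrict_by_ip"):
        lines = [l.strip() for l in cfg.get("ip_allowlist", "").splitlines() if l.strip()]
        if not lines:
            out.append("ip_allowlist: restriction selected but list is empty")
        for line in lines:
            try:
                # strict=True rejects blocks with host bits set, e.g. 10.0.0.5/8
                net = ipaddress.ip_network(line, strict=True)
            except ValueError:
                out.append("ip_allowlist: %r is not a valid CIDR block" % line)
                continue
            if net.prefixlen == 0:
                out.append("ip_allowlist: %s allows every address" % net)
            elif net.prefixlen < min_prefix:
                out.append("ip_allowlist: %s is broader than /%d" % (net, min_prefix))
    elif not cfg.get("use_cdn_auth"):
        out.append("access: any client can request content without an authorization code")
    if cfg.get("use_cdn_auth"):  # assumption: both ARNs are needed here
        if not SECRETS_ROLE.fullmatch(cfg.get("secrets_role_arn", "")):
            out.append("secrets_role_arn: expected arn:aws:iam::accountID:role/name")
        if not CDN_SECRET.fullmatch(cfg.get("cdn_secret_arn", "")):
            out.append("cdn_secret_arn: expected arn:aws:secretsmanager:region:accountID:secret:guid")
    return out


# Constructed sample: documentation-range addresses and placeholder ARNs.
SAMPLE = {"restrict_by_ip": True, "ip_allowlist": "203.0.113.0/24\n198.51.100.7",
          "use_cdn_auth": True,
          "secrets_role_arn": "arn:aws:iam::444455556666:role/ExampleSecretsRole",
          "cdn_secret_arn": "arn:aws:secretsmanager:us-west-2:444455556666:secret:EXAMPLE-guid"}

if __name__ == "__main__":
    print(audit_access_control(SAMPLE) or "no findings")
    print(audit_access_control(dict(SAMPLE, ip_allowlist="0.0.0.0/0\n10.0.0.5/8")))
```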

# Stream selection fields
<a name="endpoints-cmaf-include-streams"></a>

Define the streams to include.

The minimum and maximum values take into account only the video bitrates. If the video bitrate is *below the minimum* specified rate, it's *not* included in the output, regardless of the sum of the bitrates for other tracks. Likewise, if the video bitrate is *below the maximum* specified rate, it *is* included in the output, regardless of the sum of the bitrates for other tracks.

1. (Optional) For **Stream order**, choose the order that video bitrates are presented to the player.
   + **Original** to sort the output streams in the same order that the incoming source uses.
   + **Video bitrate ascending** to sort the output streams starting with the lowest bitrate and ending with the highest.
   + **Video bitrate descending** to sort the output streams starting with the highest bitrate and ending with the lowest.

1. (Optional) For **Min video bitrate**, enter the minimum bitrate (in bits per second) that video tracks must be at or above to be available for playback from this endpoint.

1. (Optional) For **Max video bitrate**, enter the maximum bitrate (in bits per second) that video tracks must be at or below to be available for playback from this endpoint.