# Set up CDN integration with MediaTailor
<a name="cdn-configuration"></a>

This section provides guidance on integrating AWS Elemental MediaTailor with a content delivery network (CDN). 

Effective CDN integration with MediaTailor is essential for delivering high-quality streaming experiences with personalized ads at scale. This guide walks you through the complete process of setting up, configuring, and optimizing your CDN integration.

For additional information, see the following links:
+ For information about passing query parameters through CDNs for authorization and ad targeting, see [MediaTailor manifest query parameters](manifest-query-parameters.md). 
+ For advanced routing using dynamic variables and configuration aliases, see [MediaTailor dynamic ad variables for ADS requests](variables.md).
+ For information about creating MediaTailor configurations, see [Using AWS Elemental MediaTailor to insert ads](configurations.md). 
+ For information about creating a CloudFront distribution, see [Creating a distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-creating-console.html) in the CloudFront Developer Guide.

To ensure clarity in this guide, the following terminology is used to describe different types of manifests:
+ **HLS manifests**:
  + *Multivariant playlist*: The top-level manifest that contains links to media playlists
  + *Media playlist*: The second-level manifest with links to content segments
+ **DASH manifests**:
  + *MPD (Media Presentation Description)*: The standard term for DASH manifests

Integrating MediaTailor with a CDN provides the following benefits:
+ Reduced latency for viewers
+ Improved scalability for high-traffic events
+ Enhanced reliability through redundant delivery paths
+ Optimized costs by reducing origin traffic
+ Better protection against DDoS attacks

## CDN integration components and requirements
<a name="cdn-integration-components"></a>

A successful CDN integration with MediaTailor involves configuring the following key components:

**CDN routing behaviors**  
Rules that determine how different types of requests (manifests, content segments, ad segments) are routed through your CDN.

**CDN mapping in MediaTailor**  
Configuration in MediaTailor that ensures manifests reference your CDN domain instead of directly referencing origin servers.

**Security settings**  
Configurations that protect your content and infrastructure, including transport security, access control, and monitoring.

**Testing and validation**  
Procedures to verify that your CDN integration is working correctly before deploying to production.

## Prerequisites for CDN integration
<a name="prerequisites"></a>

Before configuring your CDN integration, ensure you have the following:

1. A MediaTailor configuration with the following settings:
   + Your content origin as the **Content source**
   + Your ADS as the **Ad decision server**

   You need the origin and ADS URLs in the CDN integration steps as well.

1. Access to your CDN's configuration interface

1. Understanding of your CDN's specific terminology for behaviors, rules, and cache settings

1. Knowledge of your content structure, including file extensions used for segments (such as .ts, .mp4, or .m4s)

## CDN integration setup steps
<a name="cdn-integration-workflow"></a>

The process of integrating MediaTailor with a CDN follows these high-level steps:

1. **Configure CDN routing behaviors** - Set up your CDN to route different types of requests appropriately.

1. **Configure CDN mapping in MediaTailor** - Update your MediaTailor configuration to use your CDN domain names.

1. **Implement security best practices** - Configure security settings to protect your content and infrastructure.

1. **Test your integration** - Verify that your CDN integration is working correctly.

## Required headers for MediaTailor CDN integration
<a name="cdn-required-headers"></a>

For MediaTailor to function correctly with your CDN, you must configure your CDN to forward specific HTTP headers. These headers are essential for proper functionality including compression, device detection, ad personalization, and geo-targeting.

Configure your CDN to forward the following headers to MediaTailor:

**`Accept-Encoding`**  
**Purpose**: Required for compression functionality  
**Details**: This header tells MediaTailor which compression methods the client supports. MediaTailor uses this information to compress manifests when possible, reducing bandwidth usage and improving performance. Legacy devices that don't support compression won't send this header, and MediaTailor will return uncompressed manifests.

**`User-Agent`**  
**Purpose**: Required for device detection and ad personalization  
**Details**: MediaTailor analyzes the User-Agent header to identify the client device type, browser, and capabilities. This information is used for ad targeting, device-specific optimizations, and ensuring compatibility with different playback clients.

**`Host`**  
**Purpose**: Required for proper request routing  
**Details**: The `Host` header ensures that requests are routed to the correct MediaTailor endpoint. This is particularly important in multi-tenant environments and when using custom domain configurations.  
Many CDNs, including Amazon CloudFront, do not forward the `Host` header by default. For CloudFront users: See [Configuring cache behaviors](cloudfront-basic-setup.md#cf-cache-behaviors) for configuration instructions.

**`X-Forwarded-For`**  
**Purpose**: Required for client IP detection and geo-targeting  
**Details**: This header preserves the original client IP address when requests pass through your CDN. MediaTailor uses this information for geographic ad targeting, analytics, and compliance with regional content restrictions.

**Important**  
All four headers are required for full MediaTailor functionality. Missing any of these headers can result in reduced functionality, including:  
Inability to compress manifests (missing Accept-Encoding)
Poor ad targeting and device compatibility issues (missing User-Agent)
Request routing failures (missing Host)
Inaccurate geo-targeting and analytics (missing X-Forwarded-For)

For CDN-specific configuration instructions, see the routing behaviors and caching sections that reference this header list.

The following topics provide detailed instructions for each aspect of CDN integration.

**Topics**
+ [CDN integration components and requirements](#cdn-integration-components)
+ [Prerequisites for CDN integration](#prerequisites)
+ [CDN integration setup steps](#cdn-integration-workflow)
+ [Required headers for MediaTailor CDN integration](#cdn-required-headers)
+ [Set up CDN routing behaviors for MediaTailor](cdn-routing-behaviors.md)
+ [Set up CDN mapping in MediaTailor](cdn-mapping-mediatailor.md)
+ [CDN integration security best practices for MediaTailor](cdn-security-best-practices.md)

# Set up CDN routing behaviors for MediaTailor
<a name="cdn-routing-behaviors"></a>

This section explains how to set up your content delivery network (CDN) to route different types of requests appropriately for AWS Elemental MediaTailor integration. Proper routing configuration ensures that manifest requests, content segments, and ad segments are handled correctly.

Configuring CDN routing behaviors is a critical step in creating an efficient content delivery pipeline. By setting up specific routing rules for different content types, you can optimize caching, improve delivery performance, and ensure personalized ad insertion works correctly.

For advanced routing scenarios using dynamic variables and configuration aliases, see [MediaTailor dynamic ad variables for ADS requests](variables.md). For information about preserving query parameters across CDN routing, see [MediaTailor manifest query parameters](manifest-query-parameters.md).

**Important**  
Failure to include CORS headers in either the cached object or on the CDN response to viewers can cause playback failures. 

## CDN routing behavior configuration
<a name="cdn-routing-configuration"></a>

Set up your CDN to route different types of requests appropriately.

### Content segment routing
<a name="content-segment-routing"></a>

Content segment routing directs requests for your actual content segments to your origin server. Like ad segment routing, content segment routing also requires proper CORS configuration to ensure smooth playback in web-based players.

For detailed configuration guidance, see the CloudFront example at [Precedence 4: Content origin path behavior](cf-comprehensive-configuration.md#cf-default-behavior). This example provides specific settings that you should follow for CloudFront or adapt for other CDNs.

Key configuration requirements for content segment routing include:
+ Use path patterns that match your content segment file extensions (like `*.ts`, `*.mp4`, or `*.m4s`)
+ Route requests to your content origin (such as an Amazon S3 Bucket or MediaPackage endpoint)
+ For optimal cache-hit ratio, include only query string parameters that cause your origin to modify the response in the cache key and forward the origin request 
+ Apply an appropriate cache policy with greater than 24-hour TTL values
+ Include CORS response headers to your viewers

### Ad segment routing
<a name="ad-segment-routing"></a>

Ad segment routing is critical for delivering personalized advertisements to viewers. When configuring ad segment routing, you must implement proper CORS (Cross-Origin Resource Sharing) handling to prevent issues that can cause playback failures in web-based players.

For detailed configuration guidance, see the CloudFront example at [Precedence 0: Ad segments path behavior](cf-comprehensive-configuration.md#cf-transcode-manage-behavior). This example provides specific settings that you should follow for CloudFront or adapt for other CDNs.

Key configuration requirements for ad segment routing include:
+ Use the path pattern `/tm/*` specifically for MediaTailor ad segments
+ Route requests to `segments.mediatailor.region.amazonaws.com`
+ For optimal cache-hit ratio, do not include any viewer request headers, cookies, or query string parameters in the cache key or in the origin request
+ Apply an appropriate cache policy with greater than 24-hour TTL values
+ Include CORS response headers to your viewers

### Manifest request routing
<a name="manifest-routing"></a>

To route multivariant playlist, media playlist, and MPD requests to MediaTailor, use the following general settings. For CloudFront configuration, see [Configuring manifest cache behavior](cloudfront-basic-setup.md#cf-manifest-behavior).

1. In your CDN configuration interface, create behaviors for different manifest types.

1. Set path patterns to match multivariant playlist and media playlist file extensions (`*.m3u8` for HLS) and MPD file extensions (`*.mpd` for DASH).

1. Configure the origin setting in your CDN to point to your MediaTailor configuration endpoint.

1. For ad insertion, disable caching of personalized multivariant playlists, media playlists, and MPDs. Because ad insertion provides personalized manifests, your CDN shouldn't cache them. If a different playback device than the one intended receives a cached playlist or MPD, it could result in issues with playback or tracking. For comprehensive caching guidance including TTL recommendations for all content types, see [Caching optimization for CDN and MediaTailor integrations](cdn-optimize-caching.md).

1. Configure header forwarding for all headers. For minimum requirements, see [Required headers for MediaTailor CDN integration](cdn-configuration.md#cdn-required-headers).

1. Enable query string forwarding to pass ad targeting parameters.

------
#### [ HLS multivariant playlist ]

HLS multivariant playlist requests follow these formats:

```
https://<playback-endpoint>/v1/index/<hashed-account-id>/<origin-id>/<index>.m3u8
```

Example:

```
https://777788889999.mediatailor.us-east-1.amazonaws.com/v1/master/a1bc06b59e9a570b3b6b886a763d15814a86f0bb/Demo/assetId.m3u8
```

------
#### [ HLS media playlist ]

HLS media playlist requests follow these formats:

```
https://<playback-endpoint>/v1/manifest/<hashed-account-id>/<session-id>/<manifestNumber>.m3u8
```

Player requests to `https://CDN_Hostname/some/path/asset.m3u8` are routed to the MediaTailor path `https://mediatailor.us-west-2.amazonaws.com/v1/session/configuration/endpoint` based on the keyword `*.m3u8` in the request.

Example:

```
https://777788889999.mediatailor.us-east-1.amazonaws.com/v1/manifest/a1bc06b59e9a570b3b6b886a763d15814a86f0bb/c240ea66-9b07-4770-8ef9-7d16d916b407/0.m3u8
```

------
#### [ DASH MPD ]

DASH MPD requests follow these formats:

```
https://<playback-endpoint>/v1/dash/<hashed-account-id>/<origin-id>/<assetName>.mpd
```

Player requests to `https://CDN_Hostname/some/path/asset.mpd` are routed to the MediaTailor path `https://mediatailor.us-west-2.amazonaws.com/v1/dash/configuration/endpoint` based on the keyword `*.mpd` in the request.

Example:

```
https://777788889999.mediatailor.us-east-1.amazonaws.com/v1/dash/a1bc06b59e9a570b3b6b886a763d15814a86f0bb/Demo/0.mpd
```

------

## CDN routing best practices
<a name="cdn-routing-best-practices"></a>

When configuring CDN routing behaviors, follow these best practices to ensure optimal performance and reliability:

**Use specific path patterns**  
Create specific path patterns that accurately match your content structure to ensure proper routing.

**Prioritize behavior order**  
In most CDNs, behaviors are evaluated in order. Place more specific behaviors before more general ones.

**Test behavior patterns**  
Verify that your path patterns correctly match the expected requests before deploying to production.

**Document your configuration**  
Maintain documentation of your CDN routing behaviors to facilitate troubleshooting and future updates.

## Next steps
<a name="cdn-routing-next-steps"></a>

After configuring your CDN routing behaviors, the next step is to configure CDN mapping in MediaTailor. See [Set up CDN mapping in MediaTailor](cdn-mapping-mediatailor.md) for instructions.

# Set up CDN mapping in MediaTailor
<a name="cdn-mapping-mediatailor"></a>

This section explains how to configure AWS Elemental MediaTailor to use your content delivery network (CDN) domain names. After setting up your CDN routing behaviors, you need to update your MediaTailor configuration to ensure that manifests reference your CDN domain instead of directly referencing origin servers.

Configuring CDN mapping in MediaTailor ensures that all content and ad segment URLs in your manifests point to your CDN rather than directly to origin servers. This step is essential for creating a complete CDN delivery chain and maximizing the benefits of your CDN integration.

## CDN mapping configuration in MediaTailor
<a name="mediatailor-configuration"></a>

After setting up your CDN routing behaviors, configure MediaTailor to use your CDN domain names:

1. Open the [MediaTailor console](https://console.aws.amazon.com/mediatailor/home).

1. Select the configuration you want to update.

1. In the **Advanced settings** of the **CDN configuration** section, enter your CDN domain name in the **CDN content segment prefix** field.

1. If you're using a separate CDN domain for ad segments, enter it in the **CDN ad segment prefix** field.

1. Save your changes.

This configuration ensures that MediaTailor generates manifests with URLs that point to your CDN instead of directly to the origin or ad segment storage.

### Understanding base URL behavior
<a name="base-url-behavior"></a>

MediaTailor determines base URLs in manifests based on your CDN prefix configuration:
+ **CDN ad segment prefix configured**: Ad segments use the CDN prefix as the base URL.
+ **CDN ad segment prefix not configured**: Ad segments use the direct MediaTailor location as the base URL.
+ **CDN content segment prefix configured**: Content segments use the CDN prefix as the base URL.
+ **CDN content segment prefix not configured**: Content segments reference the original content origin.

#### DASH BaseURL handling
<a name="dash-baseurl-handling"></a>

For DASH manifests, MediaTailor manages `BaseURL` settings differently for content and ad segments:

**Content segments:**
+ **With CDN content segment prefix**: MediaTailor sets exactly one `BaseURL` at the `MPD` level using your specified prefix.
+ **Without CDN content segment prefix**: MediaTailor preserves existing `BaseURL` settings from the origin manifest, or adds one based on the origin `MPD` URL if none exist.

**Ad segments:**
+ **With CDN ad segment prefix**: Each ad period gets exactly one `BaseURL` using the configured prefix.
+ **Without CDN ad segment prefix**: Each ad period gets exactly one `BaseURL` pointing to the MediaTailor ad content server.

**Example CDN mapping example**  
If your content origin is `http://origin.com/contentpath/` and your CDN content segment prefix is `https://cdn.example.com/`, then a content segment that would normally be referenced as `http://origin.com/contentpath/subdir/content.ts` will appear in the manifest as `https://cdn.example.com/subdir/content.ts`.

## Important considerations
<a name="cdn-mapping-considerations"></a>

When configuring CDN mapping in MediaTailor, keep the following important considerations in mind:

**Use HTTPS for CDN prefixes**  
Always use HTTPS URLs for your CDN prefixes to ensure secure content delivery.

**Match CDN behavior paths**  
Ensure that the CDN prefixes you configure in MediaTailor match the path patterns you configured in your CDN behaviors.

**Consider regional CDNs**  
If you're using different CDN domains for different regions, you'll need to create separate MediaTailor configurations for each region.

**Verify domain ownership**  
Ensure that you have control over the CDN domains you configure in MediaTailor.

## Verify CDN mapping configuration
<a name="cdn-mapping-verification"></a>

After configuring CDN mapping in MediaTailor, verify that your configuration is working correctly:

1. Request a manifest through your CDN.

1. Examine the manifest content to verify that segment URLs reference your CDN domain.

1. Check that content segment URLs in the manifest point to your CDN domain.

1. Check that ad segment URLs in the manifest point to your CDN domain.

For comprehensive testing and validation procedures, see [Testing and validation for CDN and MediaTailor integrations](cdn-integration-testing.md).

## Next steps
<a name="cdn-mapping-next-steps"></a>

After configuring CDN mapping in MediaTailor, the next step is to implement security best practices for your CDN integration. See [CDN integration security best practices for MediaTailor](cdn-security-best-practices.md) for instructions.

# CDN integration security best practices for MediaTailor
<a name="cdn-security-best-practices"></a>

This section explains how to implement security best practices for your AWS Elemental MediaTailor content delivery network (CDN) integration. Proper security configuration helps protect your content and infrastructure from unauthorized access and potential threats.

Securing your CDN integration is crucial for protecting your content, preventing unauthorized access, and ensuring compliance with security requirements. Implementing these best practices helps create a robust security posture for your streaming workflow.

## CDN security configuration
<a name="cdn-security-settings"></a>

Before configuring your CDN routing and cache settings, implement these security best practices to protect your content and infrastructure:

### Transport security
<a name="transport-security"></a>

MediaTailor only uses HTTPS for all communication and does not allow HTTP connections. To ensure secure communication between all components in your streaming workflow, complete the following steps:

1. Configure HTTPS for all communication between your CDN and MediaTailor endpoints. MediaTailor requires HTTPS and will not accept HTTP connections.

1. Use TLS 1.2 or later for all HTTPS connections.

1. Configure your CDN to enforce HTTPS-only connections from viewers.

### Access control
<a name="access-control"></a>

To protect your content and infrastructure from unauthorized access, implement the following access controls:

1. Configure geo-restriction settings if you need to limit content access to specific regions.

1. Implement signed URLs or signed cookies for content that requires viewer authentication.

1. Set up IP-based allowlists for administrative access to CDN configuration.

### Security monitoring
<a name="security-monitoring"></a>

To detect and respond to security events effectively, implement the following monitoring practices:

1. Enable access logging for your CDN distribution.

1. Set up alerts for unusual traffic patterns or access attempts.

1. Regularly review security configurations and update as needed.

## Advanced security features
<a name="advanced-security-features"></a>

The following advanced security features provide enhanced protection for your CDN integration:

**Web Application Firewall (WAF)**  
If your CDN supports WAF functionality, configure it to protect against common web vulnerabilities and attacks.

**DDoS protection**  
Enable DDoS protection features provided by your CDN to mitigate distributed denial-of-service attacks.

**Origin access control**  
Configure your origin servers to accept requests only from your CDN to prevent direct access attempts.

**Content encryption**  
For highly sensitive content, consider implementing additional encryption mechanisms beyond transport security.

## Next steps
<a name="security-best-practices-next-steps"></a>

After implementing security best practices, the next step is to test and troubleshoot your CDN integration. See [Troubleshoot CDN integration](cdn-troubleshooting.md) for comprehensive testing and troubleshooting instructions.