Challenge

A major media and entertainment enterprise needed a cloud-based studio solution that met stringent security requirements. The architecture needed to ensure no component was directly exposed to the internet. Specific challenges included:

  • Prohibiting the use of public IP addresses across the architecture.
  • Implementing fine-grained Network Access Control Lists (NACLs) and Security Groups for enhanced security.
  • Adopting a Multi-Factor Authentication (MFA) system through Okta for secure user authentication.
  • Ensuring that the Load Balancer remained inaccessible from the internet.

Solution Implementation

To meet these requirements, a comprehensive solution was implemented, leveraging multiple AWS services and technologies to ensure security, scalability, and performance. The architecture was adjusted to:

  • Use Amazon CloudFront distribution for user authentication.
  • Employ AWS Global Accelerator for the streaming layer.
  • Configure AWS WAF (Web Application Firewall) for both CloudFront and Global Accelerator to accept connections exclusively from HP Anywhere.


Workflow Overview

The workflow was structured to integrate authentication and streaming processes seamlessly:

  1. Users authenticate through a flow managed by an Amazon CloudFront distribution integrated with the Okta identity provider (IdP).
  2. After successful authentication, users are redirected to the AWS Global Accelerator to initiate the streaming flow.
  3. Streaming traffic passes through the Global Accelerator, enabling access to the authorized Amazon EC2 instances for streaming. This approach eliminates the need for public IP addresses, enhancing both security and connection efficiency.

Services and Technologies Used to Ensure Studio Security

  • Amazon CloudFront: Managed authentication flow and provided a secure entry point for users.
  • AWS Global Accelerator: Enhanced streaming performance by directing traffic to the closest available endpoint.
  • AWS WAF: Added an additional security layer to filter and control incoming requests.
  • Okta: Facilitated secure Multi-Factor Authentication for user access.
  • Amazon EC2: Hosted the streaming instances within the secure environment.
  • NACLs and Security Groups: Provided granular network access controls to enforce security policies.
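The controls listed above can be verified rather than assumed. The following Python script is an added example (not TrackIt's code or the customer's) that audits an environment against the stated requirements: no customer-managed instance carries a public IP, every load balancer is internal, security-group ingress comes only from inside the VPC, and the WAF web ACL blocks by default and allows only traffic matching an IP set. The input dictionaries follow the shape of the EC2, ELBv2 and WAFv2 API responses so the same functions can be pointed at live `describe_*`/`get_web_acl` output; the sample data, the VPC range, the ARN and the group names below are all constructed for the example.

```python
"""Posture audit for a no-public-IP studio architecture (added example, constructed data)."""
import ipaddress

# Constructed VPC range; in a real audit take this from the VPC's CidrBlock.
INTERNAL_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed samples shaped like boto3 responses. One entry of each kind violates a requirement.
INSTANCES = [
    {"InstanceId": "i-stream-01", "PrivateIpAddress": "10.0.1.10"},
    {"InstanceId": "i-stream-02", "PrivateIpAddress": "10.0.1.11",
     "PublicIpAddress": "203.0.113.25"},  # violates "no public IP addresses"
]
LOAD_BALANCERS = [
    {"LoadBalancerName": "studio-alb", "Scheme": "internal"},
    {"LoadBalancerName": "legacy-alb", "Scheme": "internet-facing"},  # reachable from the internet
]
SECURITY_GROUPS = [
    {"GroupId": "sg-stream", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # open to the world
]
WEB_ACL = {
    "Name": "studio-waf",
    "DefaultAction": {"Block": {}},  # deny unless a rule explicitly allows
    "Rules": [{
        "Name": "allow-streaming-client-egress",
        "Action": {"Allow": {}},
        # Placeholder ARN: the IP set would hold the streaming client's egress ranges.
        "Statement": {"IPSetReferenceStatement": {
            "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/client-egress/PLACEHOLDER-ID"}},
    }],
}


def public_ip_findings(instances):
    """Instance IDs that have a public IPv4 address attached."""
    return [i["InstanceId"] for i in instances if i.get("PublicIpAddress")]


def internet_facing_lbs(load_balancers):
    """Load balancers whose scheme is anything other than 'internal'."""
    return [lb["LoadBalancerName"] for lb in load_balancers if lb.get("Scheme") != "internal"]


def open_ingress_findings(security_groups, allowed_sources=INTERNAL_SOURCES):
    """(GroupId, CidrIp) pairs whose ingress source is not contained in an allowed internal range."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                # subnet_of() only compares same-version networks, so filter by version first.
                inside = any(net.version == a.version and net.subnet_of(a) for a in allowed_sources)
                if not inside:
                    findings.append((sg["GroupId"], rng["CidrIp"]))
    return findings


def waf_is_allowlist_only(web_acl):
    """True when the web ACL blocks by default and every Allow rule is an IP-set match."""
    default_block = "Block" in web_acl.get("DefaultAction", {})
    allow_rules = [r for r in web_acl.get("Rules", []) if "Allow" in r.get("Action", {})]
    ip_set_only = bool(allow_rules) and all(
        "IPSetReferenceStatement" in r.get("Statement", {}) for r in allow_rules)
    return default_block and ip_set_only


def run_audit(instances=INSTANCES, load_balancers=LOAD_BALANCERS,
              security_groups=SECURITY_GROUPS, web_acl=WEB_ACL):
    """Collect findings for all four requirements; 'compliant' is True only when none are found."""
    report = {
        "public_ips": public_ip_findings(instances),
        "internet_facing_lbs": internet_facing_lbs(load_balancers),
        "open_ingress": open_ingress_findings(security_groups),
        "waf_allowlist_only": waf_is_allowlist_only(web_acl),
    }
    report["compliant"] = (not report["public_ips"] and not report["internet_facing_lbs"]
                           and not report["open_ingress"] and report["waf_allowlist_only"])
    return report


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

The security-group check deliberately tests containment in the VPC range rather than looking only for `0.0.0.0/0`, so an overly broad rule such as a `/0` or an unrelated public block is caught either way. NACL rules can be checked the same way from `describe_network_acls` output, since their `CidrBlock` entries have the same shape.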

Results and Outcome

The solution delivered significant improvements in both security and performance. Key achievements included:

  • Enhanced Security: The architecture ensured that no customer-managed resources had public IP addresses or were directly exposed to the internet.
  • Improved Performance: Utilizing AWS Global Accelerator for streaming optimized connection speeds and reduced latency.

About TrackIt

TrackIt is an international AWS cloud consulting, systems integration, and software development firm headquartered in Marina del Rey, CA.

We have built our reputation on helping media companies architect and implement cost-effective, reliable, and scalable Media & Entertainment workflows in the cloud. These include streaming and on-demand video solutions, media asset management, and archiving, incorporating the latest AI technology to build bespoke media solutions tailored to customer requirements.

Cloud-native software development is at the foundation of what we do. We specialize in Application Modernization, Containerization, Infrastructure as Code and event-driven serverless architectures by leveraging the latest AWS services. Along with our Managed Services offerings, which provide 24/7 cloud infrastructure maintenance and support, we are able to provide complete solutions for the media industry.