Create a private endpoint for a Streaming Endpoint
Warning
Azure Media Services will be retired June 30th, 2024. For more information, see the AMS Retirement Guide.
This article shows you how to use a private endpoint for a Media Services Streaming Endpoint. You'll be creating a private endpoint resource which is a link between a virtual network and a streaming endpoint. This deployment creates a network interface IP address inside the virtual network. The private link allows devices in your VNet to connect to the streaming endpoint in the Media Services account.
Although a private link is used with the Azure products Private Link and Private Link service, the private link used for this exercise is simply the link between the resource and the private endpoint.
The virtual network created for this walk-though is just to assist with the example.
Restricting access
Internet access to the endpoints in the Media Services account can be restricted in one of two ways:
- Restricting access to all resources within the Media Services account.
- Restricting access separately for each resource by using the IP allowlist.
Creating a private endpoint DOES NOT implicitly disable internet access to it.
Warning
Completing this exercise will incur costs.
Prerequisites
Create a resource group for this exercise
Important
It is important that you create all of the resources for this exercise in the same region. Otherwise, the VNet and VM steps will not work. Decide which region you want to work with based on your subscription VM allowances.
Create a VNet and a VM
Complete the Quickstart: Create a private endpoint by using the Azure portal to create the VNet and a VM for this exercise. In other words, don't delete the resources at the end.
After you have created the VNet and the VM, return to this page and continue.
Create a media services account
Create a Media Services account with the portal
Sign in at the Azure portal.
Select +Create a resource.
In the search field, enter "Media Services" and select Enter. Search results will appear including a card for Media Services.
Select the Media Services card. The Media Services detail screen will appear.
Select Create. The Create a Media Services account screen will appear.
In the Create a Media Services account section enter required values.
Name Description Account Name Enter the name of the new Media Services account. A Media Services account name is all lowercase letters or numbers with no spaces, and is 3 to 24 characters in length. Subscription If you have more than one subscription, select one from the list of Azure subscriptions that you have access to. Resource Group Select the new or existing resource. A resource group is a collection of resources that share lifecycle, permissions, and policies. Learn more here. Location Select the geographic region that will be used to store the media and metadata records for your Media Services account. This region will be used to process and stream your media. Only the available Media Services regions appear in the drop-down list box. Storage Account Select a storage account to provide blob storage of the media content from your Media Services account. You can select an existing storage account in the same geographic region as your Media Services account, or you can create a new storage account. A new storage account is created in the same region. The rules for storage account names are the same as for Media Services accounts.
You must have one Primary storage account and you can have any number of Secondary storage accounts associated with your Media Services account. You can use the Azure portal to add secondary storage accounts. For more information, see Azure Storage accounts with Azure Media Services accounts.
The Media Services account and all associated storage accounts must be in the same Azure subscription. It is strongly recommended to use storage accounts in the same location as the Media Services account to avoid additional latency and data egress costs.Advanced settings Select a previously created user managed identity from the dropdown list or create a new user managed identity by selecting the link. Important
All new Media Services accounts require a user-managed identity. Previously created accounts that have a system-managed identity have not changed.
Select the checkbox next to "I have all the rights to use the content/file, and agree that it will be handled per the Online Services Terms and the Microsoft Privacy Statement." to confirm and continue.
Click Review + create or add tags with the Next:Tags button.
Click Create on the following screen. Deployment will begin.
A default Streaming Endpoint (called default) is created when you create the account. Creating a User Managed Identity is also required during the setup process.
Upload files
Note
Media Services doesn't limit the file size for uploading videos.
- Navigate to the Media Services account you want to work with.
- Select Assets.
- Select the + Upload. The Upload a video asset screen appears.
- Select the folder icon next to the Upload files field.
- Select the media files to upload. An asset naming field will appear. You can change the name or use the default name. If more than one media file is uploaded, more than one asset will be created. An asset naming field will appear for each.
- Select I agree and upload. The upload begins. When the upload is finished, the new asset(s) will be listed in the Assets screen.
Create a transform, job and streaming locator
In order to stream media, the video you uploaded needs to be encoded. A transform is an encoding method for the video.
Create a transform with the portal
- Navigate to the Media Service account you want to work with.
- Select Transforms + jobs.
- Select Add transform. The Add transform screen will appear.
- Enter a transform name in the Transform name field.
- Optional: Add a description in the Description field.
- Select a transform type from the Transform type dropdown list. You can select from one of the following types:
- Encoding Use a built-in Standard Encoder preset to encode video or audio.
- Copy Copy video and/or audio stream into an asset that can be streamed.
- Video and audio analyzer Extract video and/or audio insights from the input media.
- Audio transcription Apply a set of audio analysis operations such as speech-to-text transcription
- Face detection Detect occurrences of faces in video timestamps and outputs a JSON format file. The asset must contain a video file.
- Select a category from the Built-in preset category dropdown list. The Built-in preset dropdown menu selections will change depending on what you select.
- HEVC (H.265) Generate video and audio output using the HEVC (H.265) codec presets.
- H.264 Generate video and audio output using the H.264 codec presets.
- Audio only Generate audio only
- Select the preset you want to use from the Built-in preset dropdown list. ContentAwareEncoding is the recommended preset.
- Select an optimization from the Performance optimization dropdown list. You can select from Balance optimized, Speed optimized, or Quality optimized.
- Select Add.
To encode the video, you must create an encoding job, that uses the transform to encode the video.
Create a job in the portal
- Navigate to the Media Services account you want to work with.
- Select Transforms + jobs from the menu.
- Select the transform you want to use for the job. The transform screen will appear.
- Select Add job. The Create a job screen will appear.
- For the Input source, the Asset radio button should be selected by default. If not, select it now.
- Select Select an existing asset. The Select an asset screen will appear.
- Select one of the assets in the list. You can only select one at a time for the job.
- Select Select.
- For the transform, select the Use existing radio button.
- Select a transform from the Transform dropdown list.
- Under Configure output, default settings will be auto-populated. You can leave them as they are or change them.
- Select Create.
- Select Transforms + Jobs. The transform will now show up in the table of jobs along with its status.
- To see details about the job, select the job listed under Name in the table of jobs. The job detail screen will open.
- Select the output asset Asset name from the Outputs list. The asset screen will open.
- Select the link for the asset next to Storage container. A new browser tab will open and you'll see the results of the job that used the transform. There should be several files in the output asset such as:
- Encoded video files with .mpi and .mp4 extensions.
- A XXXX_.ism file.
- A XXXX.isc file.
- A ThumbnailXXXX.jpg file.
Create a streaming locator in the portal
- Navigate to the Media Services account you want to work with.
- Select Assets from the menu. The assets screen will appear.
- Under Streaming locators, select + New streaming locator. The Add streaming locator screen will appear.
- Enter a name for the streaming locator in the Name field, if you want to change the default name.
- Select a streaming policy from the Streaming policy dropdown list.
- If you have created a content key policy, select the content key policy from the Content key policy dropdown list.
- Set the Expiration time if needed.
- If you have created an asset filter, select the asset filter from the Filters dropdown list.
- Enter a streaming locator Id in the Streaming locator ID field if you want to configure the ID yourself. Otherwise, a streaming locator will be generated for you.
- Select New streaming locator. The Add streaming locator screen will appear and a default name for the locator will appear. You can change it or leave it as is.
- Select the Streaming policy policy that you want to use from the dropdown list.
- Select Add. The video will start playing in the player on the screen, and the Streaming URL field will be populated.
- Select Show URLs in the Streaming locator list. The Streaming URLs screen will appear.
Start the streaming endpoint
- Navigate to the Media Services account you created.
- Select Streaming endpoints from the menu. The Streaming endpoints screen will appear.
- Select the default Streaming endpoint that you created when you set up the Media Services account. The default Streaming endpoint screen will appear.
- Select Start. Start options will appear.
- Select Start. The Streaming endpoint will start running. The endpoint is still Internet facing.
Get the streaming URL
Once you have started the streaming endpoint, you can get the streaming URLs for use with a media player.
- In the streaming locators list for the asset you are working with, select Show URLs. The Streaming URLs sceen will appear.
- Copy the HLS streaming URL into your clipboard.
Test without an IP allow list or a private endpoint
Before creating a private endpoint, we will see how this works without it.
- In a new browser window or tab on your development device, go to the Azure Media Player demo page.
- Paste the URL into the URL field of the player interface.
- Select Update.
Your video now streams to the Internet. This is because default streaming endpoints allow access to the Internet.
Change the IP allow list for the streaming endpoint
Now you will change the IP allow list to block all access from the Internet.
- In the portal, navigate to the default streaming endpoint for the Media Services account you are working with.
- Select Settings. The Settings screen will appear.
- Select the Specified IP addresses radio button.
- In the Name field, enter a name for your addresses, such as Allow none.
- In the Addresses field, enter 0.0.0.0.
- In the Subnet Prefix Length field, enter 32.
- Select Save.
- IMPORTANT! Clear your browser cache. Otherwise you will be playing video fragments that are in the cache.
- Refresh the Azure Media Player browser window. You should receive a streaming error.
Create a private endpoint
Now you'll create a private endpoint for the streaming endpoint and be able to stream the video within the VNet, using the VM.
- In the portal, navigate to the Media Services account you are working with.
- Select Networking from the menu
- Select the private endpoint connections tab. The private endpoint connection screen will appear.
- Select Add a private endpoint. The Create a private endpoint screen will appear.
- In the Name field, give the private endpoint a name.
- From the Region dropdown list, select the same region you have been working with (it may already be selected).
- Select Next: Resource. The Resource screen will appear.
Assign the private endpoint to the streaming resource type
- From the Connection methods radio buttons, select the Connect to an Azure resource in my directory radio button.
- From the Resource type dropdown list, select Microsoft.Media/mediaservices.
- From the Resource dropdown list, select the Media Services account you created.
- From the Target sub-resource dropdown list, select streaming endpoint.
- Select Next: Virtual Network.
Deploy the private endpoint to the virtual network
- From the Virtual network dropdown list, select the virtual network you created earlier.
- From the Subnet dropdown list, select the subnet your created earlier.
- Stay on this screen.
Create the DNS zone
To use the streaming endpoint inside your virtual network, create private DNS zones. You can use the same DNS name and get back the private IP address of the streaming endpoint.
On this screen, the Configuration name, Subscription, Resource group, Private DNS zone should already be pre-populated.
- Leave all the settings as they are and select Next: Tags.
- Optionally, add tags, the select Review + create.
- Double-check your settings, then select Create.
Test the streaming URL with the VM in the Vnet
- Copy the URL from the Azure Media Player window on your desktop.
- Connect to your VM using the bastion host as you did before in the quickstart.
- Open a browser in your VM and paste the URL in the URL field.
You should see the video playing since the VM is part of the VNet and is using the private endpoint so it isn't blocked by the IP allow list.
ARM template
You can use ARM templates to automate deployment. While the deployment is in progress, it's also creating an Azure Resource Manager (ARM) template. To see the template, select Template from the menu.
Clean up resources
If you aren't planning to use the resources created in this exercise, simply delete the resource group. If you don't delete the resources, you will be continue to be billed for them.