Monitoring surveillance camera feeds on AWS with multicast technology

As governments seek to improve security and safety in public places, video surveillance in the public sector is a rapidly growing technology. Video surveillance is increasingly being used in public places such as airports, train stations, public transportation, schools, and government buildings. Governments all over the world aim to put in place various measures to encourage the use of video surveillance, such as the Smart Cities Mission, which aims to make cities more liveable and sustainable through the use of technology. The mission entails installing CCTV cameras in public places as well as integrating various technologies such as facial recognition and license plate recognition.

In most cases, video is streamed over networks using either unicast or multicast transmissions. With unicast, only the intended recipient receives the video packets. Unless they are specifically involved in the forwarding process or configured to capture network traffic, other devices on the network do not receive a copy of the video packet. With multicast, packets are sent to all members of the multicast group at the same time. This enables real-time or near real-time data distribution, making it suitable for applications requiring large-scale content distribution, such as live video streaming and audio streaming.

Introducing multicast technology on AWS

Multicast technology has emerged as a solution for large-scale video surveillance deployments in which one sender must distribute data to multiple recipients at the same time. It distributes video efficiently to all recipients at once, reducing network load, latency, network bandwidth, and cost.

Amazon Web Services (AWS) is the first cloud provider to support the native IPv4 multicast solution on transit gateway, which will enable customers to migrate their applications to the cloud and take advantage of the elasticity and scalability that AWS provides. Similar to routing domains, multicast domains allow you to segment your multicast network into different domains, making the transit gateway act as multiple multicast routers.

With multicast support on AWS Transit Gateway, AWS makes it simple for customers to build multicast applications in the cloud and easily monitor, manage, and scale multicast configurations with hundreds of receivers.

This post focuses on how multicast technology can be used in video surveillance using a video management solution of your choice hosted on AWS. Multicast feeds from individual cameras connected over a multiprotocol label switching (MPLS) network can be sent to multiple monitoring locations at the same time. This extends to hybrid deployments with on-premises data centers and AWS disaster recovery (DR) sites where both can receive multicast streams directly from cameras, eliminating the need for backhauling traffic between them.

Solution overview 

The proposed solution was developed to demonstrate the multicast compatibility of video management systems (VMSs) in the AWS environment.

The multicast streams from the cameras installed in remote locations need to be sent to the VMS server hosted on AWS. The media server is a component in the video management system that is used for live streaming, replaying and recording video, user management, and access control. The constituent parts of this solution are:

Compute and other infrastructure components deployed on AWS

Telco and network connectivity

  • MPLS connectivity from remote camera locations extended to AWS through AWS Direct Connect
  • Generic Routing Encapsulation (GRE) tunnel from the customer edge router to the Amazon Elastic Compute Cloud (Amazon EC2) instance hosting the Cisco CSR 8000v virtual router
  • Telco to enable multicast on the MPLS network
  • Layer 3 reachability from camera to the VMS server

Integrated command and control center (ICCC)

  • Telco last-mile connectivity
  • Monitoring stations

Multicast Architecture showcasing connectivity between camera site and AWS

Figure 1: High-level architecture for the solution

AWS Services involved

  • Amazon EC2
    • Cisco CSR 8000v virtual router
      • The Cisco Catalyst 8000V cloud services router (CSR) was installed from the AWS Marketplace on an Amazon EC2 machine inside the VPC.
      • Amazon EC2 is configured with three elastic network interfaces:
        • To terminate GRE tunnel
        • Interface through which traffic is sent to Transit Gateway
        • Management interface
      • An overlay GRE tunnel between the Cisco CSR on Amazon EC2 and the telco provider edge routers is used to receive multicast over Direct Connect in the AWS environment. Because Direct Connect doesn’t support forwarding of multicast traffic natively, we built an overlay GRE tunnel between the Cisco CSR on Amazon EC2 and the customer edge routers to encapsulate multicast traffic in GRE and send it over Direct Connect.
    • Video Management Solution
      • Follow the VMS vendor recommendations for configuring the VMS media server on an Amazon EC2 machine to receive multicast from the cameras.
  • AWS Transit Gateway
    Transit Gateway is a service that connects Amazon Virtual Private Cloud (VPC) and on-premises networks through Direct Connect or AWS Site-to-Site VPN. In this demo, we used Transit Gateway to distribute video streams for video surveillance because it supports forwarding of multicast traffic. Transit Gateway can route multicast traffic between attached VPC subnets and acts as a multicast router for instances sending multicast traffic to multiple receiving instances.

To set up the Transit Gateway:

    1. Attach the Transit Gateway to the VPC where the multicast sender and receiver instances reside. In this scenario, the Cisco router acts as the multicast sender inside the VPC and receives the multicast streams from the cameras over the GRE tunnel.
    2. In Transit Gateway, create a multicast domain and register the Cisco CSR network interface to it through which multicast traffic must be routed inside the VPC. (This network interface will be different from the network interface on which the GRE tunnel is terminated. Keeping a separate interface simplifies the routing of multicast traffic on Cisco CSR, and you can apply different security groups on this interface to allow the multicast traffic from Transit Gateway.)
    3. Register the receivers’ network interfaces to the Transit Gateway multicast domain for the VMS media server to receive the multicast feed.
  • AWS Direct Connect
    AWS Direct Connect is set up to extend private network connectivity between the camera location and AWS.

Prerequisites

Network connectivity requirements:

  • Establish private IP connectivity between cameras, Amazon VPC, and ICCC.
  • AWS Direct Connect with the private virtual interface (VIF) and the virtual private gateway.

In this scenario, we are extending the private network from the camera location to AWS through Direct Connect to build IP connectivity with the AWS VPC that contains the virtual router. The internal IP addresses of the virtual router and the customer edge router would be advertised as part of the Border Gateway Protocol (BGP) advertisements across the private virtual interface.

Configuration Walkthrough

To receive the multicast in an AWS environment, we installed a Cisco CSR virtual router on an Amazon EC2 machine within the VPC and established an overlay GRE tunnel between the telco PE router and Cisco CSR. The CSR router should be deployed in each Availability Zone to achieve high availability. For simplicity, we have shown CSR deployment in one Availability Zone.

We used a second network interface attached to the Cisco CSR running in a VPC to forward the received multicast traffic to Transit Gateway.

Overlay network and tunnel

Figure 2: Overlay network configurations

  1. Multicast configuration in Cisco CSR
    The following configuration shows the multicast settings required to enable IP multicast routing on the Cisco CSR router.

        ! Enable multicast routing globally
        ip multicast-routing distributed
        !
        ! GRE overlay tunnel interface, running PIM sparse mode
        interface Tunnel10
         ip address 20.0.0.1 255.255.255.0
         ip pim sparse-mode
         load-interval 30
         tunnel source 10.0.1.250
         tunnel destination 10.254.254.1
        !
        ip forward-protocol nd
        ! Static rendezvous point and the default SSM range
        ip pim rp-address 10.0.1.250
        ip pim ssm default
        ! Static multicast route with next hop 20.0.0.2 on the Tunnel10 subnet
        ip mroute 0.0.0.0 0.0.0.0 20.0.0.2

    We configured Protocol Independent Multicast (PIM) sparse mode, which makes use of rendezvous points (RPs) in the network.

    • Each router that receives multicast traffic from a source will forward it to the RP.
    • Each router that wants to receive multicast traffic will go to the RP.

    To verify multicast settings such as PIM neighbors, the source of the RP mapping, or the source or receiver target groups on the router interfaces, refer to the Cisco product documentation and validate the multicast configuration that enables multicast routing on the CSRs.

  2. Multicast configuration in AWS Transit Gateway
    We created a Transit Gateway, enabled multicast, and then created a transit gateway multicast domain, which allows multicast traffic from your multicast source to multicast group members to be sent over VPC attachments that you associate with the domain. Use the following steps to configure multicast domains in Transit Gateway:

    • Configure Transit Gateway and enable the ability to create multicast domains in this transit gateway.
    • Configure Transit Gateway attachment and attach a VPC to a transit gateway.
    • Create transit gateway route table and configure routing for your transit gateway attachments.
    • Create a transit gateway multicast domain.

    For detailed guidance on setup, refer to Integrating external multicast services with AWS.

  3. Multicast configuration in the camera
    Under the network settings of the camera:

    • Assign the IP address and associated configurations of the camera.
    • Configure the Internet Group Management Protocol (IGMP) settings to control the video traffic, and define the multicast IP address that the camera will use as the destination multicast IP to forward the feeds.
    • Under the audio and video settings, define bitrate as CBR and 4000 Kbps to keep the bitrate consistent and reliable.
    • Repeat these steps for additional cameras.
  4. Multicast configuration in the VMS server
    The VMS application is installed on an EC2 instance. In order to configure cameras on the network to multicast their video streams to the VMS server, start the VMS application interface and enter the camera details.

    • Enter the camera IP, username, password, multicast URL, model, and type.
    • Select Multicast as the transmission mode.
    • Repeat these steps for additional cameras.

    At this point, the multicast configurations on all the components are complete.
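An added example, not part of the original post: a drift check that compares the sources and members Transit Gateway reports for a multicast domain against the intended state described above (the CSR forwarding interface as the only sender, the VMS media servers as the only receivers). The sample response is constructed in the shape returned by `aws ec2 search-transit-gateway-multicast-groups`; the ENI names, group addresses and the `audit_multicast_groups` helper are assumptions.

```python
# Constructed sample in the shape of `aws ec2 search-transit-gateway-multicast-groups`
# output; ENI names and group addresses are placeholders, not values from the post.
SAMPLE = {"MulticastGroups": [
    {"GroupIpAddress": "239.10.10.1", "NetworkInterfaceId": "eni-csr-mcast",
     "GroupSource": True, "GroupMember": False, "SourceType": "static"},
    {"GroupIpAddress": "239.10.10.1", "NetworkInterfaceId": "eni-vms-primary",
     "GroupSource": False, "GroupMember": True, "MemberType": "static"},
    {"GroupIpAddress": "239.10.10.1", "NetworkInterfaceId": "eni-vms-secondary",
     "GroupSource": False, "GroupMember": True, "MemberType": "static"},
    {"GroupIpAddress": "239.10.10.1", "NetworkInterfaceId": "eni-unknown-host",
     "GroupSource": False, "GroupMember": True, "MemberType": "igmp"},
    {"GroupIpAddress": "239.10.10.2", "NetworkInterfaceId": "eni-gre-termination",
     "GroupSource": True, "GroupMember": False, "SourceType": "static"},
]}

# Intended state (assumed): per camera group, the CSR forwarding ENI is the only
# source and the two VMS media servers are the only receivers.
VMS = {"eni-vms-primary", "eni-vms-secondary"}
EXPECTED = {
    "239.10.10.1": {"sources": {"eni-csr-mcast"}, "members": VMS},
    "239.10.10.2": {"sources": {"eni-csr-mcast"}, "members": VMS},
}


def audit_multicast_groups(response, expected):
    """Return sorted (group, eni, finding) tuples where reality differs from `expected`."""
    findings = []
    seen = {g: {"sources": set(), "members": set()} for g in expected}
    for entry in response.get("MulticastGroups", []):
        group, eni = entry["GroupIpAddress"], entry["NetworkInterfaceId"]
        if group not in expected:
            findings.append((group, eni, "unexpected group"))
            continue
        for flag, role in (("GroupSource", "sources"), ("GroupMember", "members")):
            if entry.get(flag):
                seen[group][role].add(eni)
                if eni not in expected[group][role]:
                    findings.append((group, eni, f"unexpected {role[:-1]}"))
    for group, roles in expected.items():
        for role, enis in roles.items():
            for eni in sorted(enis - seen[group][role]):
                findings.append((group, eni, f"missing {role[:-1]}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_multicast_groups(SAMPLE, EXPECTED):
        print(*finding, sep="  ")
```

On the constructed sample this reports a receiver that was never approved for the first camera group, and a second group whose traffic is sourced from the GRE termination interface instead of the dedicated forwarding interface, with no VMS receivers registered.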

The solution is implemented to solve one of the following use cases

When both the data center and DR sites are in AWS Cloud, and the monitoring location (for example, the ICCC, Government offices, or the war room) is outside AWS, setup includes:

  • Configuring the cameras to simultaneously send the multicast to the data center, DR, and all monitoring sites, which will optimize the bandwidth requirement for individual cameras.
  • Monitoring sites will be in constant communication with data center servers (for authentication) in order to receive the multicast feed from the camera.
  • In the event of primary VMS server unavailability (for example, if the Availability Zone is down), the multicast feed to the monitoring locations will continue. But for tasks such as authentication, archive, and display, the workstation at the monitoring location will connect to a secondary VMS server (active-passive configuration) deployed in another Availability Zone.

Note: For hybrid deployments with on-premises as the data center location and AWS as the DR site, the configuration remains the same.

Conclusion

In this post, we have demonstrated how to set up an efficient large-scale video surveillance solution as well as possible scenarios for doing so. Governments envision a variety of benefits, including but not limited to:

  • Detection and investigation of crime
  • Response to an emergency
  • Crowd control
  • Traffic control
  • Evidence in a court of law
  • Public understanding and accountability
  • Preparedness for an emergency

Also, enterprise and telecom customers can build multicast topologies using AWS cloud native services like AWS Transit Gateway, AWS Direct Connect, and partner solutions from AWS Marketplace.

You can get started right now on the AWS Management Console. For more information, visit Multicast on Transit Gateway.

About the author

Abhishek Mittal is a Solutions Architect for the worldwide public sector team with Amazon Web Services (AWS), where he primarily works with ISV partners across industries providing them with architectural guidance for building scalable architecture and implementing strategies to drive adoption of AWS services. He is passionate about modernizing traditional platforms and security in the cloud. Outside work, he is a travel enthusiast. LinkedIn: /abhishekmittal02/

Avanish Yadav is a Senior Networking Solutions Architect at Amazon Web Services. With a passion for networking technologies, he enjoys innovating and helping customers solve complex technical challenges by creating secure, scalable cloud architectures. When he’s not collaborating with clients to provide expert solutions to their needs, he can often be found playing cricket outside of work. LinkedIn: /avanish-yadav-93b8a947/

Tarun Sachdeva is a Sr. Solutions Architect at Amazon Web Services (AWS) India. He has over 17 years of experience in the IT industry.

Mandar Patil is FSI Sr. Manager, Solutions Architecture at Amazon Web Services (AWS) India. He has over 22 years of experience in the IT industry.