Guidance on Secure BBB Setup in AWS


Shahezad Virani

Sep 30, 2025, 1:29:28 PM
to BigBlueButton-Setup

Hello everyone,

I’m a senior developer working on setting up BigBlueButton (BBB) and integrating it with our custom LMS. I have a proof of concept running in one of our environments, but I could use some clarification and guidance from folks who might have faced similar challenges.

Our LMS and BBB will run inside a very strict AWS environment with a lot of security constraints. To work within those limits, I’ve put the following in place so far:

  1. TURN server: We can’t expose a wide range of UDP ports on our BBB instances. To handle this, I set up a TURN server that sits behind an AWS NLB (in case we want to enable UDP later) and only accepts traffic on port 443. These TURN instances run in a public subnet (I could not make it work in a private subnet; I think that is because the NLB passes the client IP/information to the instance) as an Auto Scaling Group (ASG) of EC2 instances.

  2. BBB instance placement: Right now, I have a single BBB instance in a public subnet. When Greenlight starts a room, the browser directs users there. What I’d like to understand is:

    • Can I move BBB instances into a private subnet instead?

    • Can these BBB instances also be managed by an ASG, spinning up/down as needed?

    • I do have Scalelite in place to handle room assignments. My assumption is that I’d use the cluster-proxy configuration here, but I’m not sure how that works in practice with ASG-managed instances.

In short, I’m trying to design an architecture that doesn’t require exposing a wide range of ports or opening up instances to the public internet. For now, I’m fine with using only TCP/443 and disabling UDP, but I’d love to hear how others have approached building a secure, production-grade BBB setup in AWS.

Some other things to note: I have Scalelite and Greenlight on ECS, fronted by their own ALBs.

Thanks in advance for any insights you can share!
