Why is opening UDP ports necessary on EC2?


AbdulSamad

Sep 18, 2022, 3:06:37 PM
to meetecho-janus
Hi all,

I've been scratching my head over this question for some time now and I couldn't find a direct answer to it in the group. Question is as follows:
Why is it necessary to open UDP ports to stream between my scripts (using websocket) and Janus plugin demos (Text Room, Video Room) when Janus is deployed on AWS EC2? How come running the same plugin demos in a browser works fine without having to open UDP ports?

I have python scripts that fail to run unless I specifically open UDP ports through EC2's security groups while the Video Room plugin demo works on Chrome/Firefox even if no UDP port is opened (at least, explicitly) on EC2's security group.

Here's some background.

I have deployed Janus on an EC2 instance with Ubuntu 18.04. The --nat-1-1 argument has been set to the instance's public IP. The security group has ports 443, 80, and 22 open.

With the mentioned settings, I can access my Janus deployment and run the following plugin demos without an issue on Chrome/Firefox: 1. Echo Test, 2. Video Room, 3. Text Room.

With the same settings, I can run my python script to access the Text Room demo and send/receive text in the room.

However, when I run my python scripts to send/receive video, the DTLS handshake never gets completed. To get past this issue, I have to open UDP ports in EC2's security group and then pass the range through --rtp-port-range when running Janus. Then, I can stream video.

What I don't understand is: what makes Chrome/Firefox run even when no UDP port is open? Is it because the browser is making use of a JavaScript API? Does it have to do with the use of websockets in my python script?

Lorenzo Miniero

Sep 19, 2022, 7:31:20 AM
to meetecho-janus
WebRTC uses UDP for media, with ports that change for every PeerConnection. You may want to have a look at some tutorials on how WebRTC works in general, including ICE, as that's a good thing to know even when using a server.

L.

AbdulSamad

Sep 20, 2022, 6:03:57 AM
to meetecho-janus
Thanks for your reply, Lorenzo!

Can you help me with this question as well please: Why can I use Chrome/Firefox to stream from/to Video Room plugins to Janus (deployed on my EC2 server) without having to explicitly open a UDP port on EC2's firewall, but my python scripts cannot connect to video room unless I open UDP ports on EC2?

Lorenzo Miniero

Sep 20, 2022, 6:50:43 AM
to meetecho-janus
Again, that's explained once you understand how ICE works. Browsers try to poke "holes" in the NAT using STUN/TURN, which Janus by default doesn't use because it's supposed to be publicly reachable.

L.

AbdulSamad

Sep 20, 2022, 12:13:06 PM
to meetecho-janus
That helps - thanks a lot! Definitely looking into ICE to wrap my head around its details.
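
The following is an added example, not code from anyone in this thread: a small Python check that parses the ICE candidate lines from both SDPs and compares the ports Janus advertises with the security group's inbound UDP rules and the --rtp-port-range value, and reports whether the client gathered any STUN/TURN-derived candidates (the difference Lorenzo points to). The addresses, the 20000-20100 range and all function names are assumptions made for illustration.

```python
import re

# Constructed sample candidate lines (not captured from a real session).
# 203.0.113.10 stands in for the public IP given to --nat-1-1.
JANUS_SDP = (
    "a=candidate:1 1 udp 2015363327 203.0.113.10 20014 typ host\r\n"
    "a=candidate:2 1 udp 2015363327 203.0.113.10 20077 typ host\r\n")
SCRIPT_SDP = "a=candidate:1 1 udp 2122260223 192.168.1.23 50000 typ host\r\n"
BROWSER_SDP = SCRIPT_SDP + (
    "a=candidate:2 1 udp 1686052607 198.51.100.7 61234 typ srflx "
    "raddr 192.168.1.23 rport 50000\r\n")

# Fields: foundation, component, transport, priority, address, port, "typ", type
CAND = re.compile(r"^a=candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)", re.M)

def parse_candidates(sdp):
    """Return (transport, address, port, type) for each ICE candidate line."""
    return [(m[1].lower(), m[2], int(m[3]), m[4]) for m in CAND.finditer(sdp)]

def port_allowed(port, udp_rules):
    """True if an inbound UDP rule (lo, hi) covers the port."""
    return any(lo <= port <= hi for lo, hi in udp_rules)

def diagnose(server_sdp, client_sdp, udp_rules, rtp_port_range):
    """Compare Janus's candidates and port range with the inbound UDP rules."""
    lo, hi = (int(p) for p in rtp_port_range.split("-"))
    ports = [p for t, _, p, _ in parse_candidates(server_sdp) if t == "udp"]
    client_types = {typ for _, _, _, typ in parse_candidates(client_sdp)}
    return {
        # Janus candidate ports a remote peer cannot reach unsolicited.
        "blocked_server_ports": [p for p in ports if not port_allowed(p, udp_rules)],
        # Candidate ports outside --rtp-port-range mean the range was not applied.
        "outside_rtp_range": [p for p in ports if not lo <= p <= hi],
        # The whole media range must sit inside one rule, or some sessions fail.
        "range_covered": any(a <= lo and hi <= b for a, b in udp_rules),
        # Did the client gather STUN/TURN-derived candidates at all?
        "client_used_stun_turn": bool(client_types & {"srflx", "relay"}),
    }

if __name__ == "__main__":
    # Security group as described in the first post: no inbound UDP rules.
    for name, sdp in (("script", SCRIPT_SDP), ("browser", BROWSER_SDP)):
        print(name, diagnose(JANUS_SDP, sdp, [], "20000-20100"))
```

Keeping the inbound UDP rule identical to the --rtp-port-range value avoids exposing more ports than Janus will ever bind for media.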