Configuring coturn with an EC2 instance on a private subnet.

mayank khandelwal

May 4, 2021, 5:35:39 PM
to TURN Server (Open-Source project)

We need to configure coturn on an EC2 instance on a private subnet in AWS (customer requirement).
As this is a private subnet, the instance does not have any public IP.
We are using a network load balancer (NLB) with a TCP_UDP listener on port 443.
The NLB forwards the traffic to the coturn instance.

Considering the references below:
Domain of NLB - nlb.xyz.com
Public IP (elastic IP in AWS) of NLB - nlb_ip.
Private IP of coturn instance - coturn_private_ip.

The coturn configuration is set as (coturn option names are hyphenated in turnserver.conf):
listening-ip=coturn_private_ip
external-ip=nlb_ip/coturn_private_ip
realm=nlb.xyz.com
server-name=nlb.xyz.com

On the client:
ICE server configuration (keeping turn/tcp deliberately for testing):
iceServers: [stun:nlb.xyz.com:443?transport=tcp, turn:nlb.xyz.com:443?transport=tcp] iceTransportPolicy: all

With these configurations, though, I am able to connect a call (with a lot of confusion, as explained below), but I am not sure if it is a good idea to have coturn in a private subnet.

Please see these questions which pop up in my mind:
1. Are there any obvious issues running coturn like this?
2. How will the connectivity work, i.e.:
a. Requests for allocations will reach coturn from the NLB. We have configured the external IP as the IP of the NLB; will coturn be able to create allocations properly?
b. Once the allocations are made, the further send indications and data indications or channel-data use the relayed transport address. Will they be allowed to communicate directly with coturn, as the instance is in a private subnet? (Will it be considered part of the same session and allowed?)
c. From the relay transport address, will coturn be able to communicate with the client/peer? (This seems fine, though.)
3. As mentioned before, I have seen that the connectivity worked somehow (relayed on turn/tcp); however, the selected candidate pair seems way more confusing. Please have a look at the attached snippet. It shows that both LocalAddress and RemoteAddress are of the TURN server (13.232.100.233).
4. The connectivity did not work with turn/UDP, and we are still analyzing that.

It would be of great help if someone can explain the working of the above case in detail ASAP. We would be very thankful.

Attachment: Capture_all_open.PNG
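The client-side ICE configuration and the candidate-pair question in point 3, as an added example in JavaScript that is not part of the original post or of the coturn project. buildRtcConfig assembles the iceServers entries for one TURN/STUN hostname and port (the NLB name from the post; the username and credential are placeholders the post does not show), and classifySelectedPair reads an RTCPeerConnection.getStats() report and reports whether the selected pair is relay-to-relay on a single TURN address, which is what the pair looks like when both peers hold allocations on the same server. The SAMPLE_STATS report is constructed; only the server address 13.232.100.233 is taken from the post.

```javascript
// Added example (not from the original post or the coturn project): builds the
// client-side ICE configuration for a TURN server reached through a load
// balancer hostname, and classifies the candidate pair a browser selected
// from its getStats() report. Hostname, port and credentials are placeholders.

// Build an RTCConfiguration for a TURN/STUN endpoint published on one
// hostname:port (here the NLB name from the post). A "turn:" URL needs
// credentials; the values passed in are assumed placeholders.
function buildRtcConfig({ host, port = 443, transport = 'tcp',
                          username, credential, policy = 'all' }) {
  const suffix = transport ? `?transport=${transport}` : '';
  return {
    iceServers: [
      { urls: `stun:${host}:${port}${suffix}` },
      { urls: `turn:${host}:${port}${suffix}`, username, credential },
    ],
    iceTransportPolicy: policy, // 'all', or 'relay' to force every pair through TURN
  };
}

// Locate the candidate pair the ICE agent actually selected. Prefer the
// transport's selectedCandidatePairId; fall back to a nominated, succeeded pair.
function findSelectedPair(stats) {
  const byId = new Map(stats.map((s) => [s.id, s]));
  const transport = stats.find((s) => s.type === 'transport' && s.selectedCandidatePairId);
  let pair = transport ? byId.get(transport.selectedCandidatePairId) : undefined;
  if (!pair) {
    pair = stats.find((s) => s.type === 'candidate-pair' && s.nominated && s.state === 'succeeded');
  }
  return pair ? { pair, byId } : null;
}

// Summarise the selected pair: candidate types, addresses, the client-to-TURN
// transport, and whether both ends are relayed addresses on the same server.
function classifySelectedPair(stats) {
  const found = findSelectedPair(stats);
  if (!found) return null;
  const { pair, byId } = found;
  const local = byId.get(pair.localCandidateId);
  const remote = byId.get(pair.remoteCandidateId);
  if (!local || !remote) return null;
  const bothRelay = local.candidateType === 'relay' && remote.candidateType === 'relay';
  return {
    localType: local.candidateType,
    localAddress: `${local.address}:${local.port}`,
    remoteType: remote.candidateType,
    remoteAddress: `${remote.address}:${remote.port}`,
    relayProtocol: local.relayProtocol || null, // udp/tcp/tls between client and TURN
    relayToRelay: bothRelay,
    // Both relayed addresses on one IP: both peers were allocated on the same TURN server.
    sameRelayServer: bothRelay && local.address === remote.address,
  };
}

// Constructed sample: a reduced getStats() report in which both peers relay
// through the same TURN server. The address is the one named in the post;
// ids and ports are made up.
const SAMPLE_STATS = [
  { id: 'T1', type: 'transport', selectedCandidatePairId: 'CP1' },
  { id: 'CP1', type: 'candidate-pair', state: 'succeeded', nominated: true,
    localCandidateId: 'LC1', remoteCandidateId: 'RC1' },
  { id: 'LC1', type: 'local-candidate', candidateType: 'relay', protocol: 'udp',
    relayProtocol: 'tcp', address: '13.232.100.233', port: 52001 },
  { id: 'RC1', type: 'remote-candidate', candidateType: 'relay', protocol: 'udp',
    address: '13.232.100.233', port: 52002 },
];

if (typeof module !== 'undefined') {
  module.exports = { buildRtcConfig, findSelectedPair, classifySelectedPair, SAMPLE_STATS };
}
```

In a browser the report comes from the live connection: `classifySelectedPair([...(await pc.getStats()).values()])`, where `pc` was created with `new RTCPeerConnection(buildRtcConfig({ host: 'nlb.xyz.com', username, credential }))`. A relay/relay result with sameRelayServer set means the selected pair consists of two relayed addresses allocated on the same server, so both the local and the remote side of the pair show the TURN server's external address.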