Network interactions

Agora is designed for corporate networks with separated component roles and segments. A typical deployment separates flows so that:

  • administrative traffic is isolated from media traffic;
  • external sources only talk to the Ingress server;
  • internal master nodes are not directly reachable from user networks;
  • content delivery to viewers uses edge servers.

Main network segments

Typical segments include:

  • administrative segment for controller access;
  • internal media segment for origin, VOD transcoder, streamers, and relays;
  • DMZ for the Ingress server when external live sources are accepted;
  • user or branch segment where edge servers and clients sit;
  • storage segment for the storage system.

This layout reduces direct exposure of internal media servers and aligns with corporate security policy.

Primary traffic flows

Controller and streamers / relays

The controller talks to streamers and relays over HTTP or HTTPS.

Common ports:

  • 80 for plain HTTP;
  • 443 for HTTPS.

This traffic carries management, status, configuration, and monitoring.

Between streamers

Streamer-to-streamer traffic may include:

  • HTTP / HTTPS for control and publish interactions;
  • multicast for Standby Push.

For Standby Push, the backup streamer receives multicast from the primary. This requires a LAN with reliably low latency.

Between relays and streamers

Relays pull video from streamers over:

  • HTTP;
  • HTTPS.

Depending on resilience design, a relay may connect to one or several streamers.

Ingress server and external sources

The Ingress server accepts external sources over the protocols used in your ingest design, commonly:

  • HTTP;
  • HTTPS;
  • RTMP on port 1935;
  • SRT on agreed ports;
  • WebRTC with a fixed port set when policy requires it.

For SRT and WebRTC, port ranges are defined during rollout and must be agreed with the customer network team.

Ingress server and internal streamers

When the Ingress server and the internal streamers are separate, they use:

  • HTTP;
  • HTTPS.

This path should be allowed only between trusted internal nodes because it moves the stream from the DMZ into the internal media segment.

Typical firewall requirements

Network policies usually need to:

  • allow admin access to the controller only from the admin segment;
  • allow external video ingest only to the Ingress server;
  • block direct external access to origin and other internal media servers;
  • allow internal connectivity between streamers, relays, and edge servers only on agreed protocols;
  • restrict storage access to trusted platform components.
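
One way to check a proposed rule set against the requirements above, as an added example that is not part of the Agora documentation. The role labels, the use of ports 80/443 on every HTTP/HTTPS path (including admin access to the controller), UDP for the agreed SRT/WebRTC ports, and the sample flows are assumptions; edge, storage and multicast rules are not modelled because this page gives no ports for them.

```python
from typing import NamedTuple
class Flow(NamedTuple):
    src: str    # source role or segment (labels chosen for this sketch)
    dst: str    # destination role
    proto: str  # "tcp" or "udp"
    port: int

WEB = {("tcp", 80), ("tcp", 443)}  # assumed ports for every HTTP/HTTPS path
# Unicast flows named on this page; edge, storage and multicast are out of scope.
ALLOWED = {
    ("admin", "controller"): WEB,
    ("controller", "streamer"): WEB,
    ("controller", "relay"): WEB,
    ("streamer", "streamer"): WEB,
    ("relay", "streamer"): WEB,
    ("external", "ingress"): WEB | {("tcp", 1935)},  # plus agreed SRT/WebRTC ports
    ("ingress", "streamer"): WEB,
}

def audit(flows, agreed_udp=frozenset()):
    """Return (flow, reason) for each flow the allowlist does not cover."""
    findings = []
    for f in flows:
        allowed = set(ALLOWED.get((f.src, f.dst), ()))
        if (f.src, f.dst) == ("external", "ingress"):
            allowed |= {("udp", p) for p in agreed_udp}  # ports agreed at rollout
        if (f.proto, f.port) in allowed:
            continue
        if f.src == "external" and f.dst != "ingress":
            reason = "external sources may only reach the Ingress server"
        elif f.dst == "controller" and f.src != "admin":
            reason = "controller access only from the admin segment"
        else:
            reason = "role pair or port/protocol not in the agreed set"
        findings.append((f, reason))
    return findings

# Constructed sample rule set (not from a real deployment).
SAMPLE = [
    Flow("external", "ingress", "tcp", 1935),  # RTMP ingest
    Flow("external", "ingress", "udp", 9000),  # SRT on an agreed port
    Flow("external", "streamer", "tcp", 443),  # bypasses the DMZ
    Flow("user", "controller", "tcp", 443),    # admin UI from a user segment
    Flow("ingress", "streamer", "tcp", 1935),  # RTMP not listed for this path
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE, agreed_udp={9000}):
        print(flow, "->", reason)
```

Running the audit without the agreed port set also flags the SRT flow, which is why the agreed ranges belong in the deployment design document before rules are reviewed.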

Practical notes

When designing connectivity, remember:

  • Twincast needs two independent ingest paths;
  • Standby Push needs a low-latency LAN and multicast between streamers;
  • for isolated ingest of external sources, place the Ingress server in the DMZ;
  • allowed ports and protocols should be recorded in the deployment design doc.