How to Host an On-Demand Streaming Video With AWS S3, CloudFront, and Route 53
A Step-by-Step Guide to Hosting an On-Demand Video with AWS
As a cloud engineer, a strong understanding of hosting and distributing media files via cloud platforms like AWS is essential. AWS offers services that simplify uploading, streaming, and delivering media across multiple web applications and regions.
Using AWS S3 and CloudFront together creates a powerful storage and distribution system that securely stores your content and delivers it to millions of users worldwide while maintaining quality.
By the end of this guide, you will have set up your custom domain for streaming video globally using Amazon cloud services.
Overview of the Setup
This guide consists of three sections. In the first section, you will learn how to use AWS S3 to upload and store the video you will be streaming. After that, you will create and configure a custom domain for your video using AWS Route 53 and AWS Certificate Manager.
Lastly, you will use AWS CloudFront as your Content Delivery Network (CDN) to reduce latency for distribution.
Prerequisites
AWS account: To follow this guide and access the management console, you need an AWS account.
Basic familiarity with DNS concepts
A video file for testing
Terminal/Command Line access
Section One: Upload and Store Your Video in an S3 Bucket
Amazon S3 is a storage service that can help you store a wide range of data. One of its perks is that it scales automatically to meet your needs, so you never have to worry about running out of space. It is also useful for media hosting, storing static website files, and database backups like SQL dumps.
Here, you will be using it to host your video file.
Step 1: Navigate to S3 on the AWS Management Console
To begin, you need to sign in to the AWS management console, navigate to S3 on the dashboard, and select it. If you cannot find it on your dashboard, in the search bar at the top of the console, type S3 and click on the first service with the caption “scalable storage in the cloud.”
Step 2: Create an S3 Bucket
To add files or directories to S3, you need to create a bucket that will act as a placeholder for your file. At the top right corner of your newly accessed web page, click on Create bucket.
After clicking, you will be redirected to another webpage, where you will configure your bucket.
Step 2.1: Choose Your Bucket Type
Now, you have to indicate what type of bucket you need. In the bucket configuration tab, under bucket type, select General purpose.
AWS S3 offers two types of buckets: general-purpose buckets and directory buckets. General-purpose buckets are better used in cases where you are handling only a few files, like in this guide, as they follow a flat structure. Think of general-purpose buckets as big containers where you can dump files.
Directory buckets, on the other hand, are more structured and hierarchical. With these types of buckets, you can manage many files more efficiently.
Step 2.2: Name Your Bucket According to AWS’s Guidelines
Proceed to name your bucket. AWS requires you to use a name that does not already exist as a bucket name in the region you are connected to. Your bucket name has to be universally unique.
To find your account's AWS region, follow this AWS documentation guide.
Step 2.3: Disable Access Control Lists (ACLs)
Next, you want to secure the files you will store in this bucket by disabling ACLs. By default, AWS disables ACLs, blocking external users from owning files in your bucket or making changes to any file in that bucket.
Learn more about AWS object ownership and ACLs here.
Step 2.4: Block Public Access to Your Bucket
You also have to ensure the entire bucket is secure from external traffic, like a user accessing the bucket from a web browser using the bucket’s URL. Leave the Block all public access box checked.
Data breaches often happen with files in the cloud. One way to avoid this as a cloud engineer is by securing your files with a lock that stops anybody on the internet from accessing your files accidentally. Blocking all public access is just the way to do this.
Step 2.5: Create the Bucket
Finally, you want to leave the rest of the configurations as default and click the Create bucket button at the bottom of the page. You should get redirected to another webpage with a message at the top of the screen indicating that your bucket has been successfully created.
Additionally, you should see the name of your bucket in the bucket list.
Step 3: Upload Your Choice Video to the S3 Bucket
Step 3.1: Access the Upload Panel
Click on the name of your bucket. Inside your bucket, you should see that it is empty—without any objects. To add your video to this bucket, click the Upload button.
Clicking on Upload will take you to a new panel that allows you to add folders and files from your computer.
On that panel, you can drag and drop your file as indicated on the screen, or click Add files to open a file upload dialog if you prefer. Next, choose your desired video from your file manager and click open.
Step 3.2: Choose and Upload Video to Your Bucket
After that, you should see your video added to the Files and Folders section.
Lastly, scroll to the bottom of the page and click on Upload at the right corner of the screen. After hitting that button, you will get a pop-up at the top of the screen indicating that your file is uploading and a confirmation after it uploads.
Congratulations! You have successfully uploaded your video to S3.
Section Two: Configure Your Domain Name With Route 53
Route 53 is a Domain Name System (DNS) service that enables you to set up human-readable domain names for websites and AWS resources like CloudFront distributions or S3 buckets.
Acting as a directory service, Route 53 translates human-friendly domain names (like myvideostreaming.com) into their corresponding IP addresses. An IP address is a unique identifier that all websites and web resources have, which web browsers use to locate and access them on the internet.
With Route 53, when users enter a domain name, their browser can find the correct server to deliver the requested webpage or file. Explore the AWS Route 53 documentation for additional details.
In this section, you will register a domain name, create a DNS record that links to your CloudFront distribution, and obtain an SSL (Secure Socket Layer) certificate for added security to your domain.
Step 1: Create or Register a Domain Name
Step 1.1: Open Route 53
Navigate to the search bar on your console and search for Route 53. When the service pops up, select it to enter the Route 53 interface.
Step 1.2: Register Your Domain
Once inside the interface, click on Register domain to create the domain for streaming your video. In the Register domains panel, choose a name and click on Search to check for the availability of that name.
After searching, you will get a variety of domain names with different top-level domains (TLDs) like .com, .net, .info, .xyz, .tz, and so on.
The price of registering a domain depends on the TLD you choose. Some, like .io, are usually more expensive because they are more specialized, while others, like .info, might be more affordable.
Select the best pricing option for you and proceed to checkout. In the Pricing tab, click on Next.
After that, a new webpage where you have to fill in your contact information pops up. Fill out the form and submit.
Note: If you are on a tight budget, consider a free domain from third-party providers like Infinityfree or Namecheap.
If you registered your domain through Route 53, proceed to Step 3. If you're using a third-party domain, complete Step 2 to connect your domain to Route 53.
Step 2: Create a Public Hosted Zone
When you buy a domain (like buying a piece of land), a public hosted zone acts as the layout or blueprint for that land that is accessible to everybody on the internet. This “layout” or “public hosted zone” connects your domain to different internet resources, such as CloudFront (a CDN) or servers where you store files and content.
Step 2.1: Create a Hosted zone
To begin, on the Route 53 dashboard, click on the Create hosted zone button. Input your domain name in the form that opens up and configure your hosted zone like the example below:
Step 2.2: Copy and Update Your Domain’s NS List
After creating the hosted zone, you will get redirected to a new tab showing your hosted zone details. In that tab, under Records, select the first record with the type “NS.” When you select it, a sidebar opens up on the left to show the record’s details.
A list of nameservers (NS) shows up on the side under the Value section. Copy these nameservers and update them in the nameservers list in the account settings of your domain name.
Step 3: Request an SSL Certificate Using ACM
Now that you have connected your domain to Route 53, you need to add a layer of security to your domain. In the next few steps, you will explore the AWS Certificate Manager and see how it adds locks to your domain to prevent intruders from tampering with the information shared between your domain and the end user.
Have you ever tried accessing a website and gotten a notification that read, “Your connection is not private” or “Not Secure”? This notification happened because the website you were trying to retrieve did not have SSL/TLS certificates.
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are security protocols. Think of them as the “lock on the door” of a website that ensures any data shared between the visitor (user) and the website stays private and secure.
AWS Certificate Manager (ACM) is responsible for issuing these certificates. For further reading on AWS Certificate Manager and how it works, follow this user guide. Below are the steps to obtain this certificate:
Step 3.1: Request a Certificate
On the AWS console, navigate to ACM by typing “Certificate Manager” in the search bar. On ACM, click on Request a certificate to begin creating an SSL certificate for your domain.
Step 3.2: Select the Type of Certificate
In the next tab, you have to choose the type of certificate you need. By default, you will only have access to a public certificate. Click on Next to continue.
Lastly, in the new section, fill in the full URL of your domain, leave the other options as default, and click the Request button. After this, a new interface will pop up confirming that you have requested an SSL certificate.
Step 3.3: Validate Your SSL Certificate
Next, click on Create record in Route 53 in the Domain section. This action adds a CNAME (canonical name) record to validate your SSL certificate.
A CNAME is a type of DNS record that acts like a forwarding address, directing the end-user to the CloudFront distribution you will create in the next section. DNS records prove that you control the domain you are attaching the security certificate to.
You will get redirected to a new tab.
To confirm that ACM has validated your certificate, click on List certificates on the left navigation pane. Click on the certificate you just created, and you should see Issued under the status section.
Now, your domain is set up, and in the next section, you will configure CloudFront to deliver your video.
Section Three: Distribute Your Video With CloudFront for Low Latency
Amazon CloudFront is a CDN service that AWS offers. Without a CDN, your video loads from only one location, causing users far from that location to experience lag when they try to load your file.
Content Delivery Network services like CloudFront work by connecting your storage service to different servers distributed all across the world.
With this service, no matter how large your file may be, the end-users’ request to load your file will load quickly with minimal delay. Explore this guide on how CloudFront brings your file closer to end-users.
Step 1: Create an Origin Access Identity
In steps 2.3 and 2.4 in Section One, you restricted access to your S3 bucket by disabling ACL and blocking all public access. This setting also means CloudFront cannot access your bucket.
To circumvent this security setting, you can create an Origin Access Identity (OAI) that will allow your CloudFront distribution to fetch content from your private bucket by acting as a virtual user with special privileges.
Step 1.1: Create an OAI
To create an OAI, navigate to the top of your current window and type CloudFront in the search bar, and select the service. Next, on the CloudFront console, open the left navigation pane, scroll to the Security section and select Origin Access.
Step 1.2: Name Your OAI
On the Origin access interface, navigate to the Identities tab and click on Create origin access identity. After clicking, you should get a pop-up asking you to name your OAI. Type in any name you prefer and click on Create.
After that step, you will get a message at the top of the screen indicating that you have successfully created an OAI.
Step 2: Create a Distribution and Attach the SSL Certificate
Scroll to the top of the navigation pane and select Distributions. In the Distributions window, click on Create distribution. You will get redirected to a form. Follow the steps below to fill out this form accurately.
Step 2.1: Choose Your Origin Domain
This is where you tell CloudFront where to fetch the files it will serve to users. In this case, it is your S3 bucket.
In the Origin Domain field, select or enter your S3 bucket URL (in this guide, it is: myvideohosting.s3.eu-north-1.amazonaws.com).
Step 2.2: (Optional) Add an Origin Path
You can leave this blank unless you want CloudFront to look for files inside a specific folder in your bucket.
For example, if you stored your videos under a folder called /movies, you would enter /movies here. Skip this field if you are using the root directory of the S3 bucket.
Step 2.3: Choose Origin Access Settings
This section determines how CloudFront will access your S3 bucket.
1. Option one: Public
Use this option if your S3 bucket is public (open to everyone). In this guide, though, the bucket is set to block public access.
2. Option two: Origin Access Control Settings (recommended)
This option is an alternative to the OAI you created earlier in this section. It ensures that only CloudFront can access your S3 bucket, even if the bucket itself is set to private. This improves security.
3. Option three: Legacy Access Identities (OAI)
Select this option and use the OAI you created earlier. Ensure that you select the “Yes, update bucket policy” option after choosing your OAI. Additionally, as a shortcut, you can create a new OAI by clicking Create new OAI.
Leave the other settings in the Origin section as default and move to the Default cache behaviour section.
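The bucket policy that the “Yes, update bucket policy” choice leaves behind can be checked offline. The Python below is an added example, not part of the original guide or of any AWS tool: it audits a bucket policy document and flags every Allow statement that lets anyone other than CloudFront read objects. The function names, the sample policies and the OAI ID EXAMPLEOAIID are constructed for illustration, and the check also covers the OAC-style statement from option two, which goes slightly beyond the OAI case this guide uses.

```python
import json
from fnmatch import fnmatchcase
# Principal prefix CloudFront uses for a legacy origin access identity (OAI).
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def _as_list(value):  # IAM accepts a bare string wherever a list is allowed
    return value if isinstance(value, list) else [] if value is None else [value]

def _principals(stmt):
    """Flatten Principal into (kind, value) pairs; a bare "*" means anyone."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return [("AWS", "*")]
    return [(k, v) for k, vals in principal.items() for v in _as_list(vals)]

def _pinned_to_distribution(stmt):
    """True if a condition restricts AWS:SourceArn to exact CloudFront ARNs."""
    for op, keys in stmt.get("Condition", {}).items():
        if op.lower() in {"stringequals", "arnequals", "arnlike"}:
            for key, vals in keys.items():
                arns = _as_list(vals)
                if key.lower() == "aws:sourcearn" and arns and all(
                        a.startswith("arn:aws:cloudfront::") and "*" not in a for a in arns):
                    return True
    return False

def audit_bucket_policy(policy_json):
    """Return findings for Allow statements; [] means only CloudFront can read."""
    findings, cloudfront_can_read = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements (and NotPrincipal/NotAction) are out of scope here
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        for kind, value in _principals(stmt):
            trusted = False
            if value == "*":
                findings.append(f"{sid}: public principal '*'")
            elif kind == "AWS" and value.startswith(OAI_PREFIX):
                trusted = True  # legacy OAI, the option this guide selects
            elif kind == "Service" and value == "cloudfront.amazonaws.com":
                trusted = _pinned_to_distribution(stmt)  # OAC-style statement
                if not trusted:
                    findings.append(f"{sid}: CloudFront service principal without AWS:SourceArn")
            else:
                findings.append(f"{sid}: unexpected principal {value}")
            if trusted:
                extra = sorted(actions - {"s3:getobject"})
                if extra:
                    findings.append(f"{sid}: CloudFront granted more than s3:GetObject: {extra}")
                cloudfront_can_read |= any(fnmatchcase("s3:getobject", a) for a in actions)
    if not cloudfront_can_read:
        findings.append("no statement lets CloudFront read objects")
    return findings

# Constructed one-statement sample policies for the guide's bucket; the OAI ID is a placeholder.
def sample_policy(sid, principal, action="s3:GetObject", condition=None):
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": principal, "Action": action,
            "Resource": "arn:aws:s3:::myvideohosting/*", "Condition": condition or {}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})
OAI_ONLY = sample_policy("CloudFrontRead", {"AWS": OAI_PREFIX + "EXAMPLEOAIID"})
PUBLIC_READ = sample_policy("Everyone", "*")
if __name__ == "__main__":
    print(audit_bucket_policy(OAI_ONLY), audit_bucket_policy(PUBLIC_READ), sep="\n")
```

Pass the JSON shown on the bucket's Permissions tab to audit_bucket_policy; an empty list is the expected result once the OAI has been attached.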
Step 2.3: Updating Viewer Protocol Policy and Configuring HTTP Methods
Leaving the path pattern as default, move to the viewer protocol policy to determine how users will access your site—whether they use HTTP or HTTPS.
Select “Redirect HTTP to HTTPS.” If someone tries to use HTTP, they’ll be automatically redirected to the secure HTTPS version. Think of it as setting a sign that says, “Please use the secure entrance!”
Step 2.4: Choose HTTP Method
Select GET, HEAD, OPTIONS. The OPTIONS method lets a browser check what actions a server, like CloudFront, permits before making a full request. This helps ensure a smoother connection by confirming available permissions ahead of time.
OPTIONS is useful for some more complex applications. Alternatively, you could use the GET, HEAD option because your users will only be making a GET request in this guide.
Leave all other settings in this section, as well as the Functions associations, as default and move to the WAF section.
Step 2.5: Select Your Security Protections
AWS gives you the option to protect your web applications by using a Web Application Firewall (WAF). WAF helps filter out malicious traffic and blocks requests before they reach your web server.
In production environments, it is important to enable it, but here, you can skip it and select “Do not enable security protections.”
Step 2.6: Input Your Alternate Domain Name and Attach SSL Certificate
In the Alternate Domain Name (CNAME) section, add your custom domain name, such as www.example.com, or a wildcard such as *.example.com to show that the URL should point to every subdomain under your custom domain.
Additionally, attach the SSL certificate you created with ACM to your distribution. This step is important because CloudFront needs the SSL certificate to keep communication with browsers safe and protect sensitive data like login credentials or video streams.
Leave other settings as default and click on Create distribution.
Step 3: Create a Record in Route 53 to Point to Your CloudFront Distribution
Now that you have set up your distribution, you need to update the DNS records of your domain to point to the distribution you just created. That way, your domain knows where to draw its content from.
Step 3.1: Create a Record in Route 53
Navigate to Route 53 using the search bar and select the hosted zone you created in Section Two. In that hosted zone, click on Create record.
That command switches you to a tab to choose the routing policy. At the top right corner of the Routing policy section, click on Switch to quick create. That command opens up a form to create the record.
Step 3.2: Select A Record as the Record Type
In the first bar of the form, input the same alternate domain name you used when you created your distribution. Leave the record type as an A record. Activate the Alias button right underneath the record name to enable routing traffic to the CloudFront distribution instead of an IP address.
An A record with an alias maps your domain to AWS resources like CloudFront. It ensures that if CloudFront’s IP addresses change, Route 53 automatically updates them, keeping your service running without interruption.
Step 3.3: Activate Alias
Under Route traffic to, select Alias to CloudFront distribution as the endpoint and choose your recently created distribution in the section underneath it.
Finally, click on Create record, and you are officially done with configuring your distribution. You can access your video by entering your domain name, a forward slash, and the video key (example: www.example.com/myvideo.png).
To find the key to your video, navigate to the S3 bucket where your file is. Select the video file, and on the left-hand side of Object Overview, you will find the key. Make sure to append a forward slash to the domain URL before attaching the key.
Troubleshooting CloudFront Errors and Access Issues
Configuring and setting up cloud architectures, like in this guide, usually comes with a few errors. Below are a few errors you may run into when you input the domain’s URL in a browser, what they mean, and how to fix them:
1. “This site can’t be reached. Check if there is a typo in example.com.”
This error can occur due to a wrong DNS configuration or because of outdated DNS information in your browser. To correct this error:
- Open the URL in a new window and input the URL again. Alternatively, you can open up a bash shell and input the command curl <domain URL/video key> to test that the domain works properly. If you get the error “Couldn’t resolve host” from the shell, try the next troubleshooting step.
- Double-check the domain name and alternate domain you entered in the CloudFront configuration. Confirm that the alternate domain name is pointing to your domain on Route 53.
2. “This XML file does not appear to have any style information associated with it. The document tree is shown below.”
- Verify that the S3 bucket has the correct bucket policy or Origin Access Identity (OAI) configured. Review your bucket policy and ensure that CloudFront has access to it.
- Confirm that you appended the key to your video in the URL you typed (e.g., www.example.com/myvideo.png).
Note: Your browser can also throw this error if the object you are trying to access does not exist in that bucket.
3. URL bar showing “Not secure”
- Access your CloudFront distribution through the AWS console and verify that the SSL certificate attached to it is pointing to the correct domain.
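The XML page in item 2 is an S3 error document, and its Code element says which fix to try first. The Python below is an added example, not part of the original guide: it classifies one response (status, headers, body, as printed by curl -i) against the troubleshooting steps above and against the “Redirect HTTP to HTTPS” setting. The function names, return labels and sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def s3_error_code(body):
    """Return the <Code> of an S3 XML error document, or None if body is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root.findtext("Code") if root.tag == "Error" else None


def triage(scheme, status, headers, body=b""):
    """Map one response to the troubleshooting step it calls for."""
    headers = {k.lower(): v for k, v in headers.items()}
    if scheme == "http":
        # "Redirect HTTP to HTTPS" answers plain HTTP with a 301 to the https:// URL.
        if status == 301 and headers.get("location", "").startswith("https://"):
            return "redirect-ok"
        return "http-not-redirected"
    code = s3_error_code(body)
    if status == 403 and code == "AccessDenied":
        # S3 also answers 403 AccessDenied for a key that does not exist when the
        # caller lacks s3:ListBucket, which is the case for a GetObject-only policy.
        return "check-bucket-policy-then-object-key"
    if status == 404 and code == "NoSuchKey":
        return "check-object-key"
    if status in (200, 206):
        return "served"
    return "unclassified"


# Constructed responses for the guide's example URL www.example.com/myvideo.png.
DENIED = (403, {"Content-Type": "application/xml"},
          b'<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>AccessDenied</Code>'
          b"<Message>Access Denied</Message></Error>")
REDIRECT = (301, {"Location": "https://www.example.com/myvideo.png"}, b"")

if __name__ == "__main__":
    print(triage("https", *DENIED))   # policy/OAI first, then the key in the URL
    print(triage("http", *REDIRECT))  # viewer protocol policy is working
```

Because a GetObject-only policy makes a missing object look like AccessDenied, a 403 on its own does not prove the bucket policy is wrong; check the key in the URL as well.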
Congratulations! You have successfully set up on-demand video streaming using AWS services. By following these steps, your content will now load quickly and securely for users around the world.
With this foundational knowledge, you are well on your way to mastering cloud engineering and content delivery.
To view the video streamed with this guide, follow this link: osinachi.site/7691946-uhd_2160_4096_30fps.mp4